The Evolution of Threat Detection and Response: Why Integration Expertise is Crucial

Doug Bailey

Threat detection and response is top of mind for healthcare organizations facing increasingly aggressive ransomware attacks. So, what is MDR, and how does proper integration improve its efficacy?

There is never a shortage of security vendor promises in today's crowded market, and it's often difficult to sift through the noise. Even without RSA and Black Hat this past year, vendor marketing engines haven't skipped a beat; in fact, the hyperbole has grown, and vendor claims have escalated even without the large events in which to spend marketing dollars. We can observe this phenomenon today, especially in the detection and response space. With so much on the line, particularly for healthcare organizations, it's essential to differentiate truth from fiction. In recent months, increasingly aggressive ransomware attacks have thrust threat detection and response to the top of our priority list. Gartner predicts that 50% of organizations will be using MDR services by 2025. It is critical to understand the evolution of the detection and response space and the challenges and differentiators facing MDR service providers.

The Evolution of Detection and Response
It all started at the endpoint when encryption of network traffic became pervasive, and legacy endpoint protection suites as a strategy seemed hopeless. The obvious leverage point was acknowledging the attack sequence started on the endpoint and evolving our strategy from AV/HIPS/DLP to an analytics-driven endpoint detection and response capability. EDR can identify a threat at its landing spot before the attacker can complete the attack sequence, thus providing an early response opportunity.

EDR is an endpoint technology and, as such, has its limitations. Attackers have adjusted by automating tactics to avoid endpoint detection, and as workloads move to the cloud, threat actors have begun exploiting this new attack surface. It has become apparent that telemetry from network traffic, SaaS applications, network services, and clouds is necessary to have any chance at thwarting an attack. Effectively, detection and response requires context beyond the endpoint.

Vendors adjusted and started the xDR movement (lowercase x, since early on there were many first initials and acronyms) as a broad description of the need for wider telemetry and richer context. Extended Detection and Response ('big X' XDR), pushed by the end-user product vendors, has recently been promoted to widen vendor product coverage: network vendors reaching into the endpoint and endpoint vendors reaching into the network. This push resulted in multiple acquisitions of startup companies and new, broad XDR vendor messaging. Some of these companies even co-opted the MDR moniker and began representing themselves as Monitor, Detect and Respond vendors.

The jury is still out, but over the years, it has become apparent that integrating disparate companies, products, and workflows is incredibly difficult and rarely results in a viable solution for end-users. Primarily, it results in a new vendor "markitecture" and something new for their salesforce to sell. As the former Chief Strategy Officer of an endpoint DLP company, I experienced this very phenomenon when we followed the analyst suggestions and acquired a network DLP company. Five years later, with a lot of money, time, and engineering gone by the wayside, there was very little customer value and little effective integration of products or workflow.

The Problem with Most MDR Providers: Lack of Integration Expertise
Next came Managed Detection and Response (MDR). Gartner Research discussed the highlights of MDR in its Market Guide for Managed Detection and Response Services by stating, "The goal of MDR services is to rapidly identify and limit the impact of security incidents to customers. These services focus on remote 24/7 threat monitoring, detection, and targeted response activities. MDR providers may use a combination of host and network-layer technologies, as well as advanced analytics, threat intelligence, forensic data, and human expertise for investigation, threat hunting and response to detected threats."

Today, most MDR service providers have either evolved from their roots as MSSPs or are newly minted MDR service providers. The legacy MSP/MSSPs have evolved from operationally managing and monitoring third-party products. These types of services differ significantly from providing integrated detection and response services. Effective threat detection and response requires very different operational systems, personnel, and skillsets than a third-party monitoring and configuration operation.

The newly minted MDR providers contract with multiple end-user products and profess to absorb the brunt of the product integration and orchestration challenges. They predominantly suffer from the same challenges as end-users in integrating disparate products and orchestrating workflows across different vendor products. This lack of integration and workflow orchestration often leads to ineffective detection and response. For the most part, these new MDR providers don't have the expertise or knowledge to effectively remediate threat situations, and the result can be lasting harm to the organization.

Today, proper Detection and Response services are essential. We cannot stop attacks given their funding, sophistication, and automation. Still, we can prevent the majority of damage and costs if we can detect them early and respond in a timely fashion. Organizations constantly face a blizzard of alert white noise, creating the detection 'needle in the haystack' challenge. The plethora of context data spread out over multiple systems required to respond appropriately (the needle in a needle stack challenge) exacerbates the problem. Few organizations have sufficient time, budget, or resources to address these issues.

MAXX MDR: The Next Generation of Threat Detection and Response
All of this context brings us to today's emerging solution: MAXX MDR. MAXX MDR is different because its three-pronged approach combines CyberMaxx's proprietary solutions (MAXX Network and MAXX SIEM) with MAXX EDR, a fully managed and integrated CrowdStrike implementation for endpoints. These solutions work together collaboratively and cover your organization from all sides. For healthcare organizations, the threat of a ransomware attack has never been more real. The attackers' sophistication, due to ample funding and automation, makes them all the more dangerous, so this full-coverage, multifaceted solution gives healthcare leaders peace of mind. Extending your team and security with MAXX MDR means you can avoid vendor bloat (i.e., having to manage various vendors and facilitate communication between all of them for different levels of protection). Sounds exhausting, right?

MAXX MDR includes optimal 24/7/365 protection, both on-prem and in the cloud, to protect your organization from today's and tomorrow's most advanced threats. CyberMaxx's security experts and programs have a proven 15+ year track record of success and a 99% customer retention rate, so you can rest assured your organization is in the right hands.

To learn more about MAXX MDR, schedule a consultation and visit our website.


Topics: cybersecurity, healthcare IT, MDR, Managed Detection and Response
