For years, companies have monitored their own digital environments and managed their own detection and analysis of cyber alerts, events, and incidents. But as cyber attacks become more sophisticated and systems become more complex, organizations need to ask themselves: are we really up to this task?
The challenges of effective prevention and response are complex. You can take every alert and notification from your network detection and response (NDR) and endpoint detection and response (EDR) tools, try to correlate them with indicators of compromise, and work to decipher the signs of a criminal infiltration. You can assemble tools to monitor both networks and endpoints. But can you really ensure that you're both up to date and drawing on all the knowledge available?
I work alongside Amir Roknifard, a Cyber Security Solutions Architect here at KPMG, who says that "what organizations need is managed detection and response (MDR), which allows you to engage not only experts with access to global information but also a resource capable of building that knowledge into detection tools."
I couldn't agree more.
NDR or EDR: Which type of detection?
EDR focuses on endpoint devices or hardware—things like servers, laptops and workstations—and any type of mobile device or tablet. But here's the thing: cyber attacks don't always target endpoints. Sometimes the attacks are on the data moving across the network. For this, teams need to deploy NDR, which monitors ongoing traffic and flags suspicious behavior within a digital environment.
Amir simplifies it this way: "Both NDR and EDR are used for prevention, detection, and response, and both provide assurance—but at different points." Each aims to prevent lateral movement in the victim's environment; combined, they protect the organization on both fronts.
A proactive approach to detection and analysis
Most public organizations rely on private vendors for their security and may not budget adequately for cyber security. When considering how much to invest in detection and analysis tools, it's important that leadership and management teams consider the potential cost of an attack. With billions of dollars in potential ransoms at stake—not to mention your clients' valuable data—it seems to me that do-it-yourself cyber security is misguided at best.
Too often, organizations feel the sting of an attack before they realize the gravity of the situation. In fact, victims of an ongoing attack generally need more than seven months to realize they've been compromised and to contain it, before data starts leaking out. Canada is a hot target because three things attract attackers: money, vandalism and politics—and our natural resource extraction industries in particular offer all three.
That's the difference between reactive and proactive organizations. Those already under attack want to know:
- How many devices are compromised?
- What data is leaking out?
- How fast can we stop it?
Proactive organizations ask a different question: How can we know when we are compromised and to what extent?
MDR is your smartest course of action. By bringing information from disparate systems together, MDR facilitates swift, effective, decisive responses. Knowing what is an attack—and what is not—is key.
Even with the best tools and talent, it can still be nearly impossible to know what's going on in an environment. "Complete visibility" just doesn't exist. Beneath all the interfaces, at the memory level of the devices, there are opportunities for hostile actors to infiltrate. Even with retrospective analysis, it isn't always possible to determine exactly what happened, because attacks are becoming increasingly sophisticated.
But with MDR, patterns over time and the linkages between the reported event and other events can be more easily recognized.
Weighing your options
The best defense strategy lies in acknowledging that the cybercriminals already know more than you think. Engaging MDR services from a reputable provider offers extensive support. And if your MDR provider is also your incident response provider, there's an opportunity for powerful synergy that makes incidents much easier to contain and resolve.
I would, however, caution against making the mistake of thinking that the right tools will do all the work for you. Tools aren't intelligent enough to understand and evaluate all the data. After all, a tool is only as good as the hands of the worker using it. Automated investigations still need humans to interpret information and make decisions at critical points. And you still need to build, manage, train, test, and update those tools. Most technology solutions don't cover everything: they may support certain operating systems but not others, and another vendor may cover different aspects or overlap in places.
But unless you've got a few billion in loose change—and you're ready to let your professional reputation walk away with your money—prevention is always better than the cure.