Threat management solutions and services for information security come in a broad range of different types, the applicability of which depends upon the nature of your organization, your specific needs, and your goals. This article intends to help explain some of the more common services you may encounter; MSSP, MDR, EDR, XDR, SIEM, SOC, and NDR. We will provide a quick explanation of what each is, who would typically use them, and what benefits they can bring to your organization. We aim to demystify the options so you can focus in on the one that would best suit your needs.
Security Information and Event Management
What is SIEM?
Security Information and Event Management (SIEM) is the term used for a range of software solutions that primarily collect, aggregate, and analyze event data from across all the devices attached to an IT infrastructure. The data is analyzed to identify any anomalous events or patterns of behavior that could be as a result of a threat actively exploiting, or attempting to exploit, a security weakness. The SIEM solution will highlight suspicious operations that will then require further investigation to determine if a security breach has occurred, or if an attack is in progress.
The principle purpose of SIEM is the aggregation and reporting of complex event and logging data in a readily accessible format that not only facilitates security breach identification but also provides the necessary information to allow detailed forensic investigation of each breach. SIEM also can support compliance reporting for organizations that need to demonstrate IT security compliance with legislation, regulations, or standards.
One weakness of SIEM is that it can be complex to operate while it generates vast quantities of events requiring investigation that can be labor-intensive to resolve. Events may be security-related or could simply be due to unexpected device operations, device faults, or merely false-positive warnings caused by typical behaviors.
Who uses SIEM?
The typical SIEM customers are medium to large enterprises with distributed and complex IT infrastructure producing vast quantities of event and log data, where obtaining visibility of security threats is a complicated and rigorous undertaking. Looking for a needle in a haystack is a fitting analogy when trying to identify a tiny number of significant security incident related events buried amongst millions of non-security related events.
SIEM is available as a product for installation on an organization’s system to allow in-house security management or as a complete end-to-end outsourced threat management service.
The primary advantage of SIEM is that it provides systematic and continuous threat detection and response solution. The downside of SIEM is that it can have high costs to install and operate, requires significant staffing to investigate results manually, and the handling of vast quantities of data can be burdensome – also known as alert fatigue.
Security Operation Centres
What is a SOC?
A Security Operation Centre (SOC) is, in general terms, a facility where security specialists undertake security management, as well as threat detection and response activities on a 24-hours a day, seven days a week basis. A SOC can be anything from a room within an organization’s building through to a remote facility operated by a third-party. A vital feature of a SOC is the security (both physical and logical) that it requires given the nature of the activities that the staff within undertake. Any compromise in the security of the SOC itself will directly translate into a compromise in the security of the networks that it is protecting.
SOC’s typically are built with a SIEM system at its core and employ threat intelligence and, more recently, behavioral analytics to supplement the IT infrastructure event and log data to deliver a more comprehensive threat detection capability.
The main drawback with a SOC is the cost of operating and maintaining such a facility and staffing it on a 24/7 basis with suitably qualified and experienced analysts. Outsourcing to a third-party specialist SOC provider can mitigate these costs somewhat, but the fees will still represent a considerable outlay.
It is common for novice organizations to refer to their SIEM as a SOC.
A modern or next-generation SOC uses more advanced technology such as SOAR, EDR, and NDR and other techniques, including machine learning and behavioral analytics, to detect unknown threats. It also makes use of active defense strategies such as threat intelligence, adversary hunting, and response.
Who uses a SOC?
The typical SOC owners and customers are large enterprises with highly distributed and complex IT infrastructure across multiple locations and geographic regions. Such systems generate such vast quantities of event and log data that require dedicated security specialists using the latest tools to obtain visibility of emerging and evolving security threats. SOC’s are of the most significant value to organizations operating in fields where they face threats from state-sponsored threat actors or organized criminals with the capability to launch sophisticated, sustained, and zero-day attacks.
Managed Security Service Providers
What is an MSSP?
Managed Security Service Providers (MSSP) is the term used for specialist information security service companies that deliver outsourced security solutions for organizations. Services offered fall into the categories of security operations, compliance reporting, and rudimentary security monitoring. Typically, this includes network security management, vulnerability management, and log management. Network security management can cover everything from configuring and monitoring firewalls, installing, and maintaining anti-malware applications through to network intrusion detection.
The principle purpose of an MSSP is to provide an organization with a complete outsourced IT security service that they can tailor to include those services that their organization requires to protect its IT infrastructure. As an additional benefit, the MSSP can provide compliance reporting for organizations involved in regulated activities that require demonstration of compliance to regulations such as the is the Payment Card Industry Data Security Standard (PCI DSS).
The main weakness of MSSP is that they offer a broad range of services but may not have the capability to deliver in-depth threat detection, investigation, and response. Most MSSP are limited to legacy approaches such as the use of logs and SIEM for threat detection and response, which has proved very noisy due to false positives and the root cause of alert fatigue.
Who uses MSSP?
MSSP’s come in all shapes and sizes to cater to all different types of client organizations, so any kind of organization can use them. The services provided will be guided by the individual security needs of the client, the threat landscape it operates in, any requirements for regulatory compliance, and above all, the available budget. Most organizations use MSSP for security operations, compliance, and basic security monitoring.
For organizations that have an in-house security capability, the MSSP can be used to supplement this capability. Alternatively, the organization may choose to outsource its entire security requirements to an MSSP.
Managed Detection and Response
What is MDR?
Managed Detection and Response (MDR) is the term used for specialist threat detection and response capabilities delivered via an outcome-based approach. The goal of MDR is to rapidly identify and limit the impact of security incidents to customers while the focus of these services is on remote threat monitoring, detection, and targeted response activities on a 24/7 basis.
MDR providers may employ a combination of host and network-layer technologies, as well as advanced analytics, threat intelligence, forensic data, and human expertise for investigation, threat hunting, and response to detected threats. These make up an MDR’s technology stack, and deployment is on the inside of the client network on all chokepoints and endpoints. Most MDR do not rely on the use of logs or legacy SIEM.
MDR takes off where MSSP stops, and it’s considered the next iteration for threat detection and response. Most threats detected by MDR cannot be found in logs or a SIEM and cannot be identified by an MSSP or the client’s internal SOC. Furthermore, threats detected by an MDR are typically automatically validated, investigated, contained, and remediated. Unlike MSSP, an MDR does not send unvalidated alerts or false positives to clients and expect them to conduct the investigation.
MDR also offers the opportunity to repurpose security budgets where the MDR would use equivalent or better technology in their stack, such as next-generation AV, SIEM, MSSP, IDS, sandboxing, and others.
Unlike MSSP that simply relies on logs, the main weakness of MDR is that it can get expensive as MDR takes advantage of a completely separate technology stack that needs to be deployed on the inside of the client network. MDR also has a negative side-effect in that it makes log-based approaches such as the existing client SOC and MSSP look ineffective as it detects threats that simply cannot be identified from logs – this naturally doesn’t fare well for any executive that invested in those solutions.
Who uses MDR?
MDR is ideal for mid-size organizations, but it can also be used by all size enterprises that have made little investment in inhouse threat detection and response capabilities, or those who have tried building such inhouse capabilities and are failing to see any viable outcomes.
Organizations that value-focused high-fidelity threat detection, validation, and containment geared toward attacks that have bypassed protective security controls like firewalls and endpoint protection should seek MDR. These capabilities can be used in greenfield environments or to complement and extend the capabilities of in-house SOC or MSSP efforts.
Many buyers gravitate to MDR because the response capabilities are a differentiator from many MSSPs. Well-performed incident response takes time and skill, which many organizations just don’t have, especially when multiple threats are being detected in a short time frame. The more in-depth investigation, analysis, and validation of threats, along with enhanced guidance on how to contain and mitigate the threats, provide significant value to MDR customers. After all, reducing the time to detect a threat is meaningless without a corresponding reduction in the response.
Clients in need of security device management, vulnerability management, log management, and compliance reporting should steer away from MDR and use MSSP instead.
Endpoint Detection and Response
What is EDR?
EDR solutions monitor and record system activity and events happening on endpoints and provide the security team with the visibility they require to expose incidents that would otherwise remain invisible. EDR solutions have evolved from whitelisting solutions that essentially monitor and prevent the unauthorized execution of events. By these actions, whitelisting solutions were able to prevent the execution of unrecognized or untrusted software. The principle behind whitelisting was the fact that there were, at the time, no known ways to evade OS initiated execution events.
EDR solutions are centered on the notion that defensive tools can monitor a series of events along the attacker’s kill chain and capture sufficient event information such that the likelihood of any incident being undetected is significantly reduced. A fundamental underlying assumption of this approach is that there is no credible method of evading all of the various events that occur along the kill chain that is being monitored. However, EDR vendors openly acknowledge that their solutions may miss the primary events associated with a cyberattack.
Security researchers have previously disclosed findings that showed how it was possible to execute software on Windows OS without triggering any events. This discovery, and the subsequent widespread disclosure of its existence, resulted in the emergence of fileless malware as an attack vector that we are currently experiencing. This single event can be pointed to as the reason whitelisting was significantly weakened as an effective defense mechanism.
EDR solutions evolved whitelisting by adding more events and applying analytics engines to the data to uncover instances of things that didn’t belong and enrich the discoveries with intelligence gathered and maintained about files and events. As it stands with security technologies, early adopters reaped the greatest rewards. Today, the limits of EDR solutions are becoming well understood as vulnerabilities are exploited, and attack methodologies multiply.
Managed EDR is simply the management of the EDR solution by an MSP or a vendor and could be considered a small subset of MDR with limited visibility.
The main weakness of EDR as a standalone solution is the limitations on the types of activity it can monitor and the kinds of attacks it can detect. For example, it cannot reliably distinguish between legitimate use of Admin tools, such as Powershell, PSexec.exe, WMI, amongst others, that are used for malicious abuse by attackers performing credential theft, reconnaissance and lateral movement resulting in a high rate of false positives. Furthermore, EDR is blind to any malicious activity that doesn’t entail a distinct process behavior change, including a multitude of commonly used attack vectors such as DNS responder, ARP spoofing, tunneling attacks, lateral movement, and many more.
Due to its complexity, EDR needs to be exercised by highly trained forensic experts, analysts, and threat hunters with many years’ experience who have extensive knowledge of OS internals. It also requires significant investment in building automated hunts to scale any operation. Finally, alert fatigue and data overload are common problems with EDR as they can produce tens of thousands to millions of events per day.
Who uses EDR?
The typical EDR customers are large organizations with ten or more staff in their security team. Efficient operation and analysis of EDR solutions and alerts require highly skilled security staff, which is practically out of reach for most but large organizations. Although many smaller organizations purchase EDR or Endpoint Protection Platform (EPP) inclusive of EDR, these organizations end up using only the regular antivirus capabilities of their EPP while the EDR capability goes un-used. As a result, considerable investment delivers a minimal return.
NETWORK DETECTION & RESPONSE
What is NDR?
Network detection and response (NDR) is a security solution that organizations employ to detect and prevent malicious network activity or conduct post-incident investigations and forensic analysis to determine the root cause, facilitating response and mitigation. NDR solutions can protect against non-malware threats such as insider attacks, abuse of credentials, privilege escalation, lateral movement, and data exfiltration. As an additional benefit, they also provide organizations with greater visibility of actual network traffic and activity. This visibility, in turn, enables security teams to identify and stop suspicious network activity rapidly and thus minimize the impact.
NDR products use Network Traffic Analysis (NTA) but add historical metadata to enable investigations, threat hunting, and the capability for an automated threat response using intelligent integration with firewalls, EDR, NAC, or SOAR platforms. NDR is deployed out-of-band and connects using SPAN/TAP on the inside of the network as an attempt to make room for implementing the broader, full-spectrum potential of NTA.
The main weaknesses of NDR include zero or limited encrypted attack detection, zero endpoint visibility and control, and zero prevention capability. It can also be prone to false positives as network traffic alone doesn’t provide sufficient context to reliably determine whether a communication instance indicates malicious activity, regardless of the ML algorithm used.
NDR solutions can also get very expensive when deployed across large distributed networks requiring the use of a separate network sensor at each location.
Who uses a NDR?
The typical NDR customers are medium to large organizations looking to add more network visibility and post-breach forensic capability to their existing security stack. Efficient operation and analysis of NDR solutions and alerts require highly skilled security staff, which is practically out of reach for most but large organizations.
Extended Detection and Response
What is XDR?
Extended Detection and Response (XDR) is a recent addition to the security lexicon. This term describes the extension of SIEM and promises to reduce alert fatigue and false positives by integrating endpoint, network, system, application, and cloud data. This amalgamation enables better visibility and context into advanced threats through the use of analytics.
Sitting between EDR and MDR in terms of capability, it enhances on EDR solutions in terms of the types of activity it can monitor and the range of attacks it can detect. Where EDR improved on malware detection over antivirus capabilities, XDR extends the range of EDR to encompass more deployed security solutions while also offering containment capabilities using integrations with enforcement points.
The main weakness of XDR is that it is limited to the organizations existing security controls and detection solutions and the associated logs from those to detect a threat. Furthermore, just like SIEM, due to its reliance on logs, it still misses many threats that can only be detected by MDR.
Who uses XDR?
The typical XDR customers are enterprises with large security teams who have invested in a significant set of security controls and detection solutions and are looking to consolidate, streamline, and automate their operations.
Organizations that have invested in EDR, SIEM, and other threat detection solutions and have failed to gain any reasonable security outcomes from those investments and continue to be overwhelmed with false positives and alert fatigue would benefit from XDR.
XDR provides more visibility and context into threats. Events that would not have been previously addressed will rise to higher levels of awareness, the improved visibility allowing security analysts to swiftly focus on attacks, eliminating further impact, and reducing its severity and scope.