The Need For Managed Threat Response (MTR)

The most devastating cyberthreats generally involve human-led attacks, often exploiting legitimate tools and processes such as PowerShell. Attackers keep evolving, and the result is an increase in successful breaches and attacks.

Take a look to see how attackers are evolving:

What can be done?

  • Protect – organizations generally focus 45% of efforts here
  • Detect – makes up 30% of organization security focus
  • Respond – 25% of organization security focus is spent responding to threats

Juggling the above capabilities can be challenging, and with hands-on live hacking enabling attackers to modify their tactics, techniques, and procedures (TTPs) on the fly to bypass security products and protocols, many organisations are looking for support.

While technology, particularly intelligent automated technology, has an important role to play in protecting a network, expert operators are required to perform detection and response. Stopping human-led attacks requires human-led threat hunting.

But finding and retaining talent is a major block for many organizations.

In a recent survey 81% of respondents said their ability to find and retain skilled IT security professionals is a major challenge to their organization’s ability to deliver IT security*.

Three more challenges organizations face are:

  • Tool optimization – not getting full value from the tools already purchased
  • Threat hunter – need human monitoring for threats tools can’t detect
  • Security updates – growth leading to a security program upgrade

*Source: 2020 VansonBourne survey of 5,000 global IT managers

MTR Overview

Sourcing the Human Element

The need to have a human perform the detection and response element of cybersecurity is now understood – so where can organizations get help, given the lack of skilled staff available? You can either try to find or upskill your own people to fill the gap, OR you can offload the requirement onto a managed security service like Sophos MTR.

Managed Security Services are an essential evolution in today’s cybersecurity landscape

24/7 human-led threat hunting is at the center of every hunt, investigation, and response with Sophos MTR. Other services rely exclusively or primarily on automation; Sophos MTR puts human experts at the center of the hunt, investigation, and response.

Sophos takes targeted actions to neutralize threats. Sophos doesn’t just investigate detections, they investigate suspicious activity; they don’t just investigate known threats, they investigate the behaviors, tactics, techniques and procedures that attackers use to evade detection and execute successful attacks.

Sophos gives you complete transparency and control. While others stop at threat monitoring and notification, Sophos takes targeted actions to neutralize threats.

How does it work? Let’s look at a timeline.

  1. Nothing was detected, so no response can be taken
  2. Analyst conducts a threat hunt and discovers a brand-new indicator of compromise (IoC)
  3. Analyst starts an investigation to confirm whether the new IoC is malicious or benign
  4. Analyst determines what response action is needed, and executes it
  5. Analyst-led remediation actions are turned into playbooks for future automation

As you can see, the analyst not only conducted the investigation and confirmed whether the attack/behavior was malicious or benign, but also provided remediation actions which will help protect the organization from these types of threats in the future.

Take a look at the process to understand how and when human threat hunters and response experts get involved.

MTR Over EDR

MTR (done for you) vs. EDR (do it yourself)


All MTR customers get Intercept X for protection and EDR along with it. You can go hybrid: outsource threat hunting and SOC to MTR, and EDR can be used internally by IT operations.

In a survey conducted by Enterprise Strategy Group (ESG), 34% of organizations say their biggest challenge is a lack of skilled resources to investigate a cybersecurity incident involving an endpoint and determine its root cause and attack chain.

Advantages

24/7/365 team of experts

  • Best protection on the market, with access to cutting-edge technology before it is available in other products
  • EDR is powerful but requires capable analysts to use it regularly for full value

Services are an enabler

  • MTR lets team members focus on tasks they are skilled at
  • Threat hunting, incident response, and security health checks are included

More data, more visibility

  • Threat investigations include data from other Sophos Central products, beyond the endpoint

MTR is not:

  • a managed EDR
  • part of Sophos Central
  • an IT operations service

Why not build a SOC in-house?

You may be thinking that running a SOC is a great idea and that you want to do it in-house. The truth is that in-house costs more money, takes more time, and has a higher failure rate. If you were an organization trying to hire a cybersecurity analyst, one costs $55k-116k according to US Glassdoor.com data. You’d need 24/7 coverage, so a minimum of two analysts. Mid-sized organizations need at least 4, and don’t forget to factor in benefits and vacation. Also factor in team managers (~$180k), engineers (~$115k), and the EDR, workflow processing, intel feeds, and other various systems needed in a SOC. Sophos MTR is a fraction of the cost compared to building out your own SOC.

EDR Over MDR?

EDR has become a core capability of endpoint protection, no longer seen as an addon. 51% of organizations use EDR, and another 31% are considering using it.

You can now search for anything. Anything an analyst can think of can be searched for in the SQL application. There are tons of prebuilt queries; you can edit them or build your own if you’re good at SQL. What you can ask is limitless.
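As an added illustration of the kind of SQL threat hunt the paragraph above refers to, tying back to the PowerShell abuse mentioned at the top of the page: the example below is constructed for this page, not Sophos’s own query library or EDR schema. The `process_events` table layout, the column names and the sample rows are all assumptions; the query flags PowerShell launched from an Office parent or with hidden-window/encoded-command switches, which are behaviours an analyst would want to investigate rather than confirmed detections.

```python
import sqlite3

# Constructed sample endpoint telemetry (hostname, parent process, process, command line).
# This is NOT the real Sophos EDR schema; it stands in for whatever table the EDR exposes.
SAMPLE_PROCESS_EVENTS = [
    ("ws-01", "explorer.exe", "powershell.exe", "powershell.exe -NoProfile Get-ChildItem"),
    ("ws-02", "winword.exe", "powershell.exe", "powershell.exe -w hidden -enc SQBFAFgA"),
    ("srv-03", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("ws-04", "cmd.exe", "powershell.exe", "powershell.exe -ExecutionPolicy Bypass -File deploy.ps1"),
]

# Hunt query: PowerShell spawned by an Office application, or run with a hidden
# window / encoded command. Neither is proof of compromise; both warrant a look.
HUNT_QUERY = """
SELECT hostname, parent_name, cmdline
FROM process_events
WHERE LOWER(process_name) = 'powershell.exe'
  AND (
        LOWER(parent_name) IN ('winword.exe', 'excel.exe', 'outlook.exe')
     OR LOWER(cmdline) LIKE '%-enc%'
     OR LOWER(cmdline) LIKE '%-w hidden%'
  )
ORDER BY hostname
"""


def build_db(events):
    """Load the constructed events into an in-memory SQLite table (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE process_events "
        "(hostname TEXT, parent_name TEXT, process_name TEXT, cmdline TEXT)"
    )
    conn.executemany("INSERT INTO process_events VALUES (?, ?, ?, ?)", events)
    return conn


def hunt_suspicious_powershell(events=SAMPLE_PROCESS_EVENTS):
    """Run the hunt query and return the matching (hostname, parent, cmdline) rows."""
    conn = build_db(events)
    try:
        return conn.execute(HUNT_QUERY).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    for hostname, parent, cmdline in hunt_suspicious_powershell():
        print(f"{hostname}: {parent} -> {cmdline}")
```

Only the `ws-02` row is returned: the administrator’s `Get-ChildItem` on `ws-01` and the scripted deployment on `ws-04` match none of the conditions, which is the point of a hunt query as opposed to a signature: it narrows thousands of benign PowerShell launches down to the handful an analyst should triage.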

The benefits

The only competitor to Sophos that offers human-led MTR is CrowdStrike. Learn why Sophos beats CrowdStrike, and not just because our protection accuracy is 100% compared to their 88% (SE Labs Jan-Mar 2020).

Scenario – Can you stop a cyberattack? Here’s what Sophos does!

Sophos Rapid Response is lightning-fast incident response. Any organization can benefit from the experts. Customers are onboarded within hours and the majority of customers are triaged within 48 hours. No shipping equipment or flying analysts on site. It is a 45-day fixed-cost service, available 24/7/365 (cyberattacks happen at the worst of times, on holidays and at 3 am – Sophos is there!).

Remember this image from earlier? See how RR fits.