Security Spending Shift Toward Detection and Response

How CISOs Can Navigate the Shift Toward Detection and Response

Keith McCammon, Chief Security Officer

Share this Project

Keith McCammonThe security landscape is undergoing a major transformation as organizations shift spending toward detection and response. According to Gartner, detection and response is a top security priority for organizations in 2017, and spending on enhancing detection and response capabilities will be a key priority for security buyers through 2020. This shift is a move away from wide but shallow services provided by Managed Security Service Providers (MSSPs) and toward a more intimate, focused—and ultimately more effective—class of service such as Managed Detection and Response (MDR).

A number of factors are driving this trend. The threat and control landscapes continue to evolve. Threat actors continue to shift away from delivery of traditional early-stage malware and now favor complex multi-stage attacks that rely less on malware and more on exploiting native system utilities and services. On Windows, PowerShell and WMI attack tooling have evolved to combine robust frameworks for access and command and control (C2) frameworks with persistent, intelligent privilege identification and escalation. Many of these frameworks are now being ported to other languages to target Mac environments as well.

Controls have evolved in kind. Application whitelisting continues to gain adoption despite the relatively high cost of implementation and operation. Whitelisting is not for those seeking instant gratification—but for those who are willing to work and wait, it delivers what may be an unparalleled reduction in attack surface. And despite what some vocal pundits would have us believe, malicious software and activity detection is improving as well. Some thoughtful approaches to behavioral detection and exploit mitigation have dramatically increased attacker costs.

As defenders, disciplines such as Network Security Monitoring (NSM) and Endpoint Detection and Response (EDR) afford us a level of visibility into network and endpoint activity that provides what we need to detect most attacks most of the time. On the heels of that visibility we are seeing increased sharing of higher-value threat intelligence, leading to development of increasingly affordable and high-quality collection tools and criteria.

There’s always a “but” . . .

This paints a rosy picture, but we also know that despite these improvements we continue to see a large number of successful attacks. Some of these are very clever. Most are not. Phishing and social engineering continue to dominate on the delivery front, and there are enough unprotected endpoints that traditional malware is still a money-maker.

How does a CISO both keep atop of commodity attacks and identify and disrupt attacks that are more subtle and advanced? Invest in the best prevention and visibility tools that the budget can bear. Build a team capable of synthesizing alerts and observations. Then afford that team the time to ask questions, setting off to hunt the wily attacker.

Of course, it is when the CISO sets out to do this that the enduring challenge emerges: The problem is never finding enough tools to purchase. And it’s not that they can’t find the right tools. CISOs can’t find the right people, and without the right people you can’t build effective security operations. This is why Gartner noted organizations are commonly investing in services.

Planning a Solid Security Program in a Shifting Landscape

When faced with this type of challenge, it’s important to focus on the constants. There are some constants that map to the “why.” Why invest in a security program at all? The constant we seek here involves threat models, risk, even regulation. Assume that the organization understands these constants, because the security program exists!

There are two constants that remain and map to how we address our problems: technology and operations. Technology is easy to understand and easy to find (though we don’t always find the right technology). Operations, loosely defined as qualified people and sound process, will always be the harder of the two to solve.

We’re faced with a classic build vs buy decision. We often think of this applying to technology, but it also applies to teams and operations. What are the various skillsets needed to build the team—what technical, analytical, and management skills are required? Are resources available to recruit, train, and retain the team? When the team is capable of addressing today’s problems, are they the right team to anticipate emerging threats and implement solutions? These questions aren’t easy to answer, and often the answer is that you need to build and buy.

Read more: Build vs Buy: Not Mutually Exclusive

Managed Detection and Response

This brings us to Managed Detection and Response (MDR). What organizations need more than anything is the ability to collect, curate, and ultimately operationalize their next generation (not next-gen!) of security technology. MDR is not about a product. It’s about delivering ongoing, data-driven security operations. It’s about focus, depth, and just the right amount of specialization.

As a case study: Years ago, before we knew how (or if) what is now the MDR market would develop, we built Red Canary with the singular goal of improving our customers’ security. We were very fortunate to blaze this trail alongside our good friends at Carbon Black, and atop our purpose-built platform consisting of a variety of security and information technologies. However, we always knew that while technology would be critical to our success, we would never be successful because of technology. We will always innovate and implement the best technology so we can detect the threats that matter, but we exist to solve the problem that permeates all others: delivery of effective security operations.

Gartner’s research underscores the importance of the operations problem. For the first time, not only do “security people” recognize the changing landscape, but the entire market is responding by seeking out services that meet their business and operational needs—not just their compliance and monitoring needs of years past.

Red Canary 30 Day Endpoint Assessment