Cybersecurity Vulnerability Management is Growing Crisply


Posted by Robert Ackerman

Since Gartner, the prominent technological research firm, introduced the managed detection and response (MDR) category seven years ago, many organizations have hired one of scores of MDR providers with the goal of improving their security postures, in part by easing the burden of overworked and woefully short-staffed security teams.

This miniature industry, known as vulnerability management, is the ongoing process of identifying, assessing, reporting and remediating cyber vulnerabilities across endpoints, systems and workloads. It’s the most comprehensive solution readily available for addressing multiple cyber issues at once. Essentially, MDR vendors are outsourced security operations centers (SOCs), the function that would otherwise protect an organization against cyber threats from in-house.

MDRs have become increasingly popular. According to Research and Markets.com, the market value of MDRs grew from less than $1 billion in 2019 to nearly $3 billion in 2022 and is projected to grow to nearly $6 billion by 2027. By 2025, Gartner says, 50 percent of organizations in the U.S. will be using MDR services.

This growth trajectory is robust for good reason. There is a shortage of 700,000 cyber pros in the U.S. and 3.4 million globally, and this dearth of experts typically prods cybersecurity and IT teams to invest in more tools to close security gaps. This seems reasonable, but security teams can quickly become overwhelmed by more tools than they can manage properly.

Automated tools send out alerts based on specific criteria, but many of those alerts are unnecessary, and the tools collectively produce hundreds of false alerts. For instance, a cybersecurity team with 40 different tools that aren’t properly integrated may receive 40 notifications of the same activity. Other false alerts come from poorly tuned systems or from threats that are irrelevant to the organization.

This explosion of false alerts can make cyber teams numb to genuine threats, and, not surprisingly, too many organizations are reacting to them far too slowly. According to IBM, it takes a business an average of 277 days to identify and report a data breach, a huge headache that boosts the odds of significant damage.

Some MDR vendors are better than others, of course, and many of them could stand some improvement. Overall, though, MDR vendors ensure better cyber threat detection and response.

Many invest in the latest technology, and almost all players make sure it’s constantly updated. They hire highly skilled staff who tend to be more experienced in threat detection and response than many in-house security teams. And because MDR vendors sell their services to many customers across several industries and verticals, they can correlate and cross-reference cyber threats and simultaneously analyze data from a wide variety of sources, enhancing their understanding of evolving threats.

Before deciding to outsource to an MDR vendor, prospective customers need to evaluate the gaps in their current security posture. This enables them to determine whether cyber outsourcing makes sense and, if so, what their needs and capabilities are in funding, cyber know-how and manpower.

Organizations proceeding to this level should make a point of confirming that specific parameters meet their needs. For starters, they should make sure that the MDR service level agreements (SLAs) are strong. As an example, many SLAs require the vendor to report any suspicious activity within 30 minutes, day or night. Check whether the SLA includes penalty clauses for violations of that commitment; they are a powerful check on performance that strongly encourages compliance.

In addition, given that genuinely malicious log entries are rare, make sure the prospective MDR vendor can avoid false positives: events that look malicious but, in fact, are not. Too many false positives can undermine the value of the service. On another front, bear in mind that the security needs of organizations differ, so it’s important to determine that the vendor can customize the particular solution you need.

Noteworthy, too, is that many MDR services are overly focused on protecting endpoints. Endpoint-focused services respond well against cyber threats such as ransomware and other malware, and that clearly is important. But this approach means some MDRs lack visibility into an organization’s broader tech stack and into some of today’s more advanced threats. This deprives investigations of security context that could be crucial.

Another issue with some MDR services is that they rely on a “black box” and/or fail to solve the alert noise problem. In the black-box case, the service produces useful findings but no information about how they were derived, limiting visibility into valuable investigations. The alert noise problem – the enormous volume of network traffic – makes it extremely difficult for a security analyst to differentiate between legitimate data exchanges and actual security risks.
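The duplicate-notification and alert-noise problems described above (40 tools reporting the same activity, and an analyst unable to tell signal from volume) are usually attacked first with alert consolidation: collapsing alerts that different tools raise about the same host and the same indicator within a short time window into a single incident, while recording which tools agreed. The Python script below is an added illustration of that technique; it is not code from the author or from any MDR product. The `Alert` fields, the 15-minute window and the sample alerts are all constructed assumptions for the example.

```python
"""Consolidate duplicate alerts from several security tools into single incidents.

Added example; the field names, the correlation window and the sample alerts
are constructed for illustration and do not describe any real product.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed severity ordering so a consolidated incident keeps the worst rating.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Alert:
    tool: str        # product that raised the alert (constructed names below)
    host: str        # asset the activity was observed on
    indicator: str   # what fired: a file hash, destination address, process name, ...
    severity: str
    ts: datetime


@dataclass
class Incident:
    host: str
    indicator: str
    severity: str
    first_seen: datetime
    last_seen: datetime
    tools: set = field(default_factory=set)
    raw_alerts: int = 0


def _key(alert):
    """Normalise host and indicator so case/whitespace differences between tools still match."""
    return (alert.host.strip().lower(), alert.indicator.strip().lower())


def consolidate(alerts, window=timedelta(minutes=15)):
    """Group alerts about the same (host, indicator) seen within `window` of each other.

    Alerts are processed in time order; an alert joins an existing incident only if
    it arrives within `window` of that incident's last alert, otherwise it opens a
    new incident (the same indicator hours later is treated as a fresh event).
    """
    incidents = []
    for a in sorted(alerts, key=lambda x: x.ts):
        host, indicator = _key(a)
        for inc in incidents:
            if (inc.host, inc.indicator) == (host, indicator) and a.ts - inc.last_seen <= window:
                inc.tools.add(a.tool)
                inc.raw_alerts += 1
                inc.last_seen = a.ts
                if SEVERITY_RANK[a.severity] > SEVERITY_RANK[inc.severity]:
                    inc.severity = a.severity
                break
        else:
            incidents.append(Incident(host, indicator, a.severity, a.ts, a.ts, {a.tool}, 1))
    return incidents


def summarize(alerts, window=timedelta(minutes=15)):
    """Return how many raw alerts were received, how many incidents remain, and how many were suppressed."""
    incidents = consolidate(alerts, window)
    return {"raw": len(alerts), "consolidated": len(incidents), "suppressed": len(alerts) - len(incidents)}


# Constructed sample: three tools flag the same (placeholder) file hash on one workstation
# within minutes, a network sensor flags a different host, and the same hash reappears
# on the workstation three hours later.
T0 = datetime(2023, 6, 1, 9, 0, 0)
SAMPLE_ALERTS = [
    Alert("edr", "WS-17", "sha256:constructed-sample-hash", "high", T0),
    Alert("av", "ws-17", "SHA256:CONSTRUCTED-SAMPLE-HASH", "medium", T0 + timedelta(minutes=1)),
    Alert("ndr", "srv-db-02", "outbound to 203.0.113.10", "low", T0 + timedelta(minutes=2)),
    Alert("siem", "ws-17 ", "sha256:constructed-sample-hash", "high", T0 + timedelta(minutes=4)),
    Alert("edr", "ws-17", "sha256:constructed-sample-hash", "critical", T0 + timedelta(hours=3)),
]

if __name__ == "__main__":
    for inc in consolidate(SAMPLE_ALERTS):
        print(f"{inc.first_seen:%H:%M} {inc.host:<10} {inc.severity:<8} "
              f"{inc.raw_alerts} alert(s) from {sorted(inc.tools)}: {inc.indicator}")
    print(summarize(SAMPLE_ALERTS))
```

Run stand-alone, the script turns five raw alerts into three incidents; the first carries the agreement of all three endpoint-side tools, which is itself useful triage context that the 40 separate notifications would have hidden. The window length is a tuning decision: too short and one event fragments into several incidents, too long and unrelated recurrences are merged.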

Lastly, it’s important to underscore that most MDR providers focus solely on alerts generated by security tools. While not a problem in itself, those seeking deeper detections need to find vendors that also ingest so-called raw security telemetry, which can surface threats that security tools miss on their own. Telemetry monitors data from remote sources and provides information, for example, about whether a server has been affected by an anomaly and perhaps compromised.

In the big picture, the upshot is positive. MDR vendors are generally competent and customizable, so they serve relatively small businesses as well as large ones, and they can scale protective measures as smaller companies grow. No question, MDR service providers are worth a hard look in a world replete with cyberattacks and breaches.


Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

