Going Holistic: The Next Evolution Of Managed Detection And Response Services

Originally written and published by Manoj Srivastava for Forbes.

In my first Forbes Technology Council article on managed detection and response (MDR), I noted the biggest challenge driving organizations to outsource cybersecurity to a managed services partner: growing attack surface and complexity. As the industry has grown to address an ever-evolving threat landscape, we’ve seen massive fragmentation in the security tools on the market. On one level, that has helped find powerful, targeted toolsets to protect every part of the IT stack against a dizzying range of threats—from endpoint protection to vulnerability assessments to cloud identity management. However, identifying what a given business needs has become extraordinarily complex, especially for mid-market and smaller organizations.

In a follow-up article, I next detailed the diverse preventative cybersecurity offerings that managed service providers are now adding to their portfolios. You can probably see where this is going: While it’s important for these providers to offer forward-looking protection, if cybersecurity was already complicated, and they added even more components to their services, doesn’t this make things even harder for them to manage and for their customers? How are businesses supposed to synthesize what all these proliferating tools are telling them and determine where to focus their time and resources? How can managed service providers give customers critical information and recommendations in an actionable, easy-to-understand way?

The answer is that there’s one more step the industry needs to take to tie these threads together. Managed service providers should evolve from delivering a collection of disparate detection and prevention capabilities to delivering a Unified Security Posture for their customers. By treating managed security holistically, managed service providers can give customers the best of both reactive and preventative security within a unified program. Even better, proactive and reactive elements can continually inform one another, creating comprehensive cybersecurity that’s more than the sum of its parts.

Mapping Maturity

The great thing about having so many different toolsets available is that service providers can offer customers exactly the right mix of reactive and proactive capabilities. The problem, of course, is that organizations are like snowflakes; no two are exactly alike. We can break that diversity down into a basic cybersecurity maturity model:

Level 1 – Unprepared: These organizations lack the necessary information to mount an effective defense and are unable to respond to current or emerging issues.

Level 2 – Reactive: These have basic measures in place to react to cybersecurity incidents, but they can’t prevent problems from arising.

Level 3 – Proactive: These organizations augment reactive defenses with tools to proactively address current issues and challenges.

Level 4 – Anticipatory: Mature organizations have platforms, structures and processes in place to proactively prepare for and address future challenges.

Very few organizations are still at Level 1 (fortunately), but organizations can vary widely in their reactive and proactive capabilities. Ideally, the provider’s role is to help them move towards Level 4, where they view security strategically. Not only can customers at this stage respond effectively to threats, but they can continually make informed decisions on where to focus next. Just as important is to provide a meaningful answer to the question, “Where do we stand right now on cybersecurity?”

Managing Security Posture

How can service providers deliver on this holistic model? They can start by building the capacity to synthesize information across the cybersecurity stack, both reactive and proactive, so that they can give customers a single score or rating reflecting their overall security posture. Most providers start with reactive MDR capabilities that protect the attack surface (endpoints, applications, cloud) against real-time threats. They can then layer on preventative capabilities like exposure management, threat hunting, phishing awareness training and cloud and identity management.

It’s now common for the toolsets used in each of these areas to provide a rating for that segment of the cybersecurity stack. That’s a great start, but handing a customer a list of ratings from a dozen different vendor toolsets is not particularly helpful. Instead, providers should take this opportunity to move beyond managing their customers’ cybersecurity tools and take responsibility for their overall security posture. Drawing information from all the diverse toolsets in the customers’ environment, they can then provide a single overall rating that captures the full picture.

This holistic, platform-based approach to managed security offers multiple benefits. Now, providers can:

• Show customers exactly where they stand with their cybersecurity maturity, track their progress and identify next steps to improve security posture.

• Help IT leaders communicate effectively, including showing how the organization’s rating has changed over time and where security investments are making a difference.

• Quantify the cybersecurity impact of organizational changes, such as acquiring a new company, changing policies or adopting a new vendor.

• Create a “virtuous circle,” where reactive and proactive measures continually inform and improve one another, strengthening overall security.

That last benefit is particularly important for providers seeking to build more strategic customer relationships, where they help customers continually optimize their security posture as the business evolves. Insights gleaned from exposure prioritization (for example, identifying emerging threats targeting similar organizations) can dictate which patches should be prioritized or when it’s time to invest in new layers of reactive protection. Similarly, if an MDR solution blocks a threat targeting an application vulnerability in one place, other vulnerable assets must be identified and patched. Or, after remediating a malware attack launched by an employee clicking a malicious URL (reactive), providers could recommend additional phishing awareness training (proactive).

Each reactive and proactive data point gets reflected in the customer’s unified security posture rating and informs what the provider recommends next. As the customer advances along the cybersecurity maturity curve, the partner can layer on more advanced services—continuous security control monitoring, attack path simulations, compliance and more—customized for that customer’s unique needs. Through it all, the virtuous circle keeps expanding, bringing insights from each reactive and proactive element of the cybersecurity program to inform all others. And providers can bring their customers more customized, coordinated and comprehensive protection.

Date published: March 21, 2025
Author: Blackpoint Cyber
