How to optimize managed detection and response (MDR) offering and SOC activity

Cyber threat intelligence (CTI) has become a staple in the cybersecurity community, as it gives companies and individuals information about threats that can be attributed to specific threat actors. However, not all MSSPs realize CTI’s full potential and the opportunities it can create.

SOCs and MDR providers have a lot of catching up to do. The threat landscape is evolving faster than cybersecurity teams can adapt. As a result, SOCs and MSSPs unwittingly run on outdated protocols and limited resources, preventing them from realizing their full potential for their customers. What’s more, myths about certain cybersecurity approaches hold many SOCs back.

This article serves to debunk these myths and outline five fundamental actions each MDR and SOC can take to optimize their offerings. The outlined measures have been proven time and again and will help ensure that your customers receive the best managed service.


Read this article to discover four examples of how being an intelligence-driven provider can propel your business and boost your brand in the eyes of your customers.

Content Summary

Introduction
Leverage the power of CTI
Conduct regular third-party audits
Measure your team’s efficiency
Build a service management practice
Consolidate your stack with help of XDR technology

Introduction

Let’s face it: The threat landscape is evolving faster than cybersecurity can adapt. Regardless of how mature your company is or how well trained your information security personnel are, you should always assume that threat actors are several steps ahead.

Those on the front lines of the endless battle against cybercrime have it the hardest. Security operations centers (SOCs), the first line of defense in the event of a cyberattack, are often not equipped to handle modern threats. This is in part because SOCs run on outdated protocols and lack the resources to effectively prioritize and manage alerts: nearly half of SOCs do not have a dedicated incident response specialist or Cyber Threat Intelligence (CTI) analyst on staff. [1]

Moreover, modern SOCs lack the tools to give them adequate visibility of the threat landscape and of their own perimeter. In fact, 45% of breaches in 2020 were due to simple perimeter-based vulnerabilities and insecure infrastructure. [2]

Effective detection and response capabilities can mean the difference between your company losing millions and maintaining business operations as usual. To ensure the latter outcome, SOCs and MDR providers must think outside the box and proactively adopt new policies and solutions.

“MDR done right gives you contextual understanding of your environment and digs deeper into the nuanced details that make your environment vulnerable to threats. Managed detection and response helps you monitor and understand your overall security posture while also improving compliance and reducing your risks.” Joeseph Shenouda, Cyber Consult

One factor holding SOCs back, however, is misconceptions about certain cybersecurity approaches — that they are complicated, require too many resources, or are not worth the trouble. This white paper will break down these myths and propose five easy steps you can take to ensure the efficiency of your SOC and the quality of your MDR offering:

  1. Leverage the power of CTI
  2. Conduct regular third-party audits
  3. Measure your team’s efficiency with KPIs
  4. Build a service management practice
  5. Consolidate your stack with XDR technology

Leverage the power of CTI

Cyber threat intelligence (CTI) has become a staple in the cybersecurity community, as it gives companies and individuals information about threats that can be attributed to specific threat actors. However, not all MSSPs realize CTI’s full potential and the opportunities it can create.

Below are four examples of how being an intelligence-driven provider can propel your business and boost your brand in the eyes of your customers.

Expand the personalization and targeting of your offerings

CTI has changed significantly over time. What once was based on pure IoC feeds has transformed into adversary-centric, expertise-driven solutions.

Despite the evolution, the core idea behind CTI has not changed: to provide a company with actionable data that will help in strategic and operational decision-making.

Including CTI in your MSS offering brings two main improvements:

  1. You can potentially gain access to unique and closed sources that contain information about cyberattacks before they actually happen.
  2. You can tailor your proposal to a specific organization by fulfilling that organization’s own intelligence requirements.

CTI allows you to offer managed security services based on which adversaries are most likely to be interested in the specific company or industry. At the same time, you provide tailored and actionable data, no matter how mature a company’s cybersecurity is.

Bottom line: You not only offer more and/or better data but also offer to track relevant adversaries and help prepare the customer to counter them “in the wild”, instead of merely disseminating threat reports and security bulletins.

Be one step ahead of the market

Quality cyber threat intelligence is no longer about the response stage. Gathering information and understanding adversaries allows you to predict how the market will change so that you can act accordingly.

In the short term, discovering a new attacker tool or zero-day vulnerability months before anyone else is a crucial advantage. Leverage this to craft a detection strategy and bring value to your customers via intelligence-driven consulting.

There are long-term benefits as well. In cybersecurity, one year is already a substantial time frame for forecasts. Leverage your access to unique data and the expert CTI community to gain an edge in prioritizing defensive tools, security controls, and skillsets.

Bottom line: You get a peek at the ever-changing future. Keep your services portfolio updated and on par with the latest trends. Gain customers’ trust and worldwide recognition when your forecasts as a provider come to life.

Improve your services with global context

While closely related to the previous point, here we refer to day-to-day operations rather than long-term strategies. There are ways CTI can enrich your overall portfolio as an MSSP.

Data sources are the key here. Imagine that attribution for every detection in a customer’s network was almost fully automated and enriched by additional information such as the key tactics, techniques, and procedures (TTPs) of a specific threat actor, insights into attack stages, and probable next steps.

Intelligence-driven indicator enrichment and threat attribution are great practical steps for improving your services.
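The following is an added example, not code from the original white paper, of the enrichment and attribution step described above: a cluster of detections from one host is scored against locally held actor profiles, attributed only when the evidence is strong and unambiguous, and enriched with the observed attack stage and the actor’s probable next techniques. The actor profiles, indicators (documentation IP ranges, example domains, a placeholder hash) and detection records are constructed for the example; the ATT&CK technique IDs are real, but the kill-chain ordering per actor is an assumption.

```python
"""Intelligence-driven enrichment and attribution of SOC detections (added example)."""
from typing import Dict, List, Optional

# Constructed actor profiles. Indicators use documentation ranges and example
# domains; the per-actor technique order is illustrative, not real intelligence.
ACTOR_PROFILES: Dict[str, dict] = {
    "ACTOR-A": {
        "indicators": {"198.51.100.23", "update-cdn.example", "sha256:" + "a" * 64},
        # ATT&CK technique IDs in the order this actor typically progresses
        "kill_chain": ["T1566.001", "T1059.001", "T1003.001", "T1021.001", "T1486"],
    },
    "ACTOR-B": {
        "indicators": {"203.0.113.77", "shell-proxy.example.net"},
        "kill_chain": ["T1190", "T1505.003", "T1059.001", "T1071.001", "T1041"],
    },
}

INDICATOR_WEIGHT = 2   # a shared IP/domain/hash is stronger evidence than a shared TTP
MIN_SCORE = 3          # below this, do not attribute at all
MIN_MARGIN = 2         # best actor must clearly beat the runner-up


def score_actors(detections: List[dict]) -> Dict[str, int]:
    """Score every known actor against the indicators and techniques seen."""
    scores = {}
    for actor, profile in ACTOR_PROFILES.items():
        ind_hits = {d["indicator"] for d in detections
                    if d.get("indicator") in profile["indicators"]}
        ttp_hits = {d["technique"] for d in detections
                    if d.get("technique") in profile["kill_chain"]}
        scores[actor] = INDICATOR_WEIGHT * len(ind_hits) + len(ttp_hits)
    return scores


def attribute(detections: List[dict]) -> Optional[str]:
    """Return the attributed actor, or None when evidence is weak or ambiguous."""
    ranked = sorted(score_actors(detections).items(), key=lambda kv: kv[1], reverse=True)
    best, best_score = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0
    if best_score < MIN_SCORE or best_score - runner_up < MIN_MARGIN:
        return None
    return best


def enrich(detections: List[dict]) -> dict:
    """Attach actor, furthest observed stage and probable next techniques."""
    scores = score_actors(detections)
    actor = attribute(detections)
    if actor is None:
        return {"actor": None, "stage": None, "next_steps": [], "scores": scores}
    chain = ACTOR_PROFILES[actor]["kill_chain"]
    observed = [chain.index(d["technique"]) for d in detections
                if d.get("technique") in chain]
    furthest = max(observed) if observed else -1
    return {
        "actor": actor,
        "stage": chain[furthest] if furthest >= 0 else None,
        "next_steps": chain[furthest + 1:],   # what to hunt for / block next
        "scores": scores,
    }


# Constructed detections: a phishing attachment, PowerShell, then LSASS access on one host.
SAMPLE_CLUSTER = [
    {"host": "ws-12", "indicator": "update-cdn.example", "technique": "T1566.001"},
    {"host": "ws-12", "indicator": None, "technique": "T1059.001"},
    {"host": "ws-12", "indicator": None, "technique": "T1003.001"},
]
# A single generic technique shared by both actors: must stay unattributed.
LONE_DETECTION = [{"host": "srv-03", "technique": "T1059.001"}]

if __name__ == "__main__":
    print(enrich(SAMPLE_CLUSTER))
    print(enrich(LONE_DETECTION))
```

The thresholds matter more than the scoring formula: a lone PowerShell detection matches both profiles equally and is left unattributed rather than guessed, while the three-step cluster is attributed and yields the next two techniques the customer should hunt for.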

Including the promise of access to first-hand intelligence data straight from response and investigation activities (like attackers’ C2 servers and machines) can also increase your offering’s real and perceived value.

Bottom line: You help your customers focus their defensive efforts and empower your service portfolio with cyber threat intelligence on all levels.

Substantiate ROI in cybersecurity

There is almost always miscommunication between technical and security experts on one side and top-level business executives and decision-makers on the other. The importance and validity of investments in cybersecurity on such a scale (e.g. when choosing an MSS provider) have to be conveyed properly.

CTI can facilitate this process. Apart from technical terms, IoCs, and TTPs, threat intelligence provides easy-to-understand business-related data for any level.

Threat intelligence can help answer the following questions:

  • How much is an attack going to cost us?
  • How many companies like ours went out of business last year after a successful cyberattack?
  • How many critical vulnerabilities do we have in our infrastructure?
  • How many threat actors target similar enterprises in our region and how hard are they hit?

Bottom line: With these answers you not only substantiate ROI but also show your customers’ C-level executives concrete ways to maximize the return on their cybersecurity spend through the measures discussed above.

Conduct regular third-party audits

Whether in medicine or cybersecurity, it never hurts to get a second opinion. The value of an unbiased assessment of your policies, assets, infrastructure, and personnel cannot be overstated, with benefits including:

  • Finding vulnerabilities that would have otherwise been overlooked
  • Figuring out your true security posture
  • Getting actionable recommendations tailored to your business needs
  • Preparing your team to deal with real-life attacks

Therefore, SOCs and MDR providers should focus on conducting regular third-party audits.

Although there are many kinds of cybersecurity audit, each as important as the next, your staples should be Red Teaming engagements and Compromise Assessments. Both evaluations involve the vendor taking an attacker-centric approach, using its in-depth understanding of attacker TTPs and behavior to detect deeply embedded vulnerabilities and traces of malicious activity.

Both should be performed at least once a year, and by a different vendor each time, to ensure a truly objective assessment.

Red Teaming

Red Teaming is the ultimate security test for organizations. In it, the Red Team (third-party auditor) performs an attack simulation based on real-life TTPs and cyber incidents. Conclusions of the engagement are drawn based on how well the Blue Team (SOC or MDR) responds to the simulation.

Such engagements prepare the Blue Team to respond to real security incidents through the practical application of dormant skills and tools.

Red Teaming engagements are strongly recommended for enterprises and larger companies, but they can also bring value for smaller companies in the form of actionable recommendations.

Compromise Assessment

The core motivation for a compromise assessment is the realization that you may already be breached. While many companies believe that their security controls are airtight, they forget that threat actors are adept at finding new ways of bypassing detection logic.

That is why attacker dwell time can be up to several months, if not years.

During a compromise assessment, the auditor examines a company’s infrastructure and network for traces of past or ongoing cyberattacks. The vendor then gives the company a detailed report on security breaches as well as tailored mitigation recommendations.

Bottom line: Red Teaming and Compromise Assessments give SOCs the wake-up call they need to bolster their protocols and staff training and provide better MDR capabilities.

Measure your team’s efficiency

Having a clear picture of what success looks like for MDR is critical. Aligning the objectives and expectations of the MDR provider and the client is vital because any disconnect will destroy the MDR-client relationship and waste valuable resources.

There are two areas on which you should focus: time-based (and rate-based) metrics and quality-based metrics. Finding a balance is key because, otherwise, you could inadvertently encourage fast results over quality performance, which will hurt overall efficiency.

Examples of time- and rate-based metrics:

  • Incident monitoring
    • Time to detection
    • The rate of incidents escalated
    • False positive incident rate
  • Incident Response
    • Time from detection to elimination
  • Cyber Threat Intelligence
    • Threat actor attribution rate
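Computing the metrics in the list above from an incident log, as an added example that is not part of the original white paper. The incident records, the field names and the SLA targets are constructed for the example; the point is that detection delay is measured from the earliest attacker activity (not from the alert), open incidents are excluded from the resolution time rather than counted as zero, and each metric is compared against a target whose direction (lower or higher is better) is explicit.

```python
"""Time- and rate-based MDR metrics over an incident log (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass
class Incident:
    incident_id: str
    first_activity: datetime        # earliest attacker activity found in telemetry
    detected: datetime              # time the alert was raised
    resolved: Optional[datetime]    # containment/eradication complete; None if still open
    escalated: bool                 # handed from Tier 1 to Tier 2/IR
    false_positive: bool            # closed as benign after triage
    attributed: bool                # CTI team linked it to a known actor or campaign


# Constructed sample log; timestamps are relative to an arbitrary start.
_T0 = datetime(2023, 3, 1, 8, 0)
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("INC-1", _T0, _T0 + timedelta(hours=2), _T0 + timedelta(hours=6), True, False, True),
    Incident("INC-2", _T0 + timedelta(days=1), _T0 + timedelta(days=1, hours=1),
             _T0 + timedelta(days=1, hours=3), False, True, False),
    Incident("INC-3", _T0 + timedelta(days=2), _T0 + timedelta(days=5), None, True, False, True),
    Incident("INC-4", _T0 + timedelta(days=3), _T0 + timedelta(days=3, minutes=30),
             _T0 + timedelta(days=3, hours=1), False, False, False),
]


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def time_to_detect(incidents: List[Incident]) -> Tuple[float, float]:
    """Median and worst-case activity-to-detection delay in hours, true positives only."""
    delays = [_hours(i.detected - i.first_activity) for i in incidents if not i.false_positive]
    return median(delays), max(delays)


def time_to_resolve(incidents: List[Incident]) -> Optional[float]:
    """Median detection-to-elimination time in hours; open incidents are excluded."""
    durations = [_hours(i.resolved - i.detected) for i in incidents
                 if not i.false_positive and i.resolved is not None]
    return median(durations) if durations else None


def escalation_rate(incidents: List[Incident]) -> float:
    return sum(i.escalated for i in incidents) / len(incidents)


def false_positive_rate(incidents: List[Incident]) -> float:
    return sum(i.false_positive for i in incidents) / len(incidents)


def attribution_rate(incidents: List[Incident]) -> float:
    true_positives = [i for i in incidents if not i.false_positive]
    return sum(i.attributed for i in true_positives) / len(true_positives)


def scorecard(incidents: List[Incident], targets: Dict[str, float]) -> Dict[str, tuple]:
    """Each metric next to whether it meets its target. Times and the FP rate are
    'lower is better'; the attribution rate is 'higher is better'."""
    med_ttd, max_ttd = time_to_detect(incidents)
    values = {
        "median_ttd_h": med_ttd,
        "max_ttd_h": max_ttd,
        "median_ttr_h": time_to_resolve(incidents),
        "fp_rate": false_positive_rate(incidents),
        "escalation_rate": escalation_rate(incidents),
        "attribution_rate": attribution_rate(incidents),
    }
    higher_is_better = {"attribution_rate"}
    result = {}
    for name, value in values.items():
        if value is None:                       # no closed incidents yet: cannot pass
            result[name] = (None, False)
            continue
        target = targets[name]
        ok = value >= target if name in higher_is_better else value <= target
        result[name] = (value, ok)
    return result


# Constructed SLA targets; the real numbers come from the MDR contract.
SLA_TARGETS = {"median_ttd_h": 4, "max_ttd_h": 24, "median_ttr_h": 8,
               "fp_rate": 0.3, "escalation_rate": 0.6, "attribution_rate": 0.5}

if __name__ == "__main__":
    for name, (value, ok) in scorecard(SAMPLE_INCIDENTS, SLA_TARGETS).items():
        print(f"{name:18s} {value:8.2f}  {'OK' if ok else 'MISS'}")
```

On the sample data the median detection delay is within target but the worst case (a three-day dwell before INC-3 was detected) misses it, which is exactly the kind of outlier a median-only report to the client would hide.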

Example of a quality-based metric

One way of using a quality-based approach is to do regular reviews of incident analysis. This works especially well with Tier 1 analysts. The review can be done by the Tier 1 team supervisor or a Tier 2-3 analyst at regular intervals (e.g. five alerts per month).

Following the evaluation, you will understand what knowledge is lacking within your team, the common mistakes made during triage, and whether there is room for additional auto-enrichment.

Supervisors can also use the results to develop internal workshops to improve employees’ knowledge about specific threats and teach them how to avoid human error. To encourage the learning process, you can include case reviews as part of the Tier 1 analyst’s KPIs.

Separating the metrics reported to the client from internal performance metrics is crucial. The MDR provider must show the client its capabilities, so the business side can see that the performance offered is sufficient for its purpose. Internal metrics serve a different goal: for example, measuring the capacity and utilization of your analysts gives you the ratio between the number of incidents and the number of analysts, which tells you when to look for additional resources.

As for internal performance, maximizing coverage and visibility is the goal.

SOCs most often rely on telemetry from:

  • Endpoints (process and event data)
  • Networks (NetFlow, metadata records, full packet captures [e.g. PCAP])
  • Assets and vulnerability data (exposed CVEs, open ports, etc.)

Tracking which of these sources are onboarded for every part of the estate lets you avoid missing malicious activity in areas that monitoring does not yet cover, such as newly added network segments.

With regard to coverage, you can utilize the MITRE ATT&CK® framework for gap analysis.
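An added example of that gap analysis, not code from the original white paper: a prioritized technique list (in practice, the TTPs of the actors CTI says target the customer) is compared against the deployed rule inventory and against the telemetry actually onboarded per network segment, so that a technique only counts as covered where both a rule and the data it needs exist. The ATT&CK IDs are real; the rule inventory, the segments and the technique-to-telemetry mapping are constructed and simplified for the example (ATT&CK’s own data-source model is richer).

```python
"""ATT&CK-based coverage and visibility gap analysis for an MDR customer (added example)."""
from typing import Dict, List, Set

# Techniques to prioritise, e.g. TTPs of actors CTI links to the customer's industry.
# Real ATT&CK IDs; the selection is constructed for the example.
PRIORITY_TECHNIQUES: Dict[str, str] = {
    "T1566.001": "Phishing: Spearphishing Attachment",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1078": "Valid Accounts",
    "T1003.001": "OS Credential Dumping: LSASS Memory",
    "T1021.001": "Remote Services: Remote Desktop Protocol",
    "T1071.001": "Application Layer Protocol: Web Protocols",
    "T1486": "Data Encrypted for Impact",
}

# Telemetry a rule for each technique needs before it can fire.
# Simplified mapping chosen for the example, not ATT&CK's data-source model.
REQUIRED_TELEMETRY: Dict[str, Set[str]] = {
    "T1566.001": {"email"},
    "T1059.001": {"endpoint_process"},
    "T1078": {"auth_logs"},
    "T1003.001": {"endpoint_process"},
    "T1021.001": {"auth_logs", "network_flow"},
    "T1071.001": {"network_flow"},
    "T1486": {"endpoint_file"},
}

# Constructed inventory of deployed detection rules, tagged with the techniques they cover.
RULES: List[dict] = [
    {"name": "encoded_powershell_cmdline", "techniques": {"T1059.001"}},
    {"name": "lsass_handle_access", "techniques": {"T1003.001"}},
    {"name": "rdp_logon_from_workstation", "techniques": {"T1021.001"}},
    {"name": "mass_file_rename_burst", "techniques": {"T1486"}},
]

# Telemetry onboarded per network segment (constructed). The new branch only
# sends flow data so far: the blind spot the text warns about.
SEGMENT_TELEMETRY: Dict[str, Set[str]] = {
    "corp-hq": {"endpoint_process", "endpoint_file", "auth_logs", "network_flow", "email"},
    "new-branch": {"network_flow"},
}


def techniques_without_rules(priority: Dict[str, str], rules: List[dict]) -> Set[str]:
    """Prioritised techniques that no deployed rule claims to detect."""
    covered = set().union(*(r["techniques"] for r in rules))
    return set(priority) - covered


def visibility_gaps(priority, required, segments) -> Dict[str, List[str]]:
    """Per segment, prioritised techniques whose required telemetry is not onboarded."""
    return {seg: sorted(t for t in priority if not required[t] <= sources)
            for seg, sources in segments.items()}


def effective_coverage(priority, rules, required, segments) -> Dict[str, Set[str]]:
    """Per segment, techniques with BOTH a rule and the telemetry that rule needs."""
    with_rules = set(priority) - techniques_without_rules(priority, rules)
    return {seg: {t for t in with_rules if required[t] <= sources}
            for seg, sources in segments.items()}


def coverage_ratio(priority, rules, required, segments) -> Dict[str, float]:
    cov = effective_coverage(priority, rules, required, segments)
    return {seg: len(techs) / len(priority) for seg, techs in cov.items()}


if __name__ == "__main__":
    args = (PRIORITY_TECHNIQUES, RULES, REQUIRED_TELEMETRY, SEGMENT_TELEMETRY)
    print("no rule:", sorted(techniques_without_rules(PRIORITY_TECHNIQUES, RULES)))
    print("visibility gaps:", visibility_gaps(PRIORITY_TECHNIQUES, REQUIRED_TELEMETRY, SEGMENT_TELEMETRY))
    print("effective coverage:", coverage_ratio(*args))
```

Two different gaps fall out of this: techniques with no rule at all (a detection-engineering backlog) and, separately, segments where existing rules cannot fire because the telemetry was never onboarded (an onboarding problem). Reporting only the rule inventory would show the new branch as covered when in practice it is blind.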

Bottom line: Measuring the efficiency of MDR processes can provide much-needed transparency between internal teams and clients, drive change, and facilitate constructive partnerships.

Build a service management practice

Bridging the gap between business and technology is a tricky yet crucial task. Regardless of how sophisticated your MDR offering is, if you don’t have a keen understanding of your customer’s needs and business structure, your efficiency will deteriorate, as will your customers’ trust. To ensure full transparency between technological and business processes, you need to have dedicated service managers as part of your SOC team.

The job of a service manager (SM) is simple: translate the business needs of the end customer into a service your SOC can provide. SMs begin their work before the service onboarding process and:

  • Identify critical data and processes, and how to protect them
  • Search for potential points of infrastructure-level compromise
  • Set up communication with the SOC

Once the work has begun, the SM stays by the client’s side 24/7, monitoring the implementation processes and alerting the SOC to any anomalies.

Service managers also are important for their reporting. SMs draft reports for senior management and IS team leaders, breaking down the SOC’s activity in a language and format they can understand.

Ideally, a SOC team should have multiple SMs who each dedicate their time to a small group of customers (or one big customer). Every company, even those within the same industry, has its own processes and security approaches. Without understanding the nuances, your MDR capabilities can end up being less effective.

Bottom line: An SM looks at many factors, including type of business, network equipment, information security policies, and subcontractors, and develops individualized approaches. Having a manager who understands your business not only improves a SOC’s ability to provide better service but shows each customer that they matter.

Consolidate your stack with help of XDR technology

Every year, MDR providers face new challenges and search for ways to overcome them while increasing profitability and growing their businesses. The desire for a single, simplified end-to-end SOC platform among MDRs had been rising steadily until 2020, when the demand spiked due to the global pandemic and subsequent mass migration to remote work.

One of the most powerful ways MDRs can expand profitability and business growth is to use XDR technology to simplify SecOps, analyst training, and solution administration.

Having XDR at the core of your MDR offering will help you correlate attack telemetry across the network and endpoints via automated root-cause analysis that turns into a single incident alert that higher tier analysts can then inspect. The goal is a faster detection and response cycle that prevents burnout, lowers the barrier to threat hunting, and reduces attacker dwell time and SOC analysts’ alert fatigue.

Modern attacks are complex and multi-staged, and traditional SOC tools such as EDR and SIEM are limited in their prevention capabilities. EDR solutions lack the telemetry that security teams need to stop sophisticated threats that target the attack surface beyond the endpoint. And while traditional SIEMs may be flexible and customizable, they are difficult to operationalize and tune because of the number of variables and available features. Moreover, spending months or longer deploying a traditional SIEM and then continually tuning it and adding new rules is no longer a viable option.

XDR extends visibility and detection capabilities across the larger enterprise IT environment and streamlines correlation, threat hunting, and response more holistically. It also breaks down data silos and unifies incident context for faster, more effective threat detection and response.

Bottom line: XDR can be an extremely effective technology that enables MSSPs to end malicious operations by extending detection and response capabilities across the entire enterprise environment. And for MDRs, this means a reduction in costs to support its SOC stack and, therefore, better service margin. Moreover, it is becoming increasingly vital to work with technology partners that can help you not only maintain and grow your client base but also contribute to cost-saving and higher margins.