How Managed Detection and Response Relies On Automation to Enhance Cybersecurity

Between the ongoing barrage of ransomware, constant pressure from threat actors and the persistent shortage of cybersecurity staff, more organizations are turning to managed detection and response services to supplement their internal defenses. 

Organizations of all sizes may find that MDR services alleviate the burden on IT staff while providing access to specialized expertise that can be invaluable in today’s threat landscape. For example, MDR vendors complement a defense-in-depth strategy to bolster protection against misconfigurations or vulnerabilities that could normally result in a breach. Such partnerships can be crucial for small organizations, providing access to advanced security solutions and eyes-on-glass monitoring around the clock to accompany them. MDR in those instances may serve as the primary security operations center for a small to midsized organization, or it may serve to complement a mature existing SOC for a larger organization.

MDR vendors aren’t created equal, so when evaluating potential partners, it’s essential to understand how they develop and deliver certain aspects of their services. For instance, automation can be a powerful tool in the MDR arsenal, but its efficacy depends on the back-end design and data that go into it.

Automation is one of the primary ways that MDR vendors support their customers. Automation helps simplify and prioritize — for example, gathering information from a network tool, an endpoint tool and threat intelligence feeds, and boiling all of that down into meaningful data. While security monitoring solutions can deliver a wealth of information, that data can be overwhelming without the proper tools to stitch together telemetry from disparate solutions and then sort the valuable alerts from the noise.

When MDR vendors apply automation this way, they respond more quickly to alerts because their employees have less data to sift through manually. They can pinpoint high-priority alerts and take action, which is the ultimate objective.

Another important use case for automation is creating automated responses for specific scenarios. In these cases, automation adds a layer of security for when a particular course of action needs to be taken immediately. For instance, an organization might want to email a designated security administrator when a critical alert is detected. Automation removes the human element from such events, including any potential for delays, miscommunication or errors in judgment or decision-making.

Automation also adds speed to remediation processes, such as removing a malicious email from employees’ inboxes or isolating assets based on specific criteria. With automation, that process takes seconds, whereas a manual intervention would take much longer. 

One challenge with automation is that it’s only as powerful as the processes and design behind it. That’s why selecting an MDR partner with the expertise to apply automation effectively is vital. The end result of automation can drastically improve the time it takes to stitch together the appropriate data. 

What each organization looks to accomplish with automation can be very different. A substantial manual effort is required to build the automation rules and playbooks within the tooling that an organization decides to use. That might be undertaken by an MDR vendor, or it could be within an internal security orchestration, automation and response tool. 

While we rely on advanced technologies like artificial intelligence to help with detection rates and reduce alerts within our products, AI is not to the point where it can alleviate the manual effort needed to build out the workflows. Creating a good playbook and using a product that has robust capabilities and integration will enable the organization to greatly reduce manual efforts later on. Using the right tools, working with MDR vendors that offer proprietary tools as part of their MDR services and that have experts on staff to create the automation rules will ultimately determine the effectiveness of the automation.

Although many security solutions offer native integration out of the box, even these may require manual effort to get them working properly. Plus, all automation tools require periodic oversight.

Designed and deployed effectively, automation shines by enriching alerts and reducing false positives. MDR vendors that create their automation systems properly can bring value to their customers through their ability to pull in disparate sources of threat intelligence, assess indicators of compromise and differentiate the true positives from the extraneous noise. Automation tools can aid that process immensely, making it more likely that MDR vendors will successfully mitigate risk for their customers.

Story by

Michael Cappiello, a senior inside solution architect for security at CDW.

Dom Daidone, a cybersecurity practice lead at CDW.