Perspectives On MDR and Threat Hunting

Praveen Yeleswarapu
September 27, 2021

This article is a written summary of the third #CybersecurityAfterHours event that happened in September 2021, with guest speakers Ravi Prakash and Chaitanya Kulkarni of Larsen & Toubro Infotech.

If you’d like to register for the next event, please sign up here.

How should organizations think about renewing their cybersecurity posture today?

Organizations need to bear the following in mind while renewing their cybersecurity posture:

  • The Chief Information Security Officer (CISO) must be vigilant about external as well as internal attack vectors and strive to identify them early.
  • Businesses must vet third parties (suppliers, partners, service providers) thoroughly before associating with them. An entity with weak security standards or a history of breaches becomes a weak link that can compromise the entire security infrastructure.
  • CISOs must understand the business environment. When they understand the market and the customers, they are better equipped to assess the level of exposure and the probable outcomes of a failed strategy, which in turn prompts the business to improve its practices.

In addition, CISOs must weigh three further aspects as part of their incident response plan:

  1. Continuity of business. Even the shortest outage can result in significant business losses.
  2. Brand equity, which is liable to be damaged if a cyber attack disrupts services or the flow of information.
  3. Compliance management, to ensure that best practices are followed throughout the organization and by the external parties it works with.

How can a CISO be poised to suggest Cybersecurity as a business priority to the Board?

Business and finance executives are rarely fluent in the technical jargon of the cybersecurity ecosystem, so it is difficult for them to make financial sense of heavy investments in cybersecurity. For a CISO to convince the executives to fund the necessary defenses, the case has to be presented in the right form.

To make a persuasive case to the board, the CISO must quantify the threat in numbers: the probable loss the enterprise is likely to suffer if it fails to improve its cybersecurity standards, that is, the likelihood of a successful attack weighed against its impact.

Next, the CISO must identify which parts of the business are exposed to attack and how such attacks would disrupt each of them.

Finally, the CISO must translate that exposure into terms that allow the board to understand the consequences of not investing in cyber defense.

Is MDR just a buzzword in Cybersecurity, or is there more?

Managed Detection and Response (MDR) is a managed security service: a third party runs detection and response on the customer's behalf. It is more than a buzzword; it is an evolved approach to identifying and mitigating threats.

An MDR service provider proactively monitors the attack surface of a business as well as the threats that may damage its systems. Such a service combines several approaches and performs a variety of functions, which may include incident investigation, integrated alert triage, integrated remediation through security orchestration, automation, and response (SOAR), and user and entity behavior analytics (UEBA), among others.

How effective can Threat Hunting be in mitigating threats of various kinds?

Threat Hunting allows an enterprise to find threats that evade its existing defenses. Rather than waiting for an alert, the hunter proactively searches the environment for signs of an attacker that no detection has flagged, which helps the business stay ahead of attackers.

At its core, the approach can be summed up as follows:

  • Form a hypothesis about how the cyber defenses could have been bypassed (for example, a particular technique an attacker might be using against a particular kind of system).
  • Identify the indicators of compromise (IOCs) that would prove or disprove the hypothesis, and search the available telemetry for them.
  • If the hypothesis is proven, expand the scope of the hunt to establish how far the intrusion reaches, and then remove the attacker and the weaknesses that let them in.
  • If the hypothesis is disproven, record the result (confirming that a technique is absent is also useful), develop another hypothesis and test it; the cycle continues.

In other words, the hunt itself can be carried out by a service provider, but how to conduct it and which IOCs to look for are strategic decisions that the organization in question must take, since only it knows its own environment and what matters most to it.
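The hypothesis cycle above, as an added worked example that is not part of the original article or the speakers' material. It runs two hypotheses over a handful of constructed authentication events (the hosts, account names and logon types are invented for illustration): H1, "a service account is logging on interactively from a workstation", and H2, "an account is accumulating failed logons". A confirmed hypothesis widens the hunt to every event touching the same account or source host; a disproven one is recorded so the next hypothesis can be tried.

```python
"""Hypothesis-driven threat hunt over constructed authentication events (example code)."""
from collections import defaultdict

# Constructed sample telemetry, not real data. Timestamps are UTC.
EVENTS = [
    {"ts": "2021-09-20T09:15:00", "user": "alice",      "src": "WS-1042", "dst": "FS-01", "logon_type": "network",     "outcome": "success"},
    {"ts": "2021-09-20T02:10:00", "user": "svc_backup", "src": "WS-1042", "dst": "DC-01", "logon_type": "interactive", "outcome": "success"},
    {"ts": "2021-09-20T02:12:00", "user": "svc_backup", "src": "WS-1042", "dst": "FS-01", "logon_type": "network",     "outcome": "success"},
    {"ts": "2021-09-20T02:14:00", "user": "svc_backup", "src": "WS-1042", "dst": "HR-DB", "logon_type": "network",     "outcome": "failure"},
    {"ts": "2021-09-20T03:00:00", "user": "svc_backup", "src": "BK-01",   "dst": "FS-01", "logon_type": "service",     "outcome": "success"},
    {"ts": "2021-09-20T11:30:00", "user": "bob",        "src": "WS-2001", "dst": "FS-01", "logon_type": "network",     "outcome": "success"},
]

# Environment knowledge the hunter brings (assumed for this example).
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql"}
SERVER_PREFIXES = ("DC-", "FS-", "BK-", "HR-")  # anything else is treated as a workstation


def interactive_service_logons(events):
    """IOC for H1: a service account performing an interactive logon from a workstation.
    Service accounts should only ever authenticate non-interactively from servers."""
    return [ev for ev in events
            if ev["user"] in SERVICE_ACCOUNTS
            and ev["logon_type"] == "interactive"
            and not ev["src"].startswith(SERVER_PREFIXES)]


def failed_logon_burst(events, threshold=3):
    """IOC for H2: one account accumulating `threshold` or more failed logons (password guessing)."""
    failures = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "failure":
            failures[ev["user"]].append(ev)
    return [ev for evs in failures.values() if len(evs) >= threshold for ev in evs]


def expand_scope(events, hits):
    """A confirmed hypothesis widens the hunt: pull every event involving the accounts and
    source hosts seen in the hits so the blast radius can be established. This deliberately
    drags in benign baseline activity too; separating it is the analyst's next step."""
    users = {h["user"] for h in hits}
    hosts = {h["src"] for h in hits}
    related = [ev for ev in events
               if ev["user"] in users or ev["src"] in hosts or ev["dst"] in hosts]
    touched = sorted({ev["dst"] for ev in related})
    return related, touched


HYPOTHESES = [
    ("H1", "service account logs on interactively from a workstation", interactive_service_logons),
    ("H2", "an account accumulates repeated failed logons", failed_logon_burst),
]


def run_hunt(events, hypotheses=HYPOTHESES):
    """Test each hypothesis; expand the confirmed ones, record the disproven ones."""
    results = {}
    for name, description, ioc in hypotheses:
        hits = ioc(events)
        if hits:
            related, touched = expand_scope(events, hits)
            results[name] = {"description": description, "confirmed": True,
                             "hits": len(hits), "related": len(related), "touched_hosts": touched}
        else:
            results[name] = {"description": description, "confirmed": False,
                             "hits": 0, "related": 0, "touched_hosts": []}
    return results


if __name__ == "__main__":
    for name, result in run_hunt(EVENTS).items():
        verdict = "CONFIRMED" if result["confirmed"] else "disproven"
        print(f"{name} ({result['description']}): {verdict}, hits={result['hits']}, "
              f"hosts in scope={result['touched_hosts']}")
```

On the constructed data H1 is confirmed by a single event and the expanded scope shows the same account subsequently touching three servers, including a failed attempt against HR-DB; H2 is disproven and would be replaced by the next hypothesis. Note that the IOCs are functions over the whole event set, not per-event predicates, because hypotheses such as H2 only make sense in aggregate.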

How are we seeing automation enable service delivery in cybersecurity?

Automation is enabling cybersecurity professionals to identify and eliminate more threats than ever. As machine learning models improve, machines can take over tasks that are too voluminous or too repetitive for people to perform efficiently.

Security Operations Centre (SOC) teams are flooded with false positives, and automation, including machine learning, can suppress a large share of them. This declutters the event stream so that analysts can focus on the incidents that genuinely matter, instead of spending countless hours working through every piece of data by hand. One caveat: every suppression rule should be as narrow as possible and re-validated against known true positives, or the tuning that removes noise will quietly remove real incidents as well.

Three elements of the threat hunt cycle lend themselves readily to automation:

  • Event analysis: machines classify security events, which increases the volume of events a security team can examine. Classification lets the team filter the stream and focus on the categories that matter.
  • Factor identification: analysts feed the machine instructions describing the conditions of interest, and it raises an alert when, for example, an attacker modifies certain elements on a single compromised source in order to reach multiple other systems from it.
  • Data enrichment: machines add context to events and correlate them with one another, which exposes threat patterns that no single event reveals. Automation makes it possible to analyse large volumes of data and deliver results far faster than human analysts could.
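The three automatable elements above, as one added example that is not part of the original article or the speakers' material: a small triage pipeline that classifies alerts by rule, enriches them with asset criticality and a threat-intelligence hit, correlates alerts on the same host within a time window (a chain of execution, persistence and command-and-control on one host scores higher than any single alert), and suppresses one analyst-approved false positive. The alerts, rule names, asset list, IP addresses and suppression entry are all constructed for illustration.

```python
"""Automated alert triage: classify, enrich, correlate, suppress (example code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts from a hypothetical SIEM, not real data.
ALERTS = [
    {"id": 1, "ts": "2021-09-21T10:00:00", "host": "WS-1042", "rule": "powershell_encoded_command", "dst_ip": "203.0.113.10"},
    {"id": 2, "ts": "2021-09-21T10:03:00", "host": "WS-1042", "rule": "new_scheduled_task",         "dst_ip": None},
    {"id": 3, "ts": "2021-09-21T10:05:00", "host": "WS-1042", "rule": "outbound_to_rare_ip",        "dst_ip": "203.0.113.10"},
    {"id": 4, "ts": "2021-09-21T11:00:00", "host": "BK-01",   "rule": "powershell_encoded_command", "dst_ip": None},
    {"id": 5, "ts": "2021-09-21T12:00:00", "host": "WS-2001", "rule": "outbound_to_rare_ip",        "dst_ip": "198.51.100.7"},
]

# Event analysis: map detection rules to a category (assumed mapping).
RULE_CATEGORY = {
    "powershell_encoded_command": "execution",
    "new_scheduled_task": "persistence",
    "outbound_to_rare_ip": "command_and_control",
}
# Enrichment sources (constructed): asset criticality 1..3 and a threat-intel IP list.
ASSET_CRITICALITY = {"WS-1042": 1, "WS-2001": 1, "BK-01": 3}
KNOWN_BAD_IPS = {"203.0.113.10"}
# Factor identification: analyst-approved suppression, keyed narrowly on (host, rule) rather
# than on the rule alone. The backup server legitimately runs encoded PowerShell from its agent.
SUPPRESSIONS = {("BK-01", "powershell_encoded_command")}
CORRELATION_WINDOW = timedelta(minutes=15)


def classify(alert):
    return dict(alert, category=RULE_CATEGORY.get(alert["rule"], "unknown"))


def enrich(alert):
    return dict(alert,
                criticality=ASSET_CRITICALITY.get(alert["host"], 2),  # unknown assets get a middle value
                intel_hit=alert["dst_ip"] in KNOWN_BAD_IPS)


def is_suppressed(alert):
    return (alert["host"], alert["rule"]) in SUPPRESSIONS


def correlate(alerts):
    """Count the distinct categories seen on the same host within the window of each alert."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    out = []
    for a in alerts:
        t = datetime.fromisoformat(a["ts"])
        neighbours = [b for b in by_host[a["host"]]
                      if abs(datetime.fromisoformat(b["ts"]) - t) <= CORRELATION_WINDOW]
        out.append(dict(a, chain_len=len({b["category"] for b in neighbours})))
    return out


def score(alert):
    """Simple additive priority: asset value, length of the attack chain, threat-intel match."""
    return alert["criticality"] + 2 * alert["chain_len"] + (3 if alert["intel_hit"] else 0)


def triage(alerts):
    """Return surviving alerts, highest priority first."""
    enriched = correlate([enrich(classify(a)) for a in alerts])
    kept = [dict(a, score=score(a)) for a in enriched if not is_suppressed(a)]
    return sorted(kept, key=lambda a: a["score"], reverse=True)


def suppressed_ids(alerts):
    """What the suppression list removed; review this output whenever a suppression is added."""
    return [a["id"] for a in alerts if is_suppressed(a)]


if __name__ == "__main__":
    for a in triage(ALERTS):
        print(f"score={a['score']:2d} id={a['id']} host={a['host']} {a['category']} chain={a['chain_len']}")
    print("suppressed:", suppressed_ids(ALERTS))
```

On the constructed alerts, the three alerts on WS-1042 form a chain of three categories and two of them also hit the intel list, so they rise to the top; the lone rare-IP alert on WS-2001 scores lowest; and the backup server's encoded PowerShell is dropped by the narrow suppression while the identical rule firing on a workstation is kept. That last property is the one worth checking every time the suppression list changes.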

Are we confusing threat hunting and log collection?

Log collection is one part of the larger threat hunting landscape. As threats are identified, they can be cross-referenced against historical data held in the logs, which lets the SOC trace the early stages of an attack and devise strategies to catch similar threats sooner.

So while threat hunting depends on log collection, the two are not the same, and we must not assume that one equals the other. In other words, having access to data and acting on that data to generate insights are two very different things.