What is MDR?
Managed Detection and Response (MDR) was created in response to the need for a service that could address cyber threats that traditional Managed Security Services (MSS) could not detect accurately and respond to. This service is a combination of technology and skills that deliver advanced threat detection, faster mitigation, deep threat analytics, global threat intelligence, and collaborative breach response 24x7x365.
It is important to remember, however, that MDR was not developed as a replacement for traditional MSS such as log monitoring, log management, security device management, and vulnerability scanning. MDR enhances MSS with focus on detecting and responding to breaches by making use of technology and services on security analytics, threat intelligence, and response orchestration that complement existing MSS technology.
Netswitch has been named by the Gartner Group as a market representative provider in the MDR space. Netswitch’ SaaS offering is based on the company’s Securli Advanced Threat Protection platform and SecurliXF extended threat intelligence service. The service correlates disparate data feeds from different sources to provide predictive threat intelligence along with monitoring, incident response and remediation capabilities.
Netswitch MDR service follows the NIST Framework for Improving Critical Infrastructure Cybersecurity or what is more popularly known as the Cybersecurity Framework.
What is the NIST or Cybersecurity Framework?
The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) developed a framework“with a focus on industries vital to national and economic security, including energy, banking, communications and the defense industrial base.”
This is a voluntary Framework that consists of standards, guidelines, and best practices to manage cybersecurity-related risk. It is a prioritized, flexible, and affordable approach that helps promote protection and resilience of critical cybersecurity infrastructure and other sectors that are important to the economy and national security.
This framework has been proven to be “flexible enough to be adopted voluntarily by large and small companies and organizations across all industry sectors, as well as by federal, state and local governments.”
The NIST or Cybersecurity network is a collaborative effort that involves stakeholders from government, industry, and academia.
In May 2017, President Trump issued the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, directing all federal agencies to use the Cybersecurity Framework.
How does Netswitch deliver MDR?
At Netswitch, we take a multi-layered security strategy called Defense-in-Depth. This concept is based on what is taught in the military that in battle, the enemy cannot easily break through a complex and multi-layered defense system.
Defense-in-depth, therefore, protects an organization’s most important data with many layers of security while less important data may be less restricted.
What is the benefit of Defense-in-Depth?
Having a multi-layered strategy means the organization can tailor security to different levels. Not all data needs to be completely secure. Proprietary and confidential information are typically the most critical assets of a company and these can be protected by the most restricted settings in Defense-in-Depth.
There is no single solution that can prevent a cyberattack on organizations. There will always be exploits and vulnerabilities. With Defense-in-Depth, even if one system fails, there are other systems that remain functioning.
Three-step defense-in-depth strategy for prevention and response to network attacks:
1. Use a smart firewall for external threats
A smart firewall offers more protection compared to a traditional firewall because it can look inside content rather than just block content based on sources and destination. It acts as your gatekeeper and first layer of defense shielding your organization from different types of attacks. It should stop unsolicited traffic from accessing your network and only allow responses to traffic originating from “known” sources.
A smart firewall can scan emails and catch malicious traffic coming into your network like rogue links to infected and intentionally harmful websites, attachments with malware, and phishing emails that manipulate recipients into providing credentials or divulging private data like passwords or key account information.
A smart firewall can also operate bidirectionally – it can also detect suspicious outbound traffic. It can catch embedded netbots that are trying to communicate out of their command centers. This allows you to catch infections on the way out and results in apprehending various instructional attacks like the working netbots in the Target Stores data breach.
Smart firewalls ignore network packet identity “claims” and actually look inside packets to see what they really contain. They can see if the packets are legitimate or if they have been corrupted. A smart firewall can block them if they contain malware or if they are impersonators.
A smart firewall can also identify and detect a compromised laptop inside your network through internal segmentation. If the compromised laptop has access to your public-facing web server trying to get to your mail server or database server, the smart firewall will block it and shut it down.
Smart firewalls contain sophisticated intrusion prevention technology (IPS) which monitors network traffic and all system activities looking for malicious activity. They can drop malicious packets, send alarms, reset connections, block traffic from extensive lists of known IP addresses, automatically correct cycling errors and fragmented packet streams while cleaning up unwanted transport layer messes.
Smart firewalls require initial configuration and ongoing tuning and maintenance so that they remain relevant to your environment. Different protocols and different applications using the same protocol will require different types of scrutiny. However, it is worth the effort. If your organization does not have the resources or does not want to maintain resources for that purpose, Netswitch can do it for you.
2. Network infection detection
After implementing a smart firewall solution, the next step is network protection. Even with the smart firewall in place, your organization is still vulnerable to attacks from other sources such as email and infected mobile devices.
These devices may be a corrupted USB memory stick or a wearable fitness device that can be used to download malware. Even a clean mobile phone can act as a conduit for pathogens and email remains an extremely popular way for hackers to trick recipients into downloading malicious code.
Organizations have anti-virus and software to deter malware infections but these programs often require daily or weekly updates and are always a step behind the latest malware and miss a significant portion of advanced threats.
Malware developers design their code and botnet ecosystems to self-update whenever they start getting detected. Antimalware software discovers and identify millions of malware variants but are always one generation behind and fail to spot the code that has been self-modified to avoid discovery. This makes them an ineffective layer of defense.
Netswitch uses one intrusion detection tool in particular in our managed security services called NetTrust. It examines the actual contents of the packets and works by performing real-time analysis of your organization’s network traffic and correlates suspicious network events to detect patterns that indicate the presence of malware.
NetTrust is designed to analyze events from routers, switches, firewalls and all other devices within the network so that you have real-time discovery of anomalistic behavior as it occurs at every point along the network.
A scoring system based on the number of malicious conditions is used to provide each host with a dynamic score that indicates the potential risk of the host at any given time. This scoring system is displayed in a simple and actionable reporting format.
3. Internal Threat Detection
After implementing a solid perimeter solution and taking care of your core network defenses, the last step is to address internal threats.
This type of threat is intentional and designed to steal intellectual property and valuable proprietary information like engineering drawings, software code, algorithms, etc.
Addressing this threat requires monitoring the behavior of the organization’s internal staff as well as external contractors and contract employees. Vendors and service providers should also be monitored as well as external databases that they use to store the data that they are working on, whether it is software code, research, trading data or customer account information.
According to the Kroll’s Global Fraud and Risk Report 10thAnnual Edition 2017/18, overall, 84% of surveyed executives report their company fell victim to at least one incident of fraud in the past 12 months, up from 82% in 2016. In addition, 86% of surveyed executives said their company experienced a cyber incident or information/data theft, loss, or attack in the last 12 months.
Employees who have access to sensitive information and are about to leave the company are high risk and most of the time, employers become aware of data theft only after these employees have resigned from their jobs.
Implementing technology to detect insider threat as it happens is another critical layer in your defense-in-depth security strategy and Netswitch has managed security solutions available to help organizations design and implement a layered security strategy specific to each company’s security needs.
Today’s organizations will go through digital transformation whether they like it or not and although there are clear benefits in this process, there are also drawbacks.
Attacks on your organization’s network are inevitable and your assets are vulnerable. It is, therefore, imperative that you protect your data and sensitive customer information.
Netswitch offers you a wide array of security solutions for all types of businesses.
Contact Netswitch today for a consultation.