With today's rapidly growing threat landscape, companies are at a higher risk of breaches than ever before. At the same time, the industry is experiencing an unprecedented talent and skills shortage, leaving companies with a big decision to make between outsourcing and insourcing.
Cisco Subject Matter Expert Zane West, Senior Director of Customer Experience Product Management, Security Services, discusses the importance of threat detection and response and how services can help SOC teams hunt, investigate, and remediate threats.
ZW: Globally, the industry is experiencing a talent shortage. A fully operational 27 x 7 x 365 SOC is about 27 people, and the cost of such a setup only becomes viable if you are an organization with at least 50K employees. Outsourcing areas of the SOC allows customers to focus on the talent they do have and optimize their costs. This provides the opportunity to focus that talent on the outcomes they want, whether it's more advanced and consistent threat mapping or implementing an update or patch. That decision must be based on the access to staff and talent that a customer has, in addition to the opportunities to streamline and be more effective.
ZW: If your outcome is to be more offensive and agile, then outsourcing elements of your SOC operation, like detect and response, is a great way to achieve that. By doing so, you gain standardization and consistency. You also gain access to use cases and defined playbooks you may not have been able to mature yourself.
ZW: MDR (Managed Detection and Response) is a SaaS offering that offers everything as a service, including the technology and platform. With more focus than the old MSSP model, MDR looks at technology with more of a specific purpose, like endpoint technologies, perimeter, and edge. Not only is there the managed detection element, but there is also the response element, like additional threat intelligence for enrichment to respond, as well as contextual information around assets and devices.
XDR is a more nuanced term, often seen as a technology or services discussion. Really, I think it is somewhere in the middle: it's a platform that serves as a single place for investigations. XDR looks at two or more control technologies, like endpoint and firewall, allows customers to have detection and response, visibility, and automated responses in a single platform, and allows everyone in the SOC to work from the same place.
ZW: MDR has a certain level of response. Largely automated, MDR can perform configuration changes or policy configuration changes to isolate endpoints, but it is largely limited, as has historically been the case with response detection services. With lateral traffic moving beyond endpoints, visibility can become blurred, causing companies to lose line of sight.
This is where XDR comes into play. With a combination of different technologies, XDR makes use of multiple vectors including flow data from endpoints and network along with email, identity and others, providing the much-needed visibility across the entire estate. This is especially important with recent increases in remote and hybrid work models.
ZW: The proactive element of the response is equally as important as the detection. Understanding and analyzing what happened after an incident is where most customers gain enormous value.
In sport, even on the offensive, you still need to practice. The best and most resilient organizations are practicing and planning for these threat responses all the time. They're doing tabletop exercises, breach assessments and penetration testing, not in isolation, but regularly, as a part of an information security management program. Exercises like cyber ranges that provide technical attack simulations allow companies to analyze how their people, processes, and technologies may work cohesively during an attack to detect and respond.
Another very important element to an offensive security strategy is the penetration test. This ability to look at your security from a holistic approach is extremely valuable. Organizations need to have continuous and programmatic testing of environments to understand where challenges are. Today, the penalties for exposing important PII (personally identifiable information) are huge. Having a programmatic approach to testing the environment is going to give measurable results, and the opportunity to improve. Using a supplier like Cisco or a partner can help remediate the challenges in the environment.
It's not a matter of if you will be breached, but when. Exercises like this drive continuous improvement, so companies know exactly where their weaknesses are and where they need to improve. If we can help reduce the time to respond, we can reduce the impact and ultimately, the cost of a breach.
Threat detection and response is critical to all organizations. Programmatic testing and continuous practice can provide the opportunity to improve, so your organization is better prepared and ready to handle any threats that come its way. The strongest defense is a strong offense, and a solid threat detection and response strategy can be what sets your security organization apart.
Threat detection and response services from Cisco, such as MDR and XDR, can provide opportunities to outsource tasks of a customer's Security Operations Center (SOC).