We continue the conversation with Fabian Franco, Senior Manager of Digital Forensic Incident Response (DFIR), Threat Hunting and Security Operations, OpenText, and Kevin Golas, Director of Worldwide Cyber Security Services, OpenText as they share their thoughts on how organizations can benefit from a managed detection and response solution and improve their post-breach response.
Q. How does Managed Detection and Response (MDR) compliment an Endpoint Detection and Response (EDR) solution?
FF: An Endpoint Detection and Response solution is a critical part of a Managed Detection and Response service. The EDR will pick up telemetry off managed endpoints and can also ingest network and DNS traffic, as well as OS Data Points that are being generated. This provides security analysts extended visibility and enables automation to be run on those data sets. MDR brings a human element into the equation. It’s still challenging for machine learning and AI to always predict every single type of attack. And if it could, antivirus would catch everything that is out there, which is not the case. In the Solar Winds attack, it was an incident response team that initially flagged that the breach was occurring, which shows the importance of having experienced teams looking at the data. EDR software can generate a lot of false positives making it hard to identify what alerts are actionable. While an MDR provides the human element by building rules tailored to the client’s network to make it more effective and efficient for them. OpenText MDR helps automate many of the SOC Tier 1 processes for our clients and includes both an EDR and SIEM as part of the solution.
Q. How does automation help reduce staff turnover and alert fatigue?
KG: What we see in the industry is a high turnover rate and shortage of security experts. Many SOC analysts are constantly looking for different jobs and new challenging opportunities that will help build their skillsets. Here at OpenText, we have a low 1% turnover rate within our MDR team. As a team we are only looking at tangible alerts, as opposed to other teams that are spending days running queries, looking at false positives and clearing them out. Our team is proactively involved in threat hunts and valuable skill-building activities. We also have the benefit of working with some of the best in the business and learning from each other. The team is motivated each day to be on the hunt for the latest malware. This type of work is much more rewarding compared to spending every day looking at a dashboard and clearing out alerts as they come in. Instead, OpenText MDR is automating the SOC Tier 1 analyst activities and doing actionable threat hunting. Every day we wake up excited to find new attack methods. We are always trying to stay ahead of the criminals and mitigate the risks for our customers.
Q. How can organizations improve their post-breach response?
FF: Once an organization knows that they have been breached, their response plan is critical to minimizing damages. OpenText MDR provides incident response services and can do the full investigation at the forensic level. That’s part of our digital forensic incident response retainers. That’s one of our differentiators from other MDR providers, we can help provide a clear understanding of how they were infected and investigate the incident. MDR teams should be able to address important questions including where the attackers moved latterly, what persistence techniques are being used, and was data exfiltrated? OpenText MDR provides a complete picture of what went on, and the team secures the network and then takes the steps to get clients back up to a running state as fast as possible. We excel at managing the entire investigation lifecycle and the benefit for clients is the expertise and technologies that are available in-house. Many MDR teams will go in and instruct customers to reimage the boxes and do a quick fix. They don’t solve the vulnerability or the hole in their network that lets the threat actors in. The attackers come right back in, and they get hacked in six months. This is a never-ending cycle of a quick patch, get hacked, another quick patch, and get hacked again. The value in using OpenText MDR to come in and help clean up your environment is that it immediately improves cyber resilience and reduces the chance of a repeat attack. When attackers return, they’re often trying new techniques to get into an environment again, and OpenText MDR can preemptively stop that activity from taking place. If they use Cassia RMM as one of their tools, OpenText MDR can do a threat hunt to proactively scan their environment and sweep the entire network looking for any signs of abnormal behavior or malicious malware in their environment that is not actively running.
KG: The Cybersecurity and Infrastructure Security Agency (CISA) recommends doing post-compromise threat hunts. I also highly recommend organizations do a threat hunt at least once or twice a year and following a breach. Threat hunts provide critical third-party validation, that the tools and the process flows that are in place are working properly and accurately. When it comes to a dormant infection, organizations need to be able to find it and find it fast. Having a threat hunt done alongside regular penetration testing is part of a good cyber hygiene program and is one of the best ways to detect unknown threats within your environment.
For more information on how MDR can detect and respond to threats in minutes visit OpenText Managed Detection and Response.
