Last updated at Tue, 09 Apr 2024 16:59:05 GMT

The goal of a detection and response (D&R) program is to act as quickly as possible to identify and remove threats while minimizing any fallout. Many organizations have identified the need for D&R as a critical piece of their security program, but it's often the hardest — and most costly — piece to implement and run.

As a result, D&R programs tend to suffer from common mistakes, and security teams often run into obstacles that hamper the value a solid program can deliver.

Recognizing this fact, our team of security experts at Rapid7 has put together a list of the top mistakes companies make in their D&R programs as well as tips to overcome or avoid them entirely.

1. Trying to analyze too much data

To have a successful and truly comprehensive D&R program, you should have complete visibility across your modern environment – from endpoints to users, cloud, network, and all other avenues attackers may enter. With all this visibility, you may think you need all the data you can get your hands on. The reality? Data “analysis paralysis” is real.

While data fuels detection and response, too much of it will leave you wading through thousands of false positives and alert noise, making it hard to focus on the needle in a haystack full of other needles. The more data, the harder it is to understand which of those needles are sharp and which are dull.

So it ends up being about collecting the right data without turning your program into an alert machine. It’s key to understand which event sources to connect to your SIEM or XDR platform and what information is the most relevant. Typically, you’re on the right path if you’re aligning your event sources with use cases. The most impactful event sources we usually see ingested are:

  • Endpoint agents (including start/stop processes)
  • DHCP
  • LDAP
  • DNS
  • Cloud services (O365, IIS, load balancers)
  • VPN
  • Firewall
  • Web proxy
  • Active Directory for user attribution
  • For even greater detail, throw on network sensors, IDS, deception technology, and other log types

At the end of the day, gaining visibility into your assets, understanding user behaviors, collecting system logs, and piecing it all together will help you build a clearer picture of your environment. But analyzing all that data can prove challenging, especially for larger-scale environments.

That's where Managed Security Service Providers (MSSP) and Managed Detection and Response (MDR) providers can come in to offload that element to a 24x7 team of experts.

2. Not prioritizing risks and outcomes

Not all D&R programs will focus on the same objectives. Different companies have different risks. For example, healthcare providers and retail chains will likely deal with threats unique to their respective industries. Hospitals, in particular, are prime targets for ransomware. Something as simple as not having two-factor authentication in place could leave a privileged account susceptible to a brute-force attack, creating wide-open access to medical records. It’s not overstating to say that could ultimately make it more difficult to save lives.

Taking this into account, your D&R program should identify the risks and outcomes that will directly impact your business. One of the big mistakes companies make is trying to cover all the bases while ignoring more targeted, industry-specific threats.

As mentioned above, healthcare is a heavily targeted industry. Phishing attacks like credential harvesting are extremely common. As we should all know by now, it can be disastrous for even one employee to click a suspicious link or open an attachment in an email. In the healthcare sector, customer and patient data were leaked about 58% of the time, or in about 25 out of 43 incidents. Adversaries can now move laterally with greater ease, quickly escalating privileges and getting what they want faster. And when extortion is the name of the game, the goal is often to disrupt mission-critical business operations. This can cripple a hospital's ability to run, holding data for ransom and attempting to tarnish a company’s reputation in the process.

3. Finding help in the wrong place

Building a modern security operations center (SOC) today requires significant investments. An internal 24x7 SOC operation essentially needs around a dozen security personnel, a comprehensive security playbook with best practices clearly defined and outlined, and a suite of security tools that all go toward providing 24/7 monitoring. Compound these requirements with the cybersecurity skills shortage, and not many organizations will be able to set up or manage an internal SOC, let alone helm a fully operational D&R program. In a recent Forrester Consulting Total Economic Impact™ (TEI) study commissioned by Rapid7, it was identified that Rapid7’s MDR service was able to prevent security teams from hiring five full-time analysts – each at an annual salary of at least $135,000.

There are two critical mistakes organizations make that can send D&R programs down the wrong path:

  • Choosing to go it all alone and set up your own SOC without the right people and expertise
  • Partnering with a provider that doesn't understand your needs or can't deliver on what they promise

Partnering with an MDR provider is an effective way to ramp up security monitoring capabilities and fill this gap. But first, it’s important to evaluate an MDR partner across the following criteria:

  • Headcount and expertise: How experienced are the MDR analysts? Does the provider offer alert triage and investigation as well as digital forensics and incident response (DFIR) expertise?
  • Technology: What level of visibility will you have across the environment? And what detection methods will be used to find threats?
  • Collaboration and partnership: What do daily/monthly service interactions look like? Is the provider simply focused on security operations, or will they also help you advance your maturity?
  • Threat hunting: Will they go beyond real-time threat monitoring and offer targeted, human-driven threat hunting for unknown threats?
  • Process and service expectations: How will they help you achieve rapid time-to-value?
  • Managed response and incident response (IR) expertise: How will they respond on your behalf, and what will they do if an incident becomes a breach?
  • Security orchestration, automation, and response (SOAR): Will they leverage SOAR to automate processes?
  • Pricing: Will they price their solution to ensure transparency, predictability, and value?

An extension of your team

Services like MDR can enable you to obtain 24/7, remotely delivered SOC capabilities when you have limited or no existing internal detection and response expertise or need to augment your existing security operations team.

The key questions and critical areas of consideration discussed above can help you find the MDR partner who will best serve your needs — one who will provide the necessary MDR capabilities that can serve your short- and long-term needs. After all, the most important thing is that your organization comes out the other side better protected in the face of today's threats.

Looking for more key considerations and questions to ask on your D&R journey to keeping your business secure? Check out our 2024 MDR Buyer's Guide that details everything you need to know about evaluating MDR solutions.

Additional reading:


Get the latest stories, expertise, and news about security today.