Today’s CISOs and their security teams face a wide range of considerations when evaluating both current and next-generation threat detection and response tool investments. Questions such as:
- Are we examining new technology for deployment or is this just a product reincarnation?
- What are the benefits of a consolidated approach like XDR?
- Will XDR truly, as advertised, replace the need for separate SIEM, SOAR, or EDR investments?
- How do these detection products interoperate in our environment?
- Are all these buzzwords just marketing hype?
Mitiga co-founder and CTO Ofer Maor addressed these high-level issues and more in his recent BrightTALK webinar, “Threat Detection & Response Tools: What Do All Those IR Buzzwords Mean?” The webinar builds on the discussions we heard in May at this year’s RSA Conference. Alongside questions about our proactive forensic data approach, many attendee exchanges in our booth touched on how well their threat detection and response solutions had performed when cloud and SaaS breaches occurred.
Here are several question-and-answer exchanges from the webinar that shed light on current detection and response solutions.
“Detection and prevention technology only goes so far”
Despite the array of security information and event management (SIEM), security orchestration, automation and response (SOAR), endpoint detection & response (EDR), and extended detection & response (XDR) tools, and service offerings such as managed detection & response (MDR) and managed security service providers (MSSPs), in Ofer’s assessment security remains “a cat and mouse game.”
“So what happens is all this detection technology and all the prevention technology only goes so far. It will block the majority of the attackers, the lower level ones, but the advanced attackers will always come up with a new technique, with something that you haven't seen yet, with something that circumvents the signatures and finds a way to get in, and then they will eventually break in,” Ofer summarized.
Citing a recent Security Advisory from the Mitiga Research Team, which spotted a sophisticated business email compromise campaign that leveraged inherent weaknesses in Microsoft 365 MFA, Microsoft Authenticator, and Microsoft 365 Identity Protection, Ofer noted that attackers use unconventional approaches to successfully breach long-established security technologies.
Threat detection and prevention technology complexity challenges most security teams
With all these solutions deployed, why are there still so many reported attacks? “Using them effectively across every single resource or every part of the organization is almost impossible, which is one of the reasons why we have major incidents,” Ofer responded to one questioner.
Alternatives organizations might consider include managed services, or hybrid technology-and-service offerings, that help them implement threat detection and prevention solutions more effectively across the whole environment.
Despite consolidation indicators, some customers feel they need more
In Ofer’s assessment, XDR essentially represents the technology approach that consolidates predecessor detection and response tools. The story will not end there, however.
“We're seeing now CDR, cloud detection and response startups. Why do these startups come to life? Because, despite the consolidation, we see that customers feel like they need more. That they don't get enough coverage. So some customers will optimize on consolidation, but some customers always optimize on high security, best-of-breed for each.”
Detection technologies lag in the cloud
When asked what threat detection trends should impact today's cyber security investments, Ofer counseled that since so many organizations have moved to the cloud, security teams should prioritize solutions that work well in today’s cloud and software as a service (SaaS) environments.
There's so much going on in terms of cloud attacks, including attacks that succeed because of simple misconfigurations. That's partly because we're in the early days of the cloud, so even simple mistakes are easy to exploit in large, complex environments. That's why cloud incident readiness and response is a great area to invest in.
Learn more about enhancing your cloud incident readiness.