Hello Readers! Today I wanted to share something very interesting that happened in Q4 2022 at our company, Query. We surveyed security professionals and came away with some major learnings that enabled me to write this blog. While the survey was broad, I will scope this blog to the top three investigation challenges that MDR customers face.

How the survey was conducted

We thought we would benefit from talking to and learning from analysts and SOC managers about the big problems they face in their work, so we set out to talk to a minimum of 50 cybersecurity analysts at mid-to-senior levels. Selection was random, provided the person held that job profile. While 50 may not sound like much, we spent an hour talking to each, so the quality of the deep-dive discussion was of greater value than the quantity of meetings held. We planned to expand the survey beyond the initial 50 if we didn’t find enough common patterns, but that scenario never arose.

The process involved us being purely in listener mode while they discussed their jobs to be done and the problems they faced. We didn’t share anything about our product or roadmap because we didn’t want to bias them in any direction. We would just have them talk and explain their pain points to our team, so this was very different from, and more refreshing than, traditional mass surveys with monotonous questionnaire forms offering 1-5 agreement levels on dubious predefined questions! This very organic, free-range process felt like it would lead to the best learnings, and it did; at least for us!

Learnings on MDR Investigation Challenges

Given the process above, we did not set out to ask specifically about MDRs, but MDR investigation challenges kept coming up in our conversations with analysts. In itself, that points to very high adoption of MDR services in the industry.

We did have learnings unrelated to MDR, but that’s a topic for another day. Today, let’s scope it to the three most common investigation challenges we heard from cybersecurity analysts who had experience working with an MDR.

Also note that this is not a ding on MDR providers. Rather, we found that organizations of all sizes and across multiple industries are increasingly embracing MDR providers and finding value in them. This is about bringing further improvements to aid that adoption.

Challenge 1: Cybersecurity data is everywhere and MDRs can’t easily monitor it

Whomever we talked to, their organization invariably had a hybrid environment with very decentralized data. The world is fast moving beyond traditional on-prem networks and physical data centers. Companies often have cloud-only environments, and even then they use multiple cloud infrastructure providers (Azure, AWS, GCP, …) and often have multiple accounts with the same provider for different needs. For example, we often heard that Corporate IT was using Azure while Operations was using multiple AWS accounts, each often spanning multiple regions. Add on top the mushrooming usage of vendor-hosted SaaS, and data was frequently outside the organization’s own cloud accounts altogether.

Data has always been distributed, but the cybersecurity team was centralizing logs and security events into a SIEM or data lake. We found that MDRs start by tapping into this security event data and the endpoint data. MDR onboarding is built around this minimum subset and often does not include contextual data from other systems of record, such as identity systems, ticketing systems, CMDB systems, and so on. Replicating context data from those systems of record was not found practical and was left for future scoping.

The MDR provider would often deploy connectors and sensors to collect and transmit data. This was typically done only for high-fidelity activity data such as authentication logs, not for high-volume data such as DNS logs. For cost reasons, the path we often heard was to scope down to replicating only alerts from the environment.

Challenge 2: A lot of investigation work gets pushed back to internal teams

Once onboarding on the defined subset was done and the service passed into operational status, we heard that the MDR was able to take the brunt of the monitoring load. Proper workflows and escalation processes were defined, operationalized and tested. The MDR was doing effective investigation and response on several classes of alerts, and also reduced false positives significantly. That’s the good news.

The bad news was that for the alerts in the gray area, the in-house team still needed to be staffed to investigate them. We heard from CISOs who had envisioned full outsourcing but had to scale back and ensure that enough in-house resources were available to investigate. MDR services scale by standardizing their monitoring processes across customers, and their limited user and business context meant they had to hand these alerts to the in-house team for review. The in-house team then had to look at and pivot across the broader data sources and multiple systems of record, and that took significant effort.

Challenge 3: Not at the desired forefront of preventing/detecting what matters most

We did come across success stories where the MDR service freed up the CISO’s in-house resources and the MDR continued to improve its SLAs and metrics. Results were good for detecting new or generic malware, because the MDR had tie-ins to additional threat intelligence and had staff looking at attacks across customers.

However, this didn’t give the CISO or their team confidence that the MDR would be able to prevent or detect the targeted attacks that matter most. The primary reason was the lack of entity, user, and business context. The scaling and standardization that the MDR provider was pursuing across its customers sometimes conflicted with gathering and understanding each customer’s specific context.

Depending on organizational size, budget, and the desired maturity of the cybersecurity program, we heard about a fork: CISOs who had the budget and mandate would leave the voluminous, mundane work to the MDR and then invest in an in-house senior analyst team to be at the forefront. Most others, especially in the mid and small tiers, were left with a gaping hole.

Summary and further from here

Organizations have begun to rely on their MDR providers, and for mid and small organizations that has often been the only path to standing up a decent cybersecurity monitoring service. CISOs should walk in fully aware of the benefits and the challenges as they continue to work with both their service providers and in-house teams to meet and raise their bars. We discussed some of the challenges that impede MDR program success.

Going forward, while there is no silver bullet, one process improvement to consider is an API-based approach to data that brings investigative context to MDRs without replicating or duplicating the underlying data. MDRs would then have an opportunity to reduce their own infrastructure costs, improve their margins, and provide a higher-fidelity detection service.
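To make the gray-area triage from Challenge 2 and the API-based context idea above concrete, here is an added illustration (my own example, not part of the original survey write-up or any Query product code). It takes an alert of the kind an MDR would forward, looks up the user in an identity directory, the host in a CMDB and any approved change ticket in an ITSM system, and only then decides whether the alert can be closed or must be escalated to the in-house team. The directory, CMDB, tickets and alerts are all constructed sample data, and the lookup functions are stand-ins for read-only API calls into those systems of record; nothing is copied into a second store.

```python
"""Enriching an MDR alert with context from systems of record before triage.

All data below is constructed for illustration. The lookup_* functions are
hypothetical stand-ins for read-only API calls to an IdP, a CMDB and an ITSM
system; in a real deployment they would query those systems in place rather
than relying on a replicated copy of their data.
"""
from datetime import datetime

# Constructed identity directory (stand-in for an IdP / HR system).
DIRECTORY = {
    "jdoe": {"department": "Finance", "privileged": False, "status": "active"},
    "svc-backup": {"department": "IT Ops", "privileged": True, "status": "active"},
}

# Constructed CMDB (stand-in for an asset inventory). Tier 1 = most critical.
CMDB = {
    "fin-db-01": {"owner_team": "Finance", "tier": 1},
    "dev-box-07": {"owner_team": "Engineering", "tier": 3},
}

# Constructed approved change tickets (stand-in for an ITSM system).
TICKETS = [
    {"id": "CHG-1001", "host": "fin-db-01", "requester": "jdoe", "state": "approved",
     "start": "2022-11-03T01:00:00Z", "end": "2022-11-03T03:00:00Z"},
]

# Constructed alerts as an MDR might forward them for in-house review.
ALERTS = [
    {"id": "A1", "rule": "Interactive logon outside business hours",
     "user": "jdoe", "host": "fin-db-01", "time": "2022-11-03T02:15:00Z"},
    {"id": "A2", "rule": "Interactive logon outside business hours",
     "user": "svc-backup", "host": "fin-db-01", "time": "2022-11-03T02:20:00Z"},
    {"id": "A3", "rule": "Interactive logon outside business hours",
     "user": "ghost", "host": "dev-box-07", "time": "2022-11-03T02:25:00Z"},
]


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def lookup_user(user: str):
    """Hypothetical identity API call; None means the account is unknown."""
    return DIRECTORY.get(user)


def lookup_asset(host: str):
    """Hypothetical CMDB API call; None means the host is not inventoried."""
    return CMDB.get(host)


def covering_ticket(host: str, user: str, when: str):
    """Hypothetical ITSM API call: an approved change by this user on this
    host whose window contains the alert time, or None."""
    t = _parse(when)
    for tk in TICKETS:
        if (tk["host"] == host and tk["requester"] == user
                and tk["state"] == "approved"
                and _parse(tk["start"]) <= t <= _parse(tk["end"])):
            return tk
    return None


def enrich(alert: dict) -> dict:
    """Return a copy of the alert with identity, asset and change context attached."""
    ctx = dict(alert)
    ctx["user_ctx"] = lookup_user(alert["user"])
    ctx["asset_ctx"] = lookup_asset(alert["host"])
    ctx["ticket"] = covering_ticket(alert["host"], alert["user"], alert["time"])
    return ctx


def triage(ctx: dict):
    """Decide 'close' or 'escalate' from the enriched alert, with reasons.
    Anything that cannot be explained by context goes to the in-house team."""
    user, asset, ticket = ctx["user_ctx"], ctx["asset_ctx"], ctx["ticket"]
    reasons = []
    if user is None or user["status"] != "active":
        reasons.append("unknown or inactive account")
    if asset is None:
        reasons.append("host not in CMDB")
    if user and user["privileged"]:
        reasons.append("privileged account")
    if asset and asset["tier"] == 1 and ticket is None:
        reasons.append("tier-1 asset with no covering change")
    if user and asset and user["department"] != asset["owner_team"] and ticket is None:
        reasons.append("user outside the asset's owner team")
    if reasons:
        return "escalate", reasons
    if ticket:
        return "close", [f"activity covered by approved change {ticket['id']}"]
    return "close", ["owner-team user on a non-critical asset"]


def triage_all(alerts=ALERTS) -> dict:
    """Map alert id -> (decision, reasons) for every alert."""
    return {a["id"]: triage(enrich(a)) for a in alerts}


if __name__ == "__main__":
    for alert_id, (decision, reasons) in triage_all().items():
        print(alert_id, decision, "; ".join(reasons))
```

Run as-is, A1 closes (the logon falls inside jdoe’s approved change window on a host owned by jdoe’s own team), A2 escalates (a privileged account on a tier-1 asset with no covering change and from a different team) and A3 escalates (an account the directory does not know). The point is that each of those decisions depends on data the MDR typically never receives during onboarding, which is exactly why such alerts land back on the in-house team when the context has to be fetched by hand.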
Does your organization use an MDR service? If so, I would love to get your take on the challenges you see, and whether you agree or disagree with what we heard and abstracted. Please reach out to me or contact Query (contact@query.ai) if you would like to discuss any of the above further.