
Can you Measure the Business Impact of Modern MDR Services?

Gartner estimates that by 2025, 50% of organizations will be using MDR services as an integral part of their workflow for threat monitoring, detection, and response (Source: Gartner Market Guide for Managed Detection and Response Services, 25 October 2021). As MDR crosses the chasm from niche offering to critical component of the Security Operations Center (SOC), it's time for more organizations to reflect on what "good" looks like for MDR, and on which metrics are most useful for tracking and understanding the value that MDR delivers. While it might be tempting to treat MDR services as a commodity, there is significant differentiation if you look at them through the right lens.

Defenders run a Never-ending Marathon

Today, many SOC metrics are built on a fundamental premise: there are active intruders in your environment who are working feverishly toward a goal, and will succeed in extracting sensitive information, encrypting data for ransom, or executing other forms of damage if defenders don't stop them first. With this mindset, defenders are in a continuous race, 24/7/365, to find and disrupt the adversaries before they can achieve their goal.

If this is the model your MDR follows, then it makes sense to measure effectiveness based primarily on speed. Common speed-based metrics include:

  • Time-to-Detect. How long does it take for defenders to identify that an intruder has gained access to the environment? Detection is based on a combination of technology automation as well as more human-driven techniques such as threat hunting.
  • Time-to-Contain. Once an intrusion is detected, defenders must work quickly to validate that it's a true threat and not a false positive. Once verified, analysts must perform additional research to understand the scope of the intrusion and then take fast and decisive action to contain the threat, eject the intruder, and stop future impacts.
  • Time-to-Recover. The defender's job doesn't stop once the intrusion is contained. Attacks often leave behind backdoors and persistence mechanisms that must be diligently hunted down and eliminated. Time continues to be critical during this phase, as the window may be open for an intruder to return, and business applications may remain unavailable until recovery can be completed.

Like many endpoint protection solution providers, Xcitium offers its technology bundled with a purpose-built MDR service to provide a complete, turnkey solution for managed endpoint protection, monitoring, and response. The combination of patented containment technology and human expertise is allowing Xcitium's customers to pivot away from traditional, reactive metrics and focus more energy on the outcomes that matter most.

Stepping Off the Treadmill

Xcitium has pioneered the concept of ZeroDwell Containment, which creates a completely new and different game for defenders. With ZeroDwell Containment, stealthy and sophisticated intruders may still make their way into an environment, but the malware and tools they use to execute their campaigns are contained using patented technology, so that unknown code is isolated from the point of execution rather than allowed to act on the host.

This security model fundamentally changes the way defenders operate, creating space for thought and proactive planning. If attackers are confined to a safe, contained environment, then defenders are free to deal with intrusions on their own time frame, not one dictated by the adversary. Time-to-contain shrinks to effectively zero for anything the technology contains by default, because containment happens automatically rather than after an analyst has validated the alert. Time-to-recover matters far less when contained code leaves no artifacts to clean up.

This leaves the question: what is the job of an MDR team when the technology has nearly eliminated the hardest part of their job? What can a team of experts accomplish when they're able to step off the treadmill and avoid the cybersecurity rat race entirely?

Operations Still Matter

If you're going to play this new game, you'd better be sure that everyone in your environment is operating in-bounds. It's critical that security leaders have the data they need to validate that the expected security controls are in place and the entire set of machinery is operating smoothly. In this world, operational metrics take on increased significance. Examples include:

  • Protection coverage: Job One is ensuring that security controls are universally and correctly deployed. This requires a comprehensive asset inventory, and the ability to audit for configuration and security updates. Driving high protection coverage gives defenders the space they need to breathe, and enables them to focus attention on the inevitable exceptions.
  • Volume of data collected: Tracking the volume of telemetry coming into the MDR provides a useful indicator to validate that collection is working properly. Anomalies such as significant deviations from historical baselines can quickly highlight security controls that are malfunctioning, and provide early warning of visibility gaps.
  • Volume of incidents: Keeping tabs on the number of incidents handled by your MDR service provides a high-level perspective on the overall threat landscape for your organization, and gives you a yardstick you can use to compare your organization to others and plan future cybersecurity investments. It is also an important measure of how much work the MDR service is doing on your behalf, and serves as a basis for ROI analysis.

Outcome metrics

Operational metrics help security leaders to monitor and ensure that security controls are deployed and operating properly. The more interesting MDR metrics for security leaders focus on the business outcomes driven by the MDR service. When done properly, outcome-based metrics provide a direct measure of value delivered by the MDR provider, help to drive continuous improvement, and enable executives to make informed decisions at renewal time. Metrics that measure outcomes for the business include:

  • Number of incidents requiring remediation: An effective MDR service will reliably identify intrusions and intercede before damage can occur. Ideally there should be no collateral damage, driving this metric close to zero. That said, the reality is that a sophisticated, determined intruder may find a way. Tracking the small number of incidents that have a negative outcome gives an excellent starting point for discussion about how to improve defenses and processes to achieve a stronger security posture.
  • Time spent by your internal team responding to incidents: When your MDR service uncovers an incident, what comes next? Do they handle it from beginning to end, or do they produce a summary and hand it off to your team for incident management? Understanding the effort your team is expending, and the impact your MDR service has on it, is a valuable measure of the real value you're receiving from the service provider.
  • What did we learn? Every encounter with an adversary provides an opportunity to learn by asking a series of questions: Did the attacker introduce any new or novel tradecraft? How did the attacker achieve their access? What controls could have stopped the intrusion at an earlier stage? Your MDR can help make this retrospective analysis easy by doing the analysis and providing recommendations for future security improvements.
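The speed metrics (time-to-detect, time-to-contain, time-to-recover), the operational metrics (protection coverage, telemetry volume, incident volume) and the outcome metrics above are easy to describe and surprisingly easy to get wrong in a report, for example by averaging incidents that have not yet been contained, or by counting an agent as "deployed" when it stopped checking in a week ago. The following is an added example, not code from Xcitium or from any MDR product, that computes each family of metrics from constructed sample records. The record layouts, field names and the 24-hour freshness window are assumptions made for the illustration.

```python
"""Compute the MDR metrics discussed above from incident, asset and telemetry
records. Added illustration; the record layouts and field names are assumptions,
not an Xcitium or any other vendor's API."""
from datetime import datetime, timedelta
from statistics import median

# Constructed sample incidents (not real data). Timestamps are ISO-8601 strings;
# None means the incident has not reached that stage, or the stage does not apply.
INCIDENTS = [
    {"id": "INC-1", "first_activity": "2024-03-01T08:00:00", "detected": "2024-03-01T08:05:00",
     "contained": "2024-03-01T08:05:00", "recovered": "2024-03-01T09:00:00",
     "true_positive": True, "auto_contained": True, "remediation_required": False,
     "internal_hours": 0.5},
    {"id": "INC-2", "first_activity": "2024-03-02T22:00:00", "detected": "2024-03-03T01:00:00",
     "contained": "2024-03-03T01:30:00", "recovered": "2024-03-03T06:30:00",
     "true_positive": True, "auto_contained": False, "remediation_required": True,
     "internal_hours": 6.0},
    {"id": "INC-3", "first_activity": None, "detected": "2024-03-04T10:00:00",
     "contained": None, "recovered": None,                       # false positive
     "true_positive": False, "auto_contained": False, "remediation_required": False,
     "internal_hours": 0.25},
    {"id": "INC-4", "first_activity": "2024-03-05T12:00:00", "detected": "2024-03-05T12:10:00",
     "contained": "2024-03-05T12:10:00", "recovered": None,      # still open
     "true_positive": True, "auto_contained": True, "remediation_required": False,
     "internal_hours": 1.0},
]
ASSETS = ["host-01", "host-02", "host-03", "host-04", "host-05"]   # constructed inventory
AGENT_CHECKINS = {"host-01": "2024-03-06T07:55:00", "host-02": "2024-03-06T07:50:00",
                  "host-03": "2024-03-01T00:00:00", "host-05": "2024-03-06T07:59:00",
                  "host-99": "2024-03-06T07:58:00"}                 # constructed last check-ins
TELEMETRY_PER_DAY = [1000, 1100, 950, 1050, 1000, 1020, 980, 400]   # constructed; today is last


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def _minutes(start, end):
    """Elapsed minutes between two ISO timestamps, or None if either is missing."""
    a, b = _ts(start), _ts(end)
    return (b - a).total_seconds() / 60 if a and b else None


def speed_metrics(incidents):
    """Median time-to-detect / contain / recover (minutes) over true positives.
    An incident that has not reached a stage is left out of that median and
    counted as open, instead of silently dragging the number down."""
    tps = [i for i in incidents if i["true_positive"]]
    ttd = [m for i in tps if (m := _minutes(i["first_activity"], i["detected"])) is not None]
    ttc = [m for i in tps if (m := _minutes(i["detected"], i["contained"])) is not None]
    ttr = [m for i in tps if (m := _minutes(i["contained"], i["recovered"])) is not None]
    return {
        "median_ttd_min": median(ttd) if ttd else None,
        "median_ttc_min": median(ttc) if ttc else None,
        "median_ttr_min": median(ttr) if ttr else None,
        "open_incidents": sum(1 for i in tps if i["recovered"] is None),
    }


def protection_coverage(assets, checkins, now, max_age=timedelta(hours=24)):
    """Share of inventoried assets with a fresh agent check-in. Also reports the
    gaps: assets with no or stale agent, and agents reporting from hosts that are
    not in the inventory (an inventory problem, not a coverage win)."""
    now = _ts(now)
    uncovered = [a for a in assets
                 if a not in checkins or now - _ts(checkins[a]) > max_age]
    unknown = sorted(set(checkins) - set(assets))
    pct = 100.0 * (len(assets) - len(uncovered)) / len(assets) if assets else 0.0
    return {"coverage_pct": round(pct, 1), "uncovered": uncovered, "unknown_agents": unknown}


def telemetry_deviation(daily_counts, threshold=0.5):
    """Compare today's telemetry volume with the median of the preceding days.
    A swing beyond the threshold is an early signal of a broken or flooding collector."""
    *history, today = daily_counts
    baseline = median(history)
    deviation = (today - baseline) / baseline
    return {"baseline": baseline, "deviation": deviation, "alert": abs(deviation) > threshold}


def outcome_metrics(incidents):
    """Business-facing counts: how many true positives needed real remediation, how
    many were contained automatically, and how much internal effort was spent."""
    tps = [i for i in incidents if i["true_positive"]]
    return {
        "incidents": len(incidents),
        "true_positives": len(tps),
        "auto_contained": sum(1 for i in tps if i["auto_contained"]),
        "requiring_remediation": sum(1 for i in tps if i["remediation_required"]),
        "internal_hours": sum(i["internal_hours"] for i in incidents),
    }


if __name__ == "__main__":
    print(speed_metrics(INCIDENTS))
    print(protection_coverage(ASSETS, AGENT_CHECKINS, "2024-03-06T08:00:00"))
    print(telemetry_deviation(TELEMETRY_PER_DAY))
    print(outcome_metrics(INCIDENTS))
```

On the sample data the median time-to-contain is zero because two of the three true positives were contained automatically at detection, while the one that needed a human took 30 minutes; reporting the median rather than the mean keeps a single slow case from hiding how the rest behaved. The coverage check deliberately counts a stale agent (host-03) as uncovered and flags an agent on a host missing from the inventory (host-99), since both are the kind of gap the "protection coverage" bullet asks you to audit for.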

While extremely valuable, these kinds of metrics are often hard to surface when your MDR provider is stuck in reactive mode, focused primarily on working through massive volumes of alerts in a timely manner. ZeroDwell Containment gives Xcitium's MDR analysts an unfair advantage by dramatically reducing the noise and false positives they must handle on a daily basis, which lets them help clients spend more time driving continuous improvement.

Drive Security Maturity with MDR

Tactical metrics such as time-to-detect measure how fast your defenders are running the race. This is useful information, but only two questions really matter: Did we win the race today? Are we positioned to win the race tomorrow?

Technologies such as Xcitium's ZeroDwell Containment allow security teams to uplevel the conversation, and move from tactical, reactive focus to more strategic and proactive metrics that business leaders can use to make informed decisions about programs moving forward.

Source: Xcitium