Some years ago, we were involved in the proof of concept (POC) of a malware protection solution at a prominent hospital. As the technical team put the software through its paces and tested various variants of malware for detection and response, everything appeared to be working well. The software was set to detect (but not block) any anomalous traffic through parts of the network.
The evaluation team, made up of IT administrators, took some days off to spend time with their families (it was that time between Christmas and New Year’s, when most organizations either shut down or the pace of business crawls). Thus, there was no one reviewing the console’s controls and reports.
Upon our return from the holidays, we looked at the historical data for the past week. The results were astounding, if not ominous. The console was ‘lit up like a Christmas tree’, as the lead investigator described it, with numerous instances of malware deeply embedded in the network.
It turned out that the network was deeply infected with multiple cases of malware, all of which were set to detonate on December 26th and then begin exploiting vulnerabilities to move laterally and seek information to exfiltrate. In fact, this makes perfect sense. If you are going to infect an organization (let alone a hospital), you’d want the impact to land when there are few (if any) staff on hand to clean infected machines. December 26th seems like a great candidate.
For the sake of brevity we won’t go into many details, but this was a perfect example of the need for a proactive, always-on cyber security service.
In fact, this has recently been dubbed Managed Detection and Response (MDR) by Gartner’s Anton Chuvakin. Now one of the fastest-growing areas within cyber security, MDR seeks to provide a service (as opposed to a product or tool) that actively monitors all available security controls, both customer-owned and proprietary to the service provider, in order to proactively hunt for threats and intruders inside organizations. The result is an outcome-based service in which providers use the available tools (commercial and proprietary) to actively hunt for threats inside organizations, in real time, acting as an extension of the organization’s IT department.
Stay tuned over the next few weeks as we write about the different controls, as well as services, that organizations need to employ in order to improve their security posture, and about the different variations available in the market.