Jason Straight on Managed Detection and Response

Jason is Senior Vice President and Chief Privacy Officer at UnitedLex.  In this role, Jason manages the company’s internal privacy program and leads the UnitedLex Cyber Risk Solutions practice, which provides strategic cyber security services to companies and law firms around the world.  As a recognized expert in his field, Jason is a frequent speaker and author on topics relating to cyber security, privacy, data risk management and data breach response. Before joining UnitedLex, Jason was a managing director in Kroll, Inc.’s Cyber Investigations Practice.  Prior to that, Jason held numerous positions at Kroll Ontrack, Inc. and was a member of the company’s executive team where, among other things, he led and managed the development of the company’s incident response and cyber investigations practice.  Jason began his legal career as an associate in the New York office of Fried, Frank, Harris, Shriver & Jacobson, LLP. 

Jason is admitted to practice law in New York State and is a member of the American Bar Association, where he is a member of the Science & Technology Law Section, and the New York City Bar Association, where he is a member of the Information Technology Law Committee, and the Task Force on National Security and the Law.  He is also an active member of the International Association of Privacy Professionals and is a Certified Information Privacy Professional (CIPP/US). 

LIFARS: What is Managed Detection & Response and who should care?

Jason: As the old security adage goes, “prevention is ideal, but detection is a must.”  Gartner recently defined a new security market segment called Managed Detection & Response (MDR), which follows this motto.  MDR is distinct from the larger (and older) Managed Security Services Provider (MSSP) market segment.  MDR providers are distinguishable from MSSPs in their focus on real-time incident detection and forensically sound response as opposed to alert-based monitoring.  While there is some overlap between MSSPs and MDR providers, notably the inclusion of a 24/7 network security monitoring component, an MDR service is designed to quickly detect threats that circumvent preventative perimeter controls and respond to them with decisive action or guidance that will neutralize the threat and minimize potential impact.  If your company needs more than just “eyes on glass” to tell you when you have an issue, you should consider using an MDR as a more effective way to reduce risk and proactively hunt for potential threats.

LIFARS: What kinds of threats is an MDR most effective at addressing or mitigating?

Jason: Since MDR focuses its attention on what is happening on your network and behind your firewall, MDR excels at non-signature-based detection of anomalous activity occurring on an endpoint or unusual communications or traffic between and among hosts on your network (including network-accessible cloud resources).  Correlating this anomalous activity with perimeter security data like DNS or firewall logs allows an MDR provider to maximize visibility into the dark corners of your network and enable you to respond rapidly to virtually any type of threat.  While detection of “advanced threats” that slip through perimeter controls is the most obvious use case for MDR, insider threat detection is also a major benefit of engaging an MDR service.  With the ability to correlate detailed endpoint data, user activity logs and perimeter security logs, an MDR can detect potentially malicious or simply careless activity by a user or machine, which can dramatically improve your ability to spot a malicious insider or a situation where a user account has been compromised.  At UnitedLex, our MDR service has detected and responded to threats as varied as ransomware, state-sponsored advanced threats and insider theft incidents.

LIFARS: What are the key technologies that underpin an MDR service?

Jason: MDR providers vary in the technology they deploy as part of the service so you should examine a provider’s offering closely.  UnitedLex’s approach is to first maximize the utility of any tools the customer has already deployed.  Many customers have perfectly good tools installed but are unable to unlock the full value of the technology due to resource limitations, misconfigurations or lack of interoperability.  UnitedLex uses advanced analytics and relies on the expertise of its security engineers to help clients tune their devices and feed our MDR team the most valuable security data to support the service.  For clients lacking certain important technologies, UnitedLex can include endpoint threat detection and response (ETDR) technology, a hosted SIEM platform, IDS and advanced packet inspection tools and many other technologies as part of the service.  The advantage is that the tools can be built into the cost of the service, saving 50-75% compared to the cost of licensing the tools separately and hiring staff to support them.

LIFARS: What is the best way to evaluate and compare MDR providers?

Jason: An MDR provider is only as good as the quality of its SOC analysts and incident responders.  In evaluating an MDR provider you should seek to interact with the analysts that would actually be supporting your company and should request a proof-of-concept trial to experience the service for yourself before you commit.  You should also ask about incident response experience and have the provider walk you through an IR scenario so you understand the level of support that the provider is capable of providing.  You should be confident that the MDR provider can help manage the full fallout from an incident, whether that means advanced forensics, remote and on-site incident response support, forensically sound evidence preservation, support for a legal or regulatory inquiry, or providing expert assistance in communicating with your executive team or board.  Forensic tools and experienced and certified forensic engineers should be integral to the service and shouldn’t require a separate “call out” to a hotline or support service.  Secondly, you should be wary of MDR providers that require you to rip and replace your existing tools with proprietary tools offered by the MDR provider.  The key to operating an effective MDR service is retaining the ability to integrate new tools and services to support the always-evolving threat landscape.  Getting yourself locked into an MDR’s proprietary tool might serve you well today but could leave you exposed tomorrow.