
Acronym Overload:
From SOC to MDR and XDR

Offensive clarity

As offensive security specialists for over 10 years, we have tested countless organisations who believe their SIEM, EDR or MDR provider offers them comprehensive defence, only to find them lacking in fundamental areas.

From our experience, some “traditional” in-house, yet adequately resourced, Security Operations Centres (SOCs) can still provide a robust defence, while others struggle to stay on top of emerging threats. Similarly, while some of the latest defensive iterations (MDR, XDR) present a tougher challenge, others fail to detect and respond to evolving tactics, techniques and procedures (TTPs). It’s clear that the newest acronym does not automatically equate to better security.

When EDR and MDR solutions were first implemented a decade ago, attacker dwell time (i.e. the time spent on a system from compromise to detection) was ~229 days. Now it’s less than 10 [1]. More sophisticated threats only need a few hours. See past a solution’s name – ensure your provider can fine-tune detection capabilities and is prepared to respond rapidly.

Attackers are becoming increasingly agile and elusive. We know – it’s our job to emulate them. As the vital activity of detecting and responding to attacks acquires new names, it becomes imperative for organisations to scrutinise the latest solutions, since the acronyms alone may inadvertently cause them to under- or over-invest in a new defensive solution.

How did we get here?

Due to expanding complexity and the need for swift response, most organisations today use technologies such as SIEMs (e.g. Microsoft Sentinel, Elastic, Splunk) and EDRs (e.g. Microsoft Defender for Endpoint) to analyse and monitor the huge volume of security data available across a modern organisation’s IT infrastructure.

When set up correctly, SIEM tools can automatically analyse vast amounts of security data from various sources to detect anomalies and potential threats. It is important to acknowledge, however, that automation doesn’t just happen. SIEM automation has to be built, implemented, and fine-tuned to match an environment.

Endpoint Detection and Response (EDR) was developed as a complementary tool to a SIEM. EDRs essentially act as a security guard stationed at an organisation’s endpoints (such as laptops and mobile devices), monitoring and proactively responding to suspicious activity by using the automated data a SIEM provides. Similarly, a defensive team who ‘set and forget’ their EDR will likely miss evolving threats, as EDRs rely heavily on continuous monitoring, updating, and fine-tuning.

SIEMs and EDRs are still essential for organisations. However, managing such complex environments and advanced tooling requires a diverse range of technical skills and operational processes that few organisations possess in-house. Increasingly, third-party managed detection and response (MDR) or extended detection and response (XDR) solutions are filling the gap.

Why automation and standard tools alone aren't enough

The rise of cloud computing, Internet of Things (IoT) devices, mobile devices, and remote work solutions means the ‘attack surface’ hackers can target has expanded dramatically in recent years. As sprawling IT networks enable attackers to evade detection, ‘controlling the battlefield’ has required the core capabilities of detection & response to become more sophisticated.

Even SIEM and SOAR solutions like Sentinel are often not fine-tuned enough to produce high-fidelity alerting, as many deployments simply utilise the out-of-the-box detections and first-party data sources. Add to that a general cyber security skills gap and high SOC analyst burnout rates, and organisations no longer have the resources or stimulating environment to retain the highly-skilled personnel they need.
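To make the point about out-of-the-box detections versus tuned ones concrete, the following is an added example (not code from the original article, nor from any SIEM vendor): a toy, SIEM-style detection engine run over a handful of constructed authentication log lines. The log format, the field names (user, src, outcome) and the account names are all assumptions made up for this example. The untuned rule alerts on every failed logon; the tuned rule alerts only when a threshold of failures inside a short window is followed by a success from the same source, and it skips accounts the team has documented as noisy. Same data, very different alert fidelity.

```python
"""Toy SIEM-style detection engine: an untuned rule beside a tuned one.

Added example, not code from the original article. All log lines below are
constructed; the key=value log format and the account names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data). One normal user
# typo (alice), a documented noisy service account (svc-backup), a burst of
# failures followed by a success from an external address (bob), and two
# isolated failures hours apart (carol).
SAMPLE_LOGS = [
    "2024-10-01T08:00:00 user=alice src=10.0.0.5 outcome=failure",
    "2024-10-01T08:00:30 user=alice src=10.0.0.5 outcome=success",
    "2024-10-01T08:05:00 user=svc-backup src=10.0.0.9 outcome=failure",
    "2024-10-01T08:05:01 user=svc-backup src=10.0.0.9 outcome=failure",
    "2024-10-01T08:05:02 user=svc-backup src=10.0.0.9 outcome=failure",
    "2024-10-01T09:00:00 user=bob src=203.0.113.7 outcome=failure",
    "2024-10-01T09:00:05 user=bob src=203.0.113.7 outcome=failure",
    "2024-10-01T09:00:10 user=bob src=203.0.113.7 outcome=failure",
    "2024-10-01T09:00:15 user=bob src=203.0.113.7 outcome=failure",
    "2024-10-01T09:00:20 user=bob src=203.0.113.7 outcome=failure",
    "2024-10-01T09:00:40 user=bob src=203.0.113.7 outcome=success",
    "2024-10-01T11:00:00 user=carol src=10.0.0.21 outcome=failure",
    "2024-10-01T15:00:00 user=carol src=10.0.0.21 outcome=failure",
]


def parse_event(line):
    """Parse one constructed 'timestamp key=value ...' line into a dict."""
    ts_str, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts_str)
    return event


def load_events(lines=SAMPLE_LOGS):
    return [parse_event(line) for line in lines]


def out_of_the_box_rule(events):
    """Untuned rule: every failed logon is an alert. Cheap to ship, noisy to run."""
    return [e for e in events if e["outcome"] == "failure"]


def tuned_rule(events, threshold=5, window=timedelta(minutes=2),
               known_noisy=frozenset()):
    """Tuned rule: one alert per (user, src) when at least `threshold` failures
    fall inside `window` and a success from the same source follows within that
    window. Accounts listed in `known_noisy` (documented by the team) are skipped."""
    by_key = defaultdict(list)
    for e in events:
        if e["user"] in known_noisy:
            continue
        by_key[(e["user"], e["src"])].append(e)

    alerts = []
    for (user, src), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e["ts"] for e in evs if e["outcome"] == "failure"]
        successes = [e["ts"] for e in evs if e["outcome"] == "success"]
        # Slide over consecutive failures and look for a qualifying burst.
        for i in range(len(failures) - threshold + 1):
            start, end = failures[i], failures[i + threshold - 1]
            if end - start > window:
                continue
            follow_up = [s for s in successes if end < s <= start + window]
            if follow_up:
                alerts.append({"user": user, "src": src,
                               "first_failure": start, "success": follow_up[0]})
                break  # one alert per (user, src), not one per failure
    return alerts


def compare_rules(lines=SAMPLE_LOGS, known_noisy=frozenset({"svc-backup"})):
    """Return the alert count each rule produces over the same events."""
    events = load_events(lines)
    return {
        "out_of_the_box": len(out_of_the_box_rule(events)),
        "tuned": len(tuned_rule(events, known_noisy=known_noisy)),
    }


if __name__ == "__main__":
    print(compare_rules())  # {'out_of_the_box': 11, 'tuned': 1}
    for a in tuned_rule(load_events(), known_noisy={"svc-backup"}):
        print(f"ALERT {a['user']} from {a['src']}: burst from "
              f"{a['first_failure']} ending in success at {a['success']}")
```

Over these thirteen events the untuned rule fires eleven times, ten of them on activity an analyst would close as benign; the tuned rule fires once, on the burst from the external address that ends in a successful logon. The threshold, window and noisy-account list are exactly the kind of environment-specific knowledge that has to be built and maintained rather than switched on.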

From an attacker’s perspective, it’s often about finding where the latest tactics, techniques and procedures (TTPs) can be used to exploit a vulnerability in a target organisation. A “traditional” in-house SOC equipped with the right threat intelligence to implement an appropriate detection in an environment will be more effective than a more “advanced” XDR provider who does not utilise intelligence or cannot conduct adequate threat hunting. 

Last year it took attackers, on average, less than a day (approximately 16 hours) to reach Active Directory (AD) [2], a critical asset for organisations, so threat hunting can no longer be a reactive afterthought. Dedicated resources are typically (but not always) assigned by MDR providers as part of day-to-day operations, while extended detection and response (XDR) providers will typically seek to integrate and correlate data from multiple sources to enhance threat hunts.

An honest appraisal of a ‘traditional’ SOC

When employees worked across on-premises networks, using desktops defended by basic firewalls, antivirus software, and simple intrusion detection systems, a single SOC analyst could monitor traffic and identify straightforward threats. But over time, business processes have become widely integrated with complex IT systems and organisations are far more distributed (to the point that some exist exclusively in the cloud).

With so many areas of the corporate network that attackers could exploit, SOC employees are subjected to incessant alerts and manual ticketing tasks. This ‘alert fatigue’ invariably leads to burnout after ~2 years on average. Many cyber security professionals start their careers in SOCs; however, after gaining experience in a formative role, the majority quickly move on to more consistent, higher-paying roles as they acquire advanced skills. This makes attracting and retaining skilled consultants a major challenge.

Detection & response providers have learned that in order to run a sustainable MDR or XDR service where analysts thrive in day-to-day operations, they need advanced technical challenges, R&D opportunities, and above all, the ability to demonstrate meaningful improvement in a client’s environment over time. The antidote to reactive and exhausting ‘alert fatigue’ is commonly called ‘continuous improvement’.

This may sound like a generic nice-to-have, but it’s now essential for detecting the ever-evolving attacker tactics, techniques and procedures (TTPs) that a static SOC team will fail to detect. A SOC will often focus solely on responding to existing detections using existing data sources, in contrast to a service that’s built with continuous improvement in mind.

Any organisation considering the creation or expansion of an internal SOC team should first ask itself the following questions:

  • Do you have security personnel who are driving continuous improvement?
  • Do you have the capacity to recruit and, more importantly, retain SOC analysts?
  • Do you have a Chief Information Security Officer (CISO), security architects, or personnel with threat hunting skills?

If the answer is no to any of these questions, that’s not unusual – but a SOC probably isn’t for you. Many organisations are under-resourced in these areas and have increasingly looked to managed services like MDR and XDR as more affordable and effective long-term solutions.

Final Takeaway

Irrespective of the solution, whether it’s an in-house SOC or more advanced external options like MDR, XDR or MXDR, any provider who claims they can implement an effective defence without the necessary insight derived from offensive testing is at best misguided.

Your organisation is a modern-day fortress. Perhaps you require higher walls with multiple layers of defence within—additional guard towers, inner walls, secure rooms, and skilled archers (e.g. deploying an MDR, XDR or other advanced tooling). But first one must consider:

  • Where is your defensive environment currently vulnerable?
  • What defences do you need to invest in to mitigate the latest threats?
  • Is each existing defensive element fine-tuned and prepared to withstand a real attack?

There are evidence-based ways that an organisation can identify and validate hypothetical security gaps prior to implementation.

Some form of end-to-end testing (e.g. Red Teaming, Purple Teaming) will provide an initial view of your organisation’s ‘attack surface’ from an external attacker’s perspective prior to selection – a more reliable starting point than blindly selecting and implementing technologies and services, which can further complicate security.

We touched on two key service components for any modern defensive solution – threat hunting and continuous improvement – which can vary significantly depending on the provider. As two essential service terms in danger of being misused to the point of obsolescence, we will delve into both as part of our next article focused on the current state of defensive cyber security solutions.
