Corporate IT and security teams have the unenviable task of keeping relentless and increasingly sophisticated adversaries at bay. They’re often faced with limited resources and expanding attack surfaces, but recruiting and retaining top-tier security professionals to run an in-house Security Operations Centre (SOC) is out of reach for many organizations. At the same time, threats continue to evolve and adversaries hone their techniques, leading to incidents that often grind business operations to a halt.
To avoid being caught on the back foot, defenders need an approach that’s proactive and combines prevention, detection and remediation with accurate and timely threat intelligence. If building that capability in-house is impractical, then renting or buying it as a service is a more realistic option. This isn’t a new concept, of course – smaller organizations have enjoyed the benefits of new IT innovations for decades through bureaux, managed services providers and cloud computing.
There’s a strong argument to be made for doing the same with advanced cybersecurity services, and this is where Managed Detection and Response (MDR) can make a major impact. MDR gives organizations a proactive, expert-driven and scalable threat monitoring and hunting capability, without the cost of an elite SOC. Not so long ago, an MDR was expensive and complex – if less so than a dedicated in-house set-up. It’s now increasingly practical for smaller organizations to consider, too.
We recently caught up with Director of ESET Threat Research Jean-Ian Boutin to talk about the work of his team, and how threat research and intelligence feed into MDR workflows. Jean-Ian also gave us a peek into where the combination of cutting-edge technology and human expertise provides the most practical value, especially for SMB environments.
What do most small business users gain from ESET Threat Research? How does that change when they use ESET MDR?
ESET has a threat research team spread across multiple regions; I’m with the team in Montreal, but we have researchers spread across Europe and in the US, too.
There’s stuff everyone can see: our publications on WeLiveSecurity, and talks and presentations at cybersecurity conferences worldwide.
Then there are things that only ESET business customers get: all kinds of “tips and tricks”; that is, information about threat actors: what they’re doing, how they’re operating – all things that help our customers stay safe.
When it comes to managed detection and response, threat intelligence is a key component that helps our detection and response team understand how the various threat actors are operating and how they can use that information to protect our customers from breaches.
We’ve talked a bit about the tip of the iceberg – all of the back end of MDR that users rarely see, but that is absolutely critical. Could you explain that?
The various alerts that might be occurring in your console will sometimes be endpoint detections that we want to investigate. And my team is responsible for making sure that all the new samples and threats are being handled and detected in customer environments. So part of the team’s role is really to make sure that all these new trends, all these new samples are looked at, investigated and then detected on our customers’ premises. This is one of the key aspects.
We take great care in organizing threat intelligence data on e-crime, ransomware, APT groups, and nation-state actors targeting global organizations. Our researchers use these insights to link new breaches with past cases.
They assess the severity of the breach as well, and we can also assess what could be the purpose behind the attack. It really gives the customer a complete view into what might have happened, whether or not a breach happened, or even the specific group that targeted them.
What does MDR add on top of existing ESET endpoint protection?
MDR is more tailored, and the relationship with the customer is improved and increased. But the output of my team is distributed across the entire product set.
There’s been some talk of ESET private reports recently: how relevant are they to what most small and midsize businesses face? Are they facing targeted attacks? What about nation-state actors?
The threat profile will vary from one organization to another, and a nation-state actor will typically have predefined goals, and they will be targeting victims that align well with those goals.
In terms of e-crime, this is broad. This is mass targeted. We see a lot of infostealers. We see a lot of ransomware as well.
So, our role is to understand how all these groups operate and make sure that if they have new techniques, we can actually act very swiftly and make sure that we block all the attempts.
This is the ultimate goal, but equally, so many threat actors are out there doing these types of things, and there are so many more families of malware. It’s really a daily job to make sure that the customers are protected. No shortage of work, definitely.
James Rodewald, one of ESET’s security analysts, uses this concept of triangulation: seeing something in the wild, hearing from an affected customer, and checking in with the threat intelligence team. An example he has used is an attack involving FamousSparrow. Can you elaborate on that from your perspective?
It’s important to have close relationships with the people who are actually dealing with these types of cases, because the main role of my team is to look at the telemetry, so the data is gathered from all the endpoints, and we are trying to find interesting cases, and the cases that we need to work on to improve the overall protection.
But sometimes the MDR team stumbles on something that we’ve seen in the past, and that also allows us to have a greater understanding of how the threat actor is actually operating.
In that specific case, that was eye-opening for us, because we hadn’t seen this threat actor for quite some time. Whenever there’s a case involving a customer using MDR, it’s better in terms of research, because the closer relationship with the customer means that we know more about their infrastructure, so we can help them better. We can have a better understanding of the impact of the case. And that is then fed to other threat intelligence customers, so we are trying to be as close as possible to all these teams and link these incidents so that we can improve our coverage and improve our understanding of all these threats.
You talked about the working relationships with the MDR analysts and the D&R (Detection and Response) team. How does that change the way that you do your work and your understanding of threats when you have that kind of one-to-one relationship with the analysts and maybe the customer as well?
It changes everything, because with MDR, we already have a working relationship with the person who’s in charge of security for this organization, so we can very rapidly understand the scope of the attack, what exactly happened, why the attackers were there, and so on.
The information available to us is exponentially greater than what we can get with regular endpoints. So for us, this relationship is invaluable in terms of insights, visibility and our understanding of the case.
There was something of a spate of attacks in the UK last year that compromised large organizations like Jaguar Land Rover and Marks & Spencer via outsourced helpdesk services. Small and midsized companies also have outsourced services like this as part of their supply chain, and often they’re also the less well-protected parts of a bigger company’s supply chain themselves. Should they be concerned?
The risk posed by supply chain attacks is significant. There have been numerous documented instances over the years where threat actors target vulnerabilities in the supply chain, often focusing on third-party providers with less stringent security measures. By compromising such providers, attackers may obtain initial access to an organization’s network.
With respect to MDR, an advantage is the extensive visibility it provides, ensuring a comprehensive view of all detections and alerts. This capability enables us to identify even minor anomalies more effectively. Given that our team continuously monitors these organizations for potential incidents, we are able to detect and respond to subtle threat actor errors promptly.
Supply chain attacks present significant challenges due to the difficulty in securing all third-party entities. However, implementing an effective solution enhances our ability to react swiftly and efficiently to such events.
As the head of a threat research team, what’s the difference that you see MDR having on customers? What’s the impact for an organization that has an MDR service, and an organization that might not necessarily make that leap just yet?
In general, as I’ve mentioned before, continuous visibility is much greater with MDR. If your organization is affected by a campaign, you’ll have better tools to piece together all the different actions taken by attackers and understand what they did within your network.
Simply put, MDR provides deeper insight into attacks. From a threat research standpoint, this is the top advantage, and another key reason to value such visibility is the speed of response. With MDR, there’s already a secure channel between researchers and your company, making it easier to reach someone who can take steps to contain a breach quickly.
Final question: What would you say to organizations that might think of MDR as too complicated or expensive?
MDR acts like an insurance policy, helping to identify threats such as ransomware early – often before major problems arise. Attackers typically use initial access brokers to gain entry, but several warning signs can be detected in advance. While paying a ransom is never advised, recovery can still be disruptive. MDR supports business continuity so you can keep focusing on your core offerings.
Thank you!
