Piecemeal Detection and Response (PDR) can manifest in various ways. The most common symptoms of PDR include:
- Multiple security information and event management (SIEM) tools (e.g., one on-premise and one in the cloud)
- Spending too much time or energy on integrating detection systems
- An underperforming security orchestration, automation and response (SOAR) system
- Automated response actions that are only possible on the endpoint
- Anomaly detection in silos (e.g., network separate from identity)
If any of these symptoms resonate with your organization, it’s time to address PDR.
I know what you’re thinking: PDR isn’t really a thing. You’re right. The security industry already has an overloaded number of “DR” terms (EDR, NDR, CDR, MDR, XDR, TDIR, etc.), and there is no industry PDR term, but the sentiment behind our playful acronym is certainly real. Case in point: count the “DR” acronyms in the previous sentence. The industry as a whole is fragmented, and this has resulted in many enterprises suffering from PDR.
Why PDR happens
PDR side effects often include malaise, restlessness, a sense of unmanaged risk, a willingness to get distracted by generative AI, a compulsion to attend conferences outside of the office and an uncharacteristic joyfulness when attending budget meetings. This all results from the fact that the road to recovery from PDR can often be difficult. How did you get PDR anyway?
PDR may have snuck into your security program. You were happy with your SIEM, and then endpoint detection and response (EDR) came along and demanded to run “outside the SIEM,” and you thought, “That’s not so bad.”
Then attack surface management (ASM) came along and didn’t integrate with anything, but you knew you couldn’t detect and respond to threats in assets that you don’t know about, so you needed to buy that stand-alone ASM tool.
Identity threat management came along, but it was only available from your current identity vendor and didn’t integrate with your user behavior analytics (UBA) system. Next thing you know, you’ve got PDR.
Five treatment goals for PDR
1. Consolidation
We’re not just talking about vendors, but tool and workflow consolidation. Most of the new security technologies you bought as an independent capability over the last 3-5 years have been paired or integrated by a vendor looking to capture market share by adding adjacent capabilities. Make sure you understand what can be “good enough” versus “best in class” when looking to consolidate capabilities. If you’re consolidating vendors, select vendors that first and foremost commit to extensibility and integration.
2. Proactive security
Instead of merely reacting to threats, focus on proactive measures. Reduce your attack surface by investing in exposure management. Establish a program that includes services such as code analysis, attack surface management, enterprise detection engineering, penetration testing, adversary simulation, threat hunting, and vulnerability management.
3. Zero trust in the cloud
You might be wondering how zero trust earned a spot in a detection and response to-do list. I recognize that distributed (aka federated) enterprise threat detection and response (TDR) is still maturing.
A common scenario today is a hybrid cloud environment that uses cloud-native security capabilities, but because extracting telemetry from the cloud hyperscalers is cost-prohibitive, the security team ends up supporting two disconnected detection environments. Until federated detection and response tooling improves, the best universal strategy is to use the cloud detection and response tooling needed to support the business transition to cloud, while focusing more security attention on prevention as you adopt cloud-native security capabilities. Ensure all the zero trust concepts you worked so hard to define and implement in your legacy environment also extend to your cloud environments.
4. Strategic planning
Take an inventory of your current PDR capabilities and define your future state. Realize that your strategy may need to play out over multiple years.
5. Threat management architect
Appoint a threat management architect with both technical expertise and the ability to evangelize security principles. They should understand the holistic concept of cyber resilience, which goes beyond backups and recovery to anticipating and preparing for threats while maintaining business continuity.
Seeking help from a PDR professional
If PDR is deeply embedded in your organization, consider enlisting the expertise of a PDR professional. Look for a professional with advanced capabilities who can enhance your existing investments rather than pushing for new software adoption. They should offer a range of services, including application and database security, and be well-versed in cloud environments. Ensure your chosen PDR professional can provide a comprehensive portfolio of services, spanning threat prevention to incident response.
Overcome PDR with threat detection and response services
IBM Consulting has services professionals who are certified PDR recovery professionals. The new Threat Detection and Response (TDR) service from IBM’s Cyber Threat Management Services is designed with many of the principles covered here. You don’t need to make a massive investment in AI; we’ve been doing that for years. You don’t need to rip and replace any of the investments you’ve made; we support the broadest ecosystem of vendors.
Starting with TDR is as simple as joining us for the webinar on November 1 to learn more, or reading the press release to learn how you can reduce cyber risk and lower incident costs by 65% with the Threat Detection and Response service. You can also check out our recent managed detection and response (MDR) market leadership in this KuppingerCole Report.
We’ll get you on the road to PDR recovery in no time.
The post Does your security program suffer from piecemeal detection and response? appeared first on Security Intelligence.