Post Syndicated from Jake Godgart original https://blog.rapid7.com/2022/07/11/rapid7-mdr-reduced-breaches-by-90-via-greater-efficiency-to-detect-investigate-respond-to-and-remediate-breaches/

When a security operations center (SOC) is operating at a deficit, they increase the possibility of beach reductions. That is, the likelihood they won’t be able to travel to any beaches – or any vacation destinations whatsoever – anytime in the near future. That can lead to burnout, which can lead to security talent loss, which can lead to the entire business being incredibly vulnerable.

So now let’s talk about breach reduction. As in, the charter of any security team.

No team can investigate every alert, but forging a valuable partnership with a Managed Detection and Response (MDR) provider can provide a turnkey solution and near-immediate headcount extension to your SOC.

A June 2022 Total Economic Impact™ study by Forrester Consulting commissioned by Rapid7 found that Rapid7’s SOC expertise – with XDR technology that generated improved visibility – enabled a composite organization using Rapid7 MDR to reduce the likelihood of a breach by 90% in the first year of partnership

The analysis was conducted using a hypothetical composite organization created for the purposes of the study, with insights gleaned from four real-life MDR customers. This composite reflects a security team profile we see often: a small team of two security analysts tasked with protecting 1,800 employees and 2,100 assets. We at Rapid7 see this as a tall order, but it’s one that (unfortunately) represents the state of security operations today.

The study concluded that partnering with Rapid7 MDR services experts enabled the composite organization to achieve end-to-end coverage and cut down on detection and response times. Let’s break down how Rapid7 MDR helped security teams reduce the likelihood of breaches by 90%.

1. Complete visibility into security environments

OK, so extended detection and response (XDR) isn’t exactly apples-to-apples with X-ray technology, but it’s an apt metaphor. Greater visibility, after all, helps to improve your overall security risk posture, and customers interviewed for the TEI study said their organizations were more secure thanks in part to this improved visibility. Rapid7’s InsightIDR uses its XDR superpowers to unify data from all over and beyond your modern environment, so it’s easier than ever to see and respond to a transgression.

The Rapid7 MDR team’s expertise in cloud-scalable XDR technology enables stronger signal-to-noise capabilities, so you only become aware of alerts that matter and get the peace of mind that comes from knowing we’ve got you covered. After all, being aware of a breach is better than not being aware of one – or having a customer alert you to the existence of a breach, which could lead to a different kind of breach: the relationship.

2. Detect and respond literally all day, every day

According to the Forrester TEI study, interviewed organizations had outdated technology that was used by staff to manually investigate each alert prior to partnering with Rapid7 MDR. These organizations’ security teams lacked expertise, were understaffed, and lacked visibility – the perfect storm to miss security incidents. Interviewees said there would be no way for them to implement a 24×7 detection and response program on their own without using Rapid7 MDR. As an interviewed director of information security for a financial services company said, “If we didn’t acquire Rapid7 MDR, I would have had to do a lot more manual work, and it would have kept me from other tasks.”  

With the modern proliferation of threats, the only thing to do is to have 24x7x365 coverage of your entire network. As referenced above, that can be expensive and near-impossible to maintain, unless you’re gaining leverage with the right MDR partner.

For example, with Rapid7 MDR, customers can opt in to Active Response, which enables our expert SOC analysts to respond to a validated threat on your behalf. The service also removes quite a few headaches, providing the flexibility to configure or cancel responses so that unauthorized quarantines occur less frequently (as they may with automated containment actions).

A customer SOC team will also have their own access to InsightIDR, the underlying technology of Rapid7’s MDR services. With the ability to also run your own investigations, your team will be able to see what we see, and follow along with the process. No black boxes or Wizard of Oz reenactments here.

These days we say that round-the-clock monitoring isn’t just important – it’s a must. A good MDR provider will be able to take on those duties, raising any incidents discovered and validated, day and night. In particular, Rapid7 utilizes a follow-the-sun methodology. This purpose-built monitoring engine leverages incident-response (IR) teams all over the world – Australia, Ireland, the United States, and more – to ensure awake and active detection and response experts are investigating security alerts and only notifying you when there’s an actual incident. From the SOC or remote locations, these IR teams can perform real-time log analysis, threat hunting, and alert validation, for any customer.

Redundancy is key here. Attackers never take a day off, but security professionals working 9 to 5 do. Whether it’s national holidays or vacation season, the majority of attacks occur around these specific times security experts might set their status to “away.”

3. Gain more freedom to focus their energy elsewhere

In the TEI study, Forrester found that Rapid7 MDR was able to provide security teams with greater information and curated alert detections, with the ability to block specific threats. MDR also improved response times to detections by providing teams with a security resource dedicated to security incidents that require any response. This meant internal security teams could focus on other priorities and business objectives without dealing with:

Alert triage and investigations

An interviewed senior cybersecurity analyst at a technology solutions firm said analysts previously spent three to four hours a day on alert management. Now, with MDR, that same process only takes 10 minutes of their time! That means the small team can focus on other elements of their security program knowing there’s another team of experts monitoring their environment around the clock.

Threat response

An interviewed CISO at a healthcare firm reported that their response could take up to two weeks prior to MDR. That’s a long time! With Rapid7 MDR, the security team was able to detect and respond in three days instead. The interviewed senior cybersecurity analyst from the technology solutions firm said response may have taken days prior to Rapid7 MDR, but now the security team can respond in 30 minutes! Greater efficiency (and faster response) meant lower likelihood of future breaches and lower impact of any breaches.

Post-detection reporting

The interviewed cybersecurity analyst from the technology solutions firm said that before Rapid7 MDR, it took an entire day to compile a quarterly executive summary and two monthly reports because it meant parsing through log data and finding the right information. Now with MDR, the report is created for them and their ability to create and deliver this to their team is more efficient. That means they can spend more time protecting the organization, not reporting.

4. $1.6 million in savings over 3 years

When an organization can reduce the likelihood of attacks by 90%, that can result in some serious ROI. How serious? The composite organization profiled in the Forrester study was able to see a breach cost avoidance – or savings – of $1.6 million over three years when partnered with Rapid7 MDR.

The composite organization saw an average of 2.5 incidents per year, with an average cost per security breach $654,846. This average cost included damage to brand equity and customer loyalty. We at Rapid7 are also cognizant of the mental toll those incidents take on the entire business, as well as the loss of forward momentum on any current initiatives – it all comes to a stop when a breach occurs and disrupts. This is why it’s critical to have a team spot threats early and respond to them quickly.

For the more advanced, large-scale breaches, sometimes it requires backup. Luckily, Rapid7 MDR now includes Unlimited IR to ensure major incidents are handled by our Digital Forensics and Incident Response (DFIR) experts. The merger of the MDR and IR Consulting teams accelerates a breach investigation by instantly pulling in senior-level IR experts to an emergency situation and ensuring the response is as efficient as possible.

Rapid7 MDR teams use our open-source DFIR tool, Velociraptor, the same tools and experience you’d receive if you called the breach hotline. These experts leverage multiple types of forensics (file-system, memory, and network), as well as attack intelligence and enhanced endpoint visibility to quickly organize and interpret data. Then? Kick the threat out and slam the door behind them.

Defense in depth

Beyond the need for agile detection and response abilities, preventive solutions are also of critical importance. At a device level, it is of course always prudent to ensure things like multifactor authentication (MFA), antivirus or NGAV (NextGen Antivirus) software, and/or an endpoint protection platform (EPP) – designed to detect suspicious behavior and stop attacks – are part of your preventive behavior.

At a more macro level (i.e., a SOC in the security organization of a Fortune 500 company independent of the Forrester study), the following preventive solutions should always be part of the mix:  

• Vulnerability Risk Management: It’s easier to detect and respond to the bad guys in the environment when you limit the number of doors they can walk through. Vulnerabilities are always at risk of exploitation. Managing that risk is what InsightVM was made to do. It helps to secure your entire attack surface with visibility and behavioral assessment of your network-wide assets, as well as analyzing business context so it can prioritize the most critical issues.
• Cloud Security: It takes cloud-native to protect cloud-based. InsightCloudSec provides visibility of all of your cloud assets in one, user-friendly place. Get immediate risk assessment with full context across infrastructure, orchestration, workload, and data tiers.    
• Application Security: More complex apps means more security required. With the ability to crawl and assess these modern web apps, InsightAppSec returns fewer false positives via features like the Universal Translator and its ability to bring flexibility to the security testing process. Finding threats with Dynamic Application Security Testing (DAST) – using the same exploits that an attacker would – is one of the keys to stopping web application-based attacks.
• Security Orchestration Automation and Response (SOAR): The composite organization from the Forrester study took advantage of Rapid7 MDR’s utilization of Active Response, Rapid7’s Security Orchestration, Automation, and Response (SOAR) technology, as well as skilled SOC experts to quickly respond to and remediate threats.  

By incorporating preventive and responsive solutions, you’ll work less by working smarter. Which, oftentimes, means letting someone else take on key aspects of your program. You can read the entire Forrester TEI study to get the deep-dive from interviewed customers – along with the numbers and stories they shared – on Rapid7 MDR.

But what the study does not quantify is Rapid7’s commitment to partnering with our customers to improve their security maturity, providing expertise that drives returns for your detection and response program where and when you need it. Considering MDR but don’t know where to start? We put together an MDR Buyer’s Guide that includes priority questions to ask when you’re seeking the right partner.

Additional reading:

• Today’s SOC Strategies Will Soon Be Inadequate
• What’s New in InsightIDR: Q2 2022 in Review
• Velociraptor Version 0.6.5: Table Transformations, Multi-Lingual Support, and Better VQL Error-Handling Let You Dig Deeper Than Ever
• Rapid7 MDR Delivered 549% ROI via Headcount Avoidance, Time Savings, and Breach Risk Reduction

Post Syndicated from Jake Godgart original https://blog.rapid7.com/2022/06/23/rapid7-mdr-delivered-549-roi-via-headcount-avoidance-time-savings-and-breach-risk-reduction/

In-house security organizations these days are operating at an extreme deficit. Skeleton crews are running entire security operations centers (SOCs). A constant barrage of alerts is making it difficult for these teams to detect and investigate every alert and stay ahead of today’s evolving threats. The odds are heavily in favor of the attacker.

But there is hope. Managed security service providers (MSSPs) – and more specifically, managed detection and response (MDR) providers – enable access to specialized detection and response expertise and headcount, bypassing the talent- and skill-gap challenges that plague the industry.

MDR offers a way for internal security teams to extend their capabilities in threat detection, alert triage, malware analysis, incident investigation, and response capabilities quickly and at scale. For under-resourced teams, MDR is a turnkey solution for a fully operational SOC at a fraction of the cost to build one out internally. How much, exactly?

A June 2022 Total Economic Impact™ study by Forrester Consulting commissioned by Rapid7 found that Rapid7’s “secret sauce” – a blend of extended detection and response (XDR) technology, improved visibility, and SOC expertise – enabled a composite Rapid7 MDR customer to capture an estimated 549% return on their investment (ROI) over three years and to see a payback for that investment in less than 3 months! That’s almost a 5.5x ROI!

The analysis was conducted using a hypothetical composite organization created for the purposes of the study, using insights gleaned from four real-life MDR customers. This composite reflects a security team profile we see often: a small team of two security professionals tasked with protecting 1,800 employees and 2,100 assets. A tall order, and one that (unfortunately) represents the state of security operations today.

The study concluded that Rapid7 MDR services experts integrate with an existing security organization to quickly cut down on detection and response times. Subsequently, the interviewed customers saw substantial returns from working alongside the MDR team as a trusted partner to mature their program.

Here are four key takeaways from the Forrester Consulting study.

Rapid7 MDR offered improved visibility through XDR technology

Detection can only be as good as the visibility the technology provides and what’s being monitored. In the words of an interviewed director of information security for a financial services company, “I didn’t have full visibility into the security activity of all devices across my enterprise. It was a ‘fingers-crossed’ [hope] that there isn’t something going on within my network.”

Luckily, MDR as a partner can ensure complete monitoring and visibility across the entire environment – comprehensive coverage to detect across all endpoints, user accounts, network traffic, deception technologies, the cloud, and more – offering a winning strategy.

In the study, Forrester found that Rapid7 MDR utilizes XDR capabilities to help customers see beyond the confines of a traditional security information and event management (SIEM) and endpoint detection and response (EDR) tools, with coverage across the entire modern environment.

Combined with the latest threat intelligence and machine learning to continuously analyze attacker activity, the MDR provider can help you anticipate that threat and form a more proactive response. That’s a winning strategy.

Rapid7 MDR saved time for security teams

Alerts can fire constantly. Each of them needs triaging and investigation. Every confirmed incident then needs a response plan, remediation, mitigation actions, and a post-incident report. The challenge is, all of this takes time.

With MDR, those alerts are handled without spending countless cycles from the customer’s internal teams. Investigation, response, and reporting are, too. This frees up the security team to focus on other aspects of their program.

Going from understaffed to capably staffed can be an incredible time saver. As a director of information security in financial services said to Forrester, “If we didn’t acquire MDR, I would have had to do a lot more manual work and it would have kept me from other tasks.”

The Forrester study concluded that Rapid7 MDR – by providing improved focus and outsourcing of detection and response activities – reduced the amount of time spent by:

• 87.5% on alert investigation
• 97.5% on response, remediation, and recovery
• 83.3% on research and reporting

Rapid7 MDR helped avoid the hefty costs of hiring security talent

The Gartner® 2021 SOC Model Guide report suggests that “by 2025, 33% of organizations that currently have internal security functions will attempt and fail to build an effective internal SOC due to resource constraints, such as lack of budget, expertise, and staffing.” This is partially because of the difficulty to hire and retain top detection and response talent.

Hiring a full SOC team is incredibly expensive. For example, the Gartner SOC Model Guide suggested an industry benchmark closer to “at least 10-12 personnel for 24/7 coverage,” with the Forrester TEI study placing one full-time employee (FTE) at $135,000 annually.

Because of this, many teams are turning to MDR to implement a hybrid-SOC model that integrates an MDR SOC alongside an internal SOC team. Gartner suggests, “By 2025, 90% of SOCs in the G2000 will use a hybrid model by outsourcing at least 50% of the operational workload.” This approach has certainly become the most optimal and economic option.

Partnering with an MDR provider is certainly one way to avoid prohibitive time and hiring costs. According to the Forrester Consulting study, Rapid7 was able to save the composite organization $1.5 million over the course of three years by avoiding the need to hire five full-time security analysts in order to achieve 24×7 coverage (in year 1). And those numbers might be low compared to other industry SOC FTE benchmarks.

Rapid7 MDR greatly reduced the risk of a security breach

There will always be new zero-days, new TTPs, and emerging threats that make it impossible to prevent (and stop) every breach. The Forrester Consulting Cost Of A Cybersecurity Breach Survey from 2020 Q4 estimated that an organization will have an average of 2.5 significant security breaches each year with an average cost of $654,846 per breach.

That’s where partnering with an MDR provider can help reduce that number. In fact, the Forrester study notes that Rapid7 MDR reduced the likelihood of a major security breach by 90% for the composite organization!

At Rapid7, some of our MDR capabilities that help prevent breaches from occurring are:

• XDR technology to see complete visibility across your attack surface (with an ability for customers to have full access to InsightIDR for log search, data storage, reporting, and more)
• 24x7x365 monitoring of the environment from a global, follow-the-sun SOC team of detection and response experts
• Proactive, hypothesis-driven threat hunts from human MDR analysts
• Active Response to contain assets and users instantly when there’s a validated incident

What about the 10% of incidents that get through? We at Rapid7 offer an industry-first, unlimited Incident/Breach Response baked into our MDR service, leveraging our integrated Digital Forensics and Incident Response (DFIR) team to ensure we’re able to assist customers with any security incident, no matter how minor or major.

All of this is why a director of information security in financial services who was interviewed for the Forrester study said, “I’d say we’re 100% more prepared to handle a security incident with Rapid7 MDR.”

MDROI

Ultimately, the goal of the security department is to invest in technology and services that help protect the organization. But when that investment is able to positively impact the company’s bottom line, it’s a win-win.

It’s not just about alleviating some of the stress on the security team. It’s also about having access to that MDR provider’s technology, their library of advanced detection methodologies and resources, and the collaboration that can lead to strengthening your security posture.

You can read the entire Forrester TEI study to get the full breakdown on Rapid7 MDR alongside the numbers and stories from customers.

But what the study does not quantify is our commitment to partnering with our customers to improve their security maturity, providing expertise that drives returns for your detection and response program where and when you need it.

Considering MDR but don’t know where to start? We put together an MDR Buyer’s Guide that includes the questions to ask and what to look for to help the decision-making process.

Forrester Consulting Study, “The Total Economic Impact™ Of Rapid7 Managed Detection And Response (MDR)” commissioned by Rapid7.

The Gartner® 2021 SOC Model Guide, 19 October 2021, John Collins, Mitchell Schneider, Pete Shoard

Gartner® is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Additional reading:

• The Average SIEM Deployment Takes 6 Months. Don’t Be Average.
• DFIR Without Limits: Moving Beyond the “Sucker’s Choice” of Today’s Breach Response Services
• Are You in the 2.5% Who Meet This Cybersecurity Job Requirement?
• MDR, MEDR, SOCaaS: Which Is Right for You?