August 1, 2024 By Jennifer Gregory 4 min read

In recent years, managed detection and response (MDR) has evolved significantly in its ability to reduce organizations’ risk of cyberattacks proactively. In the recent 2024 IDC Worldwide Managed Detection and Response Vendor Assessment, respondents noted that employees of MDR providers felt like extensions of their own teams.

An MDR vendor lowers network exposure by using tools such as the SIEM and endpoint event logs to manage security controls. Beyond those tools, the MDR team monitors endpoint devices and correlates endpoint activity with telemetry and signals from other controls. When suspicious behavior is spotted through threat hunting and triage, the team prioritizes where to hunt for threat actors proactively.

Because an MDR cannot detect every single attack, the goal is to give the company more high-fidelity detection opportunities along an attack life cycle or attack path at which to spot an attacker. For example, an effective MDR vendor can more quickly spot a cyber criminal who has elevated their permissions and is going after sensitive data. With the extra time gained, the vendor can often evict the criminal before the data set is breached or service is disrupted.

Ensuring the MDR is set up most effectively through red teaming

Chris Thompson, Global Head of IBM X-Force Red at IBM, says that some companies simply install an MDR and leave it. However, you must ensure that the MDR is optimized for your environment, such as ingesting the right logs and using the correct custom-built detection alerts on top of the SIEM. He recommends using both red teaming and MDR as part of a proactive cybersecurity approach.

“With red teaming, you are getting a sparring partner to evaluate whether or not the security controls that the MDR team manages are working as intended,” says Thompson. “Red teaming can provide validation that a particular tool is working correctly or identify that it hasn’t been deployed correctly. It also can determine if a tool hasn’t been tuned and customized to the environment correctly.”


How red teaming evaluates your MDR

Many mistakenly assume that a complicated network means attackers will struggle to get up to speed on how to target an internal system. For example, a bank with a capital markets division may think that its complex networks make it too hard for a cyber criminal to steal trading algorithms or access trade data.

“Red teaming challenges these assumptions on how well protected a network is. It also tests if the security controls that are in place are configured and operating correctly as well as whether the monitoring teams are effective,” says Thompson.

Red teaming, which typically takes one to three months, depending on the complexity of the objectives, simulates an advanced adversary and validates if the key elements of the network are working correctly. The team starts by evaluating the threat actor groups that are typically targeting the industry and interested in a certain subset of data or disruption of service. Next, the team ensures that they can detect the least sophisticated threat actors likely to be targeting the company.

This happens by simulating a threat actor at several levels of sophistication to gauge how sophisticated an attacker the controls can handle and how effective those controls are. The results of these simulations show where the team needs to focus remediation efforts and proactively identify gaps, such as a portion of devices on your network that are not sending telemetry.

Thompson says that his team commonly sees miscommunication between MDR vendors and the internal blue team. With a realistic end-to-end attack, they can show that a team didn’t hand off the alert properly or the team didn’t configure event logs to be correctly ingested. He finds that proactively identifying the gaps revealed in a simulated attack can prevent vulnerabilities from leading to serious real-world issues in the event of a compromised network.
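One concrete way to look for the telemetry gaps Thompson describes, as an added example that is not from the article or from IBM: compare the asset inventory against the SIEM's per-host last-event time and report hosts that have never reported or have gone silent, grouped by subnet so an un-onboarded segment stands out. Host names, addresses and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_interface

# Constructed asset inventory (hypothetical hosts and addresses).
INVENTORY = {
    "ws-fin-01": "10.20.1.11",
    "ws-fin-02": "10.20.1.12",
    "srv-trade-01": "10.20.5.20",
    "srv-trade-02": "10.20.5.21",
    "srv-trade-03": "10.20.5.22",
    "dc-01": "10.20.0.5",
}

# Constructed SIEM log-source view: last event received per host (UTC).
# Hosts absent from this table have never been ingested by the SIEM.
LAST_SEEN = {
    "ws-fin-01": datetime(2024, 8, 1, 9, 30, tzinfo=timezone.utc),
    "ws-fin-02": datetime(2024, 8, 1, 9, 45, tzinfo=timezone.utc),
    "srv-trade-01": datetime(2024, 7, 28, 2, 0, tzinfo=timezone.utc),
    "dc-01": datetime(2024, 8, 1, 9, 50, tzinfo=timezone.utc),
}

# Constructed reference time for the report.
NOW = datetime(2024, 8, 1, 10, 0, tzinfo=timezone.utc)


def telemetry_gaps(inventory, last_seen, now, max_age=timedelta(hours=24)):
    """Classify every inventoried host as 'ok', 'stale' (silent for longer
    than max_age) or 'never' (no event ever ingested). Returns {status: [hosts]}."""
    result = {"ok": [], "stale": [], "never": []}
    for host in sorted(inventory):
        seen = last_seen.get(host)
        if seen is None:
            result["never"].append(host)
        elif now - seen > max_age:
            result["stale"].append(host)
        else:
            result["ok"].append(host)
    return result


def gaps_by_subnet(gaps, inventory, prefix=24):
    """Count silent hosts per subnet: a whole segment with no coverage
    (e.g. a VLAN never onboarded) looks different from one failed agent."""
    counts = {}
    for host in gaps["stale"] + gaps["never"]:
        net = str(ip_interface(f"{inventory[host]}/{prefix}").network)
        counts[net] = counts.get(net, 0) + 1
    return counts


if __name__ == "__main__":
    gaps = telemetry_gaps(INVENTORY, LAST_SEEN, NOW)
    print(gaps)
    print(gaps_by_subnet(gaps, INVENTORY))
```

In a real deployment the two tables would come from the CMDB and the SIEM's log-source health API, and a red team exercise that lands on a host in the "never" or "stale" list should produce no MDR alert at all, which is exactly the gap to close.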

“Over time, red teaming works to mature your ability to detect and respond to more and more sophisticated threat actors as you mature your internal security program,” says Thompson. “The goal is to ultimately reduce the time it takes to spot and evict an attacker that successfully gains a foothold in your network, for example, by spear phishing or compromising an externally exposed service.”

Further reducing vulnerabilities through AI

AI in cybersecurity is often viewed as a two-edged sword. On one hand, attackers are using AI to move faster, such as with open-source toolkit attacks, and to craft attacks in multiple languages that evade detection. Thompson says that in the future, he expects to see AI used offensively to conduct attacks faster and to automate some of the attackers' actions.

On the opposite side, AI is also being used defensively in MDR solutions to help triage events and investigate them faster. However, Thompson recommends that companies validate the claims of MDR providers. He says that if the AI is not properly vetted, the tool can miss detections, misclassify alerts, downgrade alerts or miss correlations that a human MDR investigator would spot.

“Both of these types of issues can be simulated and verified through red teaming to ensure that the MDR vendor isn’t overly relying on AI,” says Thompson. “On the offensive, you can validate that the MDR is prepared to detect and respond to modern, more AI-assisted attacks.”

Where red team testing and MDR intersect

IDC stated that most MDR buyers prefer to have a separate provider handle offensive security testing such as red team engagements. Companies often feel this provides the neutrality needed for successful red team testing. However, the report also noted that an organization could use IBM for red team exercises, even though it is rare for an organization to use its own MDR provider for offensive security testing. The reason given was that IBM’s large size makes an independent red team possible.

Thompson said that many organizations, including IBM, are able to successfully provide independent evaluations of their own MDR solutions through red teaming. The key, he explained, is that the teams operate completely separately, without interactions or overlap. Thompson recommended that companies considering using the same vendor for both be sure that the vendor offers the best services for the specific circumstances.

“MDR is only part of what makes a mature security program within an organization. Having an MDR vendor that you trust monitoring a tier-one EDR solution, properly incorporating telemetry from other security controls and correlating that in your SIEM are all key to the success of an effective blue team and security program,” says Thompson. “However, it’s important to not rely on just the vendor to be responsible for all the detections, because there are a lot of pieces to take into consideration. Red teaming really helps validate some of those assumptions on how mature the controls are and who’s effectively responsible for monitoring them end to end.”
