Cyberattacks continue to increase. In 2020, 77% of IT leaders reported an uptick in how often cyberattacks were happening, according to Cybersecurity Magazine. Despite the rise in attacks, companies had to cut headcounts, leading to an additional burden on IT teams. In 2021, 83% of IT leaders were considering outsourcing their security needs, likely because they couldn’t properly manage so many threats.
Although outsourcing security significantly reduces the workload on internal teams, choosing the right outsourced solution can be difficult, given the number of existing options.
When selecting an outsourced security vendor, a key element to look for is the level of response the outsourced partner offers. Outsourced security providers typically offer three services:
- Managed Security Service (MSS)
- Managed detection and response (MDR)
- Extended detection and response (XDR)
Unfortunately, no certification process exists to confirm the level of response these vendors actually offer. If you want to know what level of response your cybersecurity vendor is delivering, you need to understand what each level entails to have an informed conversation. The more educated you are as a buyer, the better you can optimize for your team’s needs.
In this article, we’re going to define what response means in a cybersecurity context and explain clearly what the three levels of response are.
What is “response” in a cybersecurity context?
In a cybersecurity context, response refers to the entire process of detecting, containing, eradicating, recovering, and learning from cybersecurity incidents. Any comprehensive response strategy must include the following four stages:
- Detection and analysis
- Recovery and post-mortem
In the first stage, the response team identifies suspicious activity and confirms that an attack has taken place. The team then tries to assess the scope of the incident.
Detection and analysis is a critical first step so that businesses can respond quickly to cybersecurity incidents.
After the threat has been detected, the response team will attempt to contain it by removing the attacker’s access. The sooner they can do this, the greater they minimize the damage to the organization.
In the eradication and recovery phase, the response team restores systems to their normal working state. This can be done by restoring backups, for example, in the case of a ransomware attack.
Finally, the response team conducts a post-mortem on the attack to identify how to prevent similar attacks from happening again and to ensure any exposures or vulnerabilities are addressed.
Level 1 Response – Alerting
Many outsourced cybersecurity vendors, including some MSSPs/MSPs (Managed Security Service Providers, and Managed Service Providers), provide only the first stage of response: alerting. In this stage, the vendor alerts you that they suspect an attack has occurred. This alert can be triggered by various indicators of compromise or anomalous behavior detected in the system.
However, they leave it up to you to confirm that the alert is correct. Further, you must complete the rest of the response work depending on whether or not there was actually a compromise.
Unfortunately, automated security alerts are notorious for their false positives. A 2022 report by Orca Security revealed that 62% of respondents feel that alert fatigue contributes to employee turnover at their organization. Alert fatigue also leads to friction between IT, Security, and DevOps teams, said 60% of the report’s respondents.
The lack of alert confirmation by the security vendor can lead to enormous, wasted time chasing false positives or low-priority alerts.
If you have the resources and don’t want to review logs, a Level 1 Response offering might be an option for you, but it’s vital to understand its limitations.
Level 2 Response – Automated response
Experience has shown us that a fully automated response isn’t advisable in cybersecurity. AI-powered responses and automated handlings are excellent when used as tools, but not as replacements for direct human action.
The Level 2 Automated Response category consists of (a) confirming the attack and then (b) running an automated tool to remove the threat. Without human guidance to monitor both the threat and the recovery, this approach can end up being more costly because of lost production, unnecessary downtime due to false positives, and missed threats.
Automated responses typically suffer from the following limitations:
- Overconfidence in the response
- Overly aggressive containment procedures
- No one to turn to for further information
The primary limitation of automated responses is overestimating how effective automation is at overcoming a sophisticated human attacker. Additionally, automated responses might not catch all instances of a threat, inadvertently allowing it to spread unnoticed to other machines.
Overly aggressive containment
Because automated responses lack the human touch, containment actions are often overly aggressive and can’t always filter out false positives; resulting in excessive downtime, disrupting business operations, and causing additional costs.
No one to turn to for more information
Another limitation of the Level 2 response is that it can be difficult for your team to get more information and access to a senior analyst. Automated responses can only do so much. Too often, human intervention is necessary to fully understand and remediate the incident.
Level 3 Response – Full Human-led Response
True security partners will own the incident from start to finish. They alert your company only on true positives that the vendor has verified. The partner then uses a human-led response to understand the full scope of the attack and contain it.
This doesn’t mean the security partner won’t use automated tools, but any tools used are employed to improve efficiency, not to remove human interaction with the threat.
Instead of taking an entire system offline, the analyst will engage in a proactive hunt to identify compromised machines and then take the specific containment actions called for by the results of the hunt. Depending on the findings, the analyst might block only a single file or network connection.
This proactive approach results in minimal downtime for the company being attacked.
Once the attack has been fully contained, the analyst will trigger your team to engage in recovery efforts. However, they will ensure that recovery only takes place when it’s absolutely safe to do so. After the incident has been resolved, the partner will close the case with a post-mortem meeting and recommend specific controls to prevent similar incidents in the future.
Level 3 response requires minimal effort from your team. It’s the most comprehensive level of response, furnishing the utmost protection against security incidents.
The connection between response and attack costs
The way a team responds to a cybersecurity event significantly affects the overall cost of that event for the organization. The total cost of the attack to an organization can include:
- Lost revenue from system downtime and recovery time
- Actual cost demanded in ransomware fees
- Regulatory costs from fines, such as for leaked private data
- Lost revenue from damaged reputation
The faster and more effectively your team can contain an attack, the less that attack will cost.
IBM’s 2022 Cost of a Data Breach Report discovered that companies saved an average of $2.6 million when they used an incident response (IR) team and had a regularly tested IR plan. Having such a team and well-tested plan forms part of a full-level response.
The same report revealed that companies cut their response time by 29 days when they used extended detection and response technologies.
SolCyber offers a true managed Level 3 Response service
For customers with experienced incident response teams, SolCyber recommends looking for Level 1 capabilities to offload the tedium of looking through alerts. However, for most SMBs/SMEs with limited resources, Level 3 is necessary to ensure comprehensive protection against security incidents, which also greatly boosts their cybersecurity posture.
By partnering with SolCyber, your expensive IT/security resources can focus on business priorities, while SolCyber offers the remaining managed services.
Some of the benefits of partnering with SolCyber include:
- 24/7 monitoring
- Automated incident response
- Comprehensive threat-hunting capabilities
To learn more about how SolCyber can help protect your organization from cyber threats, visit our website and explore our relevant solutions. Contact us today to schedule a consultation and take the first step in securing your organization’s future.