Locating XDR and MDR in a prevention-first approach to security.
“How could this happen?”
This is what both executives and Security Operations Center (SOC) teams of enterprises might keep asking themselves after a successful ransomware attack.
The story is often the same – a random phishing email finds its way into the inbox of an employee, who then proceeds to provide personally identifiable information, including work account details, to a seemingly legitimate-looking entity.
Social engineering and email scams remain some of the top threats facing businesses worldwide, with ESET Research finding phishing and fraud trojans at the top of email threat detections.
Recently, Insomniac Games, a subsidiary of PlayStation Studios, was compromised by the Rhysida ransomware, ending up with terabytes of leaked data, as the studio refused to pay the ransom asked of them (which, despite the result, is a legitimate strategy, since threat actors are not the most trustworthy of entities).
Is there an approach to security that could have prevented an attack like this? Let’s explore a prevention-first approach employing Extended Detection and Response (XDR) or Managed Detection and Response (MDR).
Persistent threats persistently threaten established businesses
Just as fairy tales tell of big villains that kidnap princesses and valiant heroes running to save them, the same is true for ransomware and cyberattacks in general.
However, instead of dragons trying to burn down castles, we’re discussing dangerous forms of malware deployed to penetrate and occupy them. Valiant heroes, in the form of security specialists, then try to hold what was supposed to be a rather secure castle with all the defensive bells and whistles available … apart from that big gaping hole right under the north-facing castle walls, obscured by a green bush.
Perhaps the metaphor went a bit too far, but the idea is clear – there will always be certain vulnerabilities, unprotected threat surfaces/vectors, or gaps in defenses that might not be as obvious at first sight as we would assume.
Threat actors will always try to gain entry to a business's internal systems because that’s where to find the most important access rights/files/data that are dear to the managers and CEOs. That value can be enumerated in millions and in some cases even billions of (dollars, Euros/other). And crooks know that, so they will keep trying their best to pull the chair from under the people tasked with securing businesses.
Consider the SolarWinds and the MOVEit supply chain attacks, for example. The former happened in 2020 because of understated and poorly communicated vulnerabilities, while the latter, in 2023, was caused by hackers exploiting a flaw within the file transfer software, gaining access to sensitive customer data.
The result of the MOVEit hack? According to Emsisoft’s estimate, USD 15 billion in damages. This after having impacted around 2,726 organizations. They say you can’t put a price on many things, like health and safety … however, this is not the case for cybersecurity.
Regarding both attacks, it didn’t matter whether a particular business was targeted, since due to the nature of a supply-chain attack, any partner/client can sustain collateral damage, often having their information accessed and leaked as a result. Therefore, it can be said that as far as a supply-chain attack is concerned, no one in it is safe … unless they take some specific precautions, such as by investing in XDR or an MDR service.
Vulnerabilities in and out
Now, zero-day vulnerabilities are tough to prevent, since they usually crop up due to flaws in software that not even the developer may know about – hence the name.
Vulnerabilities can be disclosed, and subsequently recorded, by organizations like MITRE, which maintains the registry of common vulnerabilities and exposures (CVEs).
One way to prevent the exploitation of vulnerabilities is to always keep systems and apps up to date, such as with security updates, or by patching vulnerabilities through patch management functions, which are often a requirement of cyber insurance nowadays.
The reason vulnerabilities are so important in the grand scheme of things is that successful patching and updates are make or break for the management of a company’s threat surfaces. Security admins have to demonstrate effectiveness here, both in the office and for employees working hybrid or fully remotely. This is true regardless of how device use expands beyond the limits of company premises and must even extend security to areas and activities security admins may not see. This brings with it a whole slew of problems, including potential new vulnerabilities, the resulting incidents, and users being targeted who have access to critical internal networks and data through their computers, phones, or tablets.
This fact is driven home, especially as cloud-based tools become the norm. As a result, cloud security has become a key component of prevention, since most companies now use products like SharePoint or other cloud-powered internal data repositories and sharing networks. And what’s more, both the benefits and the risks trickle down to cloud-powered apps like Office 365 or Google Workspace Suite, meaning that the more connection there is between an internal server and an external user, the more opportunities there are for exploitation. This is very evident when we look at cases where, for example, Microsoft Teams was used to share malware through external accounts that did not even belong to the targeted organization.
Monitoring an extended network
Cloud security is important, but it is not enough, especially from the perspective of a security admin who might want to have a deeper understanding of their company network, with specific alerts, rules, and triggers that would highlight and specify issues arising during crucial moments – like when an attacker is trying to exploit one of the company’s assets.
Skilled admins would probably pick an XDR solution to gain an understanding of their environment, with access to quick remediation of potential incidents. This is all well and nice – when an organization has the necessary resources to purchase and maintain such a solution.
Sure, XDR tasks can be made easier by employing effective and intuitive software solutions like the ones offered via ESET Inspect, which makes the lives of security admins easier by coming pre-loaded with certain rules, with further enhancement being rather easy to configure thanks to its elegant interface. But that takes time, and it also asks the admin to know their environment enough to recognize which rules need to be configured, customized, and set up in a prioritized manner.
From there, capabilities like the automatic incident creator found in ESET Inspect can work wonders to speed up incident remediation, giving the admin more time and room to focus on other important matters.
But is that enough? Can XDR prevent ransomware attacks such as the one that targeted the above-mentioned game studio?
Time to stop ransomware
Indeed, while using XDR is one way to stop the execution of ransomware, the admins need to be fast enough to respond on time, stopping the threat in all locations, and killing it as soon as possible by knowing where the breach occurred.
XDR can help with that, as it offers a granular view of a company’s environment. During the MOVEit saga, for example, ESET Inspect managed to detect the compromise and supply admins with logs pertaining to it.
And if that is not enough, or a company requires more professional help to rapidly address mitigation and remediation needs, services including a larger capacity of security experts supplied with professional software –MDR solutions – are where it’s at.
MDR is a lot like XDR, but it adds another dimension – it is a service that also employs real-life experts to manage company cybersecurity. While XDR is a great pick for businesses with enough personnel, institutional knowledge, and capacity to tackle complex threats, MDR pushes security to greater heights as it supplies experts with deep knowledge of both the security tool at hand (XDR) and the threat environment.
This means high-level support in case of an incident, be it a random weekday, holiday, or weekend, as MDR is a 24/7/365 service. So, in case a ransomware attack happens when most of a business is out, the MDR team can still immediately respond to a threat despite the lack of in-house staff.
This rings true even for small and medium-size businesses (SMBs), which can lack such staff by design, due to limited resources. Regardless, SMBs face the same threats as large enterprises, including ransomware. And in such cases, quick action is always necessary.
Closing time
It's one thing to stop an ongoing incident, but it's an entirely different thing to proactively prevent an incident from happening in the first place.
XDR and MDR are both excellent choices in the fight against ransomware and related threats, as they empower companies to be on the lookout for even the most insidious threats.
And while all the components of a security platform such as ESET PROTECT help in protecting specific environments, a detection and response solution, whether in-house or as a service, combines all of this into a single view. It provides a refined and clear understanding of the security apparatus of a company, giving admins the right tools to respond and remediate on time.