Managed Detection and Response: Integrated SIEM versus Inherent MDR


Guest Writer Bio: Eyal Webber-Zvick is Cato Networks’ Senior Director of Product Marketing and Business Development with over 20 years of experience in security and networking companies.

With Gartner’s introduction of the SASE architecture, the industry has accepted that security and networking should be converged and delivered from the cloud. This architecture reduces costs, makes deployment much easier, and more importantly, provides better visibility into and protection for what’s happening on the network.

While security convergence originally meant bringing firewalls, intrusion prevention and malware detection into the network, the next wave of convergence includes the management of those functions through Managed Detection and Response (MDR). Cato delivered its MDR service at the end of February 2019. (See Cato Fortifies Cloud-native Security Services with New Threat Prevention and Detection Engines.)

Some networking vendors are starting to integrate a security information and event management (SIEM) system with SD-WAN and call the result MDR, but there is an enormous difference between that approach and a cloud-native MDR offering.

The Legacy Approach to MDR

MDR services include a Security Operations Center (SOC) staffed with security experts who analyze relevant information to assess and verify threats and initiate a response. This is an invaluable service for organizations that want to minimize risk without building their own sophisticated infrastructure for monitoring and managing threats.

Currently there are two approaches taken by network providers who offer a managed detection and response service. The legacy approach is to use a SIEM to collect and analyze event information from sources (typically logs) throughout the enterprise environment. The provider runs the SIEM, such as Microsoft Azure Sentinel, ingesting logs and alerts from network sensors, endpoint sensors (i.e., an agent on connected endpoints), applications, and other points of the infrastructure. To inspect cloud-to-cloud and mobile-to-cloud traffic, the provider must deploy a virtual appliance or some other sensor in the cloud.

Once the data is collected, the SIEM combines the logs, and uses data analytics and threat intelligence to detect threats. From its SOC, the network provider can orchestrate custom responses for automatic mitigation or use human intervention to respond to threats.

Such an approach may run the SIEM in the cloud and, as such, have a datastore that’s more scalable than one kept on premises. But this is only a minor benefit of the cloud. The approach continues to perpetuate serious drawbacks endemic to legacy MDR services.

  1. By working from threat intelligence and logs, a SIEM misses much of the context that is available in the raw network data: for example, the frequency of flows between endpoints, new or unusual flows that have not appeared on the network before, malformed packets, and the like.
  2. The MDR service is still left with highly skilled SOC analysts sifting through tens of thousands of events. This drives up costs, which invariably get passed to the customer as higher prices or poorer service quality.
  3. Sensors need to be deployed everywhere, which is time consuming, expensive, and not always feasible.

A New Approach: Threat Detection Based on Network Flows

A second approach to MDR is a cloud-native solution that operates from the metadata of the raw network flows traversing the SASE platform, augmented by security data such as threat intelligence feeds. Including the raw network data provides deeper visibility than just operating from logs and threat intelligence feeds. This is the approach taken by Cato MDR.

For example, Cato MDR scrutinizes network flow data based on many attributes, such as accurate client-application identification and geolocation, and a risk assessment of the destination based on IP address, URL category, URL name structure, frequency of access, and much more. Detection logic such as "a Python bot communicating periodically with an unknown or unpopular website" will be caught by Cato MDR but remains entirely invisible to an event-based SIEM that never sees those flow attributes.
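The following is an added illustration of that kind of flow-based detection logic, not code from Cato or from the original post. It takes flow metadata records and flags a source/destination pair only when three of the attributes named above coincide: the flows arrive at a regular interval, the client application is a scripting tool rather than a browser, and the destination is unknown or unpopular. The record field names (`ts`, `src`, `dst`, `client_app`, `dst_popularity`), the popularity-rank convention, the thresholds, and the sample flows are all assumptions constructed for the example.

```python
"""Periodic-beacon check over flow metadata (added example, not Cato's code).

Field names, thresholds and the popularity rank are assumptions made here;
the sample flows are constructed, not captured traffic.
"""
from collections import defaultdict
from statistics import mean, pstdev

SCRIPTED_CLIENTS = {"python-requests", "python-urllib", "curl", "powershell"}
MIN_FLOWS = 5              # fewer flows than this cannot establish a period
MAX_JITTER = 0.15          # pstdev/mean of inter-flow gaps; lower is more regular
UNPOPULAR_RANK = 100_000   # assumed: destinations outside the top 100k are "unpopular"


def sample_flows():
    """Constructed flow metadata. dst_popularity is a hypothetical site-ranking
    field (lower rank = more popular, None = never seen in the ranking)."""
    base = 1_700_000_000
    flows = []
    # 1) scripted client polling an obscure host roughly every 60 s (the case
    #    described in the text: should be flagged)
    for t in (0, 60, 121, 179, 240, 301):
        flows.append(dict(ts=base + t, src="10.1.2.34", dst="ops-cdn-sync.example",
                          client_app="python-requests", dst_popularity=None))
    # 2) same client type and equally regular, but a very popular destination
    #    (a package mirror, say): periodic alone is not enough, so not flagged
    for t in (0, 60, 120, 180, 240, 300):
        flows.append(dict(ts=base + t, src="10.1.2.35", dst="pypi.org",
                          client_app="python-requests", dst_popularity=500))
    # 3) ordinary, irregular browser traffic to a popular site: not flagged
    for t in (5, 12, 300, 310, 900, 905):
        flows.append(dict(ts=base + t, src="10.1.2.34", dst="www.example.com",
                          client_app="chrome", dst_popularity=20))
    return flows


def gap_stats(timestamps):
    """Mean inter-flow gap and its relative jitter for a sorted list of timestamps."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m > 0 else float("inf"))


def find_beacons(flows):
    """Flag (src, dst) pairs that are periodic, driven by a scripted client and
    pointed at an unknown/unpopular destination. Returns a list of findings."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)

    findings = []
    for (src, dst), pair_flows in sorted(by_pair.items()):
        if len(pair_flows) < MIN_FLOWS:
            continue
        period, jitter = gap_stats(sorted(f["ts"] for f in pair_flows))
        if jitter > MAX_JITTER:
            continue                      # irregular timing: interactive use, not a beacon
        apps = {f["client_app"] for f in pair_flows}
        rank = pair_flows[0]["dst_popularity"]   # assumed constant per destination
        unpopular = rank is None or rank > UNPOPULAR_RANK
        if apps & SCRIPTED_CLIENTS and unpopular:
            findings.append({"src": src, "dst": dst, "period_s": round(period, 1),
                             "jitter": round(jitter, 3), "client_app": sorted(apps)})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(sample_flows()):
        print(hit)
```

Only the first pair is reported: the package-mirror poll is just as regular but goes to a well-known destination, and the browser traffic is irregular. None of the three signals used here (inter-flow timing, identified client application, destination popularity) exists in an IPS alert or a firewall deny log, which is the gap the paragraph above describes; a production service would of course combine them with many more attributes and with threat intelligence.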

Cato uses a big data repository and machine learning algorithms to mine network flow data for suspicious flows and trends. This distillation of the data makes the best use of SOC analysts' time, which in turn reduces costs. Anything determined to be suspicious is passed to a Cato security expert for verification. If the incident is benign, the investigation is closed. If a threat is verified, the expert notifies the customer and, based on predefined policy, can apply network-level threat containment by cutting the compromised endpoint off from the WAN and the Internet. The Cato expert is available to provide context for the threat and to guide the customer on remediation as needed.

Cato's approach has a zero footprint. There is no need to deploy agents, sensors or appliances for data collection, which makes the solution faster to onboard and gives the service wider coverage. Cato MDR covers all edges globally, including cloud and mobile, and all traffic, both WAN and Internet. And because the service works from network flows rather than alerts, it can look at flows from every customer organization that uses Cato's private network, giving it visibility into more than three terabytes of daily flow information. All of this data provides more context with which to investigate and understand threats.

Simplified Security

With Cato MDR, no integration is necessary because every aspect of the solution, the data flows, the data warehouse, the machine learning and so on, is an inherent part of the Cato SASE platform. Gartner Research VP Andrew Lerner made the same point about the future of network security being in the cloud: "Software architecture and implementation really matters. Be wary of vendors that propose to deliver services by linking a large number of features via VM service chaining, especially when the products come from a number of acquisitions or partnerships. This approach may speed time to market but will result in inconsistent services, poor manageability, and high latency."

When the network infrastructure and the security infrastructure are one and the same and nothing has to be bolted on or integrated in, security is simplified yet visibility is deeper and broader. It’s harder for threats to hide, which in turn increases the efficacy of managed detection and response.
