Applying Operational Excellence in MDR

Bitdefender Internet

This is the final installment in our three-part blog series on how Bitdefender has built principles of operational excellence (OE) into our managed detection and response (MDR) service. Part 1 defined OE principles, described why they are important in the MDR industry and how they enable security operations to achieve scale and effectiveness. Part 2 outlined the steps organizations can follow to design their own MDR service or in-house security operations using OE principles. This final installment describes how OE principles are applied in the day-to-day operations of Bitdefender’s MDR service, and how that makes our clients more secure and cyber resilient.

Part 3 – Delegating – Applying OE Principles in Security Operations

By incorporating OE principles into the design and development of Bitdefender’s MDR service from the start, we’ve been able to operationalize and standardize many aspects of cybersecurity – from data collection and threat detection, to threat hunting, response and reporting. This enables us to create a cycle of continuous improvement – something that is missing from the vast majority of MDR services in the industry (see our discussion on this in Part 1).

Guided by OE principles, when Bitdefender begins working with a new client, we start by asking strategic questions of the in-house security team. This helps our security analysts better understand and prioritize the risks the client faces. We not only look at their environment, but also take into consideration factors such as the industry they operate in, who might want to target them, and what their motives would be. The insights gained from these questions help us narrow the scope of threat hunting when incidents do occur. That’s because an effective MDR service is all about context. Understanding the most likely attack scenarios enables our security analyst to steer their threat hunts in the right direction, reduce false positives, and ensure that the client’s in-house security team is not flooded with irrelevant data. Strong cyber resiliency involves a combination of people, technologies and processes, all driven by actionable threat intelligence – not merely a collection of indicators of compromise (IoCs).

OE methods help ensure we have the right processes in place and are able to operationalize them, creating standardized, repeatable cybersecurity operations. This, in turn, enables us to achieve greater automation and scalability with predictable, measurable outcomes (something that is very important when communicating the value and effectiveness of the MDR service to senior leaders.)

The MDR Operational Cycle

Focusing on a cycle of continuous improvement, Bitdefender’s MDR service follows an operational cycle of: Plan, Execute, Review, Refine, and Plan again.

Plan

The planning stage begins with asking questions and establishing a baseline for what is normal in the operations. Without a solid understanding of what normal looks like in an environment, security analysts won’t have the insight needed to determine if an anomaly is malicious or benign. For this reason, the first step of any MDR service should be measuring the environment to establish a baseline. Too many MDR services skip this step completely or simply let their security analysts “get a feel” for the environment. That can be helpful, but it’s not scalable.

Applying standards of operational excellence to baselining makes it a data-driven process. It involves using technologies to gather enough data and telemetry from throughout the environment to gain a full picture of normal operations. It also means having the processes and automation tools in place to ensure that the collected data is usable, searchable, and retrievable so analysts can react quickly when an anomaly is identified.

Execute

There are several ways that OE principles should be applied to the day-to-day cybersecurity operations or “execution” phase. Two examples are in data collection and threat hunting. When it comes to collection, many security operations centers (SOCs) collect terabytes of data daily, or even hourly. However, this data is useless if the security team lacks context. By standardizing and operationalizing the processes around how IoCs are collected, enriched, and reported to the threat hunting team, data can be transformed into actionable cyber threat intelligence.

When it comes to threat hunting, without OE principles in place, approaches can be all over the map. Some MDR providers believe looking for artifacts on a single host after it has already been known to be compromised is threat hunting. Others look for IoCs that have been identified in a report and call that threat hunting. The reality is that threat hunting is a high skill, high maturity specialization. It needs to be hypothesis-driven and human led. MDR services should have a deliberate process guided by OE principles and use contextualized data, designed to define potential cyber threats and proactively seek them out within the environment. By operationalizing the search process, security analysts are provided targeted and effective threat intelligence that tells them what to go look for. This speeds the response, reduces false positives and increases the analysts’ success.

Review and Refine

One of the most important steps in a cycle of continuous improvement is reviewing incidents and processes, identifying lessons learned or improvements to be made, and refining the process for the future. In cybersecurity, this step is especially important after a security incident, threat hunt or breach. Among Bitdefender’s MDR team, this process involves a “hot wash,” where our security analysts discuss and evaluate the incident and response in order to identify strengths and weaknesses, and identify lessons learned.

The results of the threat hunt and the lessons learned should be documented in a standardized way that ensures the institutional knowledge gained is shared and used going forward. Baselines should be updated, and the results of the hunt should be fed back to the threat intelligence group to provide additional context and insights for future hunts. OE methods create operationalized processes for capturing the lessons learned, refining procedures and policies, and ensuring that they are carried forward in the next planning stage.

The Benefits of OE for MDR Clients

By creating consistent, repeatable processes in cybersecurity operations, OE principles enable an MDR service to respond faster and more efficiently to threats – thus better protecting the client. OE principles enable an MDR service or in-house cybersecurity team to do more with fewer resources and achieve a level of automation and scale that would not be possible otherwise. Most importantly, because OE methods are designed to create a cycle of continuous improvement and a culture of high-performance work teams, they improve the overall cyber resiliency of an organization, enabling them to identify and respond quickly to new threats and improve processes for the future.

Conclusion

Though principles of operational excellence are typically seen in industries such as manufacturing, they can provide benefits to almost any industry, including one as fast-paced and dynamic as cybersecurity. Whether building out an in-house cybersecurity team or developing a managed detection and response service, organizations should look to follow OE principles when designing and managing their operations. Business and threat landscapes are constantly changing. OE principles enable organizations to better plan for, identify, and react to potential threats and security incidents more quickly while also ensuring that processes are continually evaluated and improved upon. In a world of growing cyber threats, OE is crucial for ensuring resiliency, security and future-proofing your organization for whatever comes your way next.

Join Bitdefender’s Lead MDR Security and Head of Cyber Intelligence Fusion Cell as they take a detailed look into the threat landscape through the lens of 2021, 2022 and beyond.