“What I need to see from the service provider, in addition to its technical capabilities, is that . . . its staff must act like they’re part of my team.”
The ability to detect and automatically respond to incidents in real time is essential in today’s threat environment of ransomware and viruses. If you do not have this ability now, you already have a problem managing cyber-risk.
We have a layered approach that starts with monitoring router activity, then monitoring network and endpoint activity, followed by monitoring servers and applications. The system displays alerts, and then sends email alerts. If the system detects a threat or suspicious activity, it automatically shuts down nodes.
We currently do all this monitoring in house. We began beefing up our detection and response capabilities several years ago, after a couple of ransomware attacks that, although they did not cause us material losses, were disruptive because we had to restore data and re-image machines. We are a small shop. Our IT team, which handles all IT support and security, consists of five people who watch over fourteen locations, 1,200 machines, and 2,500 users. The security tools we currently use make this work possible, and they work well for us, but we do not have the staff to continuously watch security monitors. We depend on the tools to automatically block threats, which so far has happened quickly and reliably. It’s often the case that we first learn of an issue when users call in to tell us they are unable to get into the system. Then, we go to the security tools, determine what happened, and correct it.
This is an excerpt from 7 Experts on Transitioning to Managed Detection and Response. This eBook was generously sponsored by GoSecure.