Beyond EDR

How to upscale your internal detection and response capability.

Posted on 14 March 2018 by Gayle Kennedy

As the threat landscape and the actors who operate within it continue to evolve and utilize new tactics and techniques, many enterprise organizations are realizing that it can sometimes be a thankless task to keep pace.

There are a number of possible routes to managing the threats to enterprises, which could include buying and deploying endpoint detection and response (EDR) software and either hiring or training staff to monitor any threat activity raised.


However, this is not a quick or simple process, for a number of complex reasons. Building an internal detection and response capability that can defend against and respond to modern threat actors, even with the best EDR tooling to support you, can take anywhere from four to seven years. Why? Because:


The threat landscape and the actors who operate in it evolve faster than any technology or software

It’s no secret that the threats to mature companies are real and present, as are the methods attackers use to reach their end goal. Creative use of ransomware, attacks on supply chains and the cloud, and cryptocurrency mining malware are just some of the more commonly seen methods, and even these can change daily. The result is that organizations are often targeted using previously unseen methods to, for example, steal customer and financial data or hold it to ransom, expose strategic or proprietary information, and disrupt or destroy entire systems.


Attackers are remarkably adept at finding ways to work around technical defenses, which include firewalls, anti-virus software, and even off-the-shelf EDR tooling.

The global skills shortage makes it hard to find and retain the right people

The managed detection and response industry has grown out of the need to defend organizations against a range of known and unknown threat actors. However, it can be difficult for an enterprise’s internal teams to match both the industry’s growth and the pace at which attacker groups have evolved their tactics, techniques, and procedures.


It was recently reported that 70 percent of cyber security professionals have felt the impact of the global skills shortage within their organization, with 22 percent believing their cyber security team was not large enough for the size of their organization. More than two-thirds felt they were too busy with their jobs to put time into skills development and training.[1]


The overhead cost of keeping pace with attacker techniques is often unsustainable

EDR software goes a long way, but on its own it is not enough. Many EDR tools do not provide built-in support to monitor or contain an attacker’s movements. Using this tooling to detect and respond requires a number of different skills, including ongoing knowledge of, to name a few, new attacker techniques, the types of tools that may be used, best practice for incident containment, and processes for applying the lessons of any attempted attack to future investment and training.


These teams must be made up of people trained in the attacker mindset. They need to think like an attacker in order to effectively predict, track, and contain an attacker’s movements. The route to achieving this is allowing a healthy percentage of a team’s working hours for research, which could include anything from developing use cases to attending conferences and offensive training courses, and from automating processes to devising and testing new attacker methods.


Combining all of these elements increases team effectiveness significantly. Without this dedicated time and investment, even the best employees will find that their skills start to atrophy and their experience becomes obsolete.


MDR while you upskill

Your industry is full of people who are remarkably adept at building an internal detection and response capability, and it is likely that you are one of them. However, as you know, it is a long game, especially for a large, mature organization that is likely to be the target of advanced attacks by established and well-funded criminal and nation-state groups. Many companies, including MWR, view recruitment as a three-year process for new employees to acquire the skills and expertise to become resilient security professionals.


This is where we can help. Our managed detection and response solution can manage the risks to your organization while supporting you to build your team. Our service comprises a potent combination of people, processes, and technology to uncover the tactics, techniques, and procedures deployed by modern-day attack teams. Underpinned by our team of threat hunters, Countercept’s MDR service:

  • Adopts the attacker mindset to predict attack vectors and next movements.
  • Continually monitors endpoints, network traffic, and logs to detect anomalies.
  • Is supported by our most recent research and intelligence on emerging threats and attacker techniques.
  • Leverages our proprietary threat hunting platform to view, manage, and respond to every stage of an attack.
  • Is underpinned by best-practice incident response.


Our next article will focus on the different elements of building an internal detection and response capability, based on our own experience. If you are looking for an MDR provider to support you while you upskill your team, our handy checklist will help you ensure you partner with the right one.


Countercept is offering a free customized threat profile to help you answer this question. The first ten respondents will receive an in-depth assessment of who might target you, why, and whether the security structure you have in place can counter the efforts of a range of threat actors and methods. Sign up here.