They provide continuous protection, early threat detection, and rapid response to potential breaches. However, the marketplace for these cybersecurity solutions is overrun with complex terminology, redundant categorization, and over-hyped “must have” technology. This short guide will help you break through this confusion and feel confident in making the right choice for your business.
Many small-medium businesses (SMBs) underinvest in cybersecurity and are left at high risk by the growing indiscriminate nature of cyber-attacks.
Software Supply Chain Risk: With the explosion of Software-as-a-Service (SaaS) subscriptions and cloud infrastructure, SMBs are deeply connected to the software supply chain. It’s a mischaracterization to think “I’m too small to be targeted” because you don’t have to be targeted at all to be attacked. The well-known SaaS subscriptions (e.g. Salesforce, Quicken, Microsoft 365), remote monitoring tools (e.g. GoTo, ConnectWise) and cloud infrastructure (e.g. Azure, AWS) may be the target, with their customers greatly impacted as a result.
Cybercrime-as-a-Service: Just as the SaaS model has brought powerful functionality down-market to any size business, the SaaS model has brought powerful malware down-market to any size hacker. No longer does a hacker need to be an extremely talented software programmer to create malware or ransomware. They can simply buy the toolkit on the Dark Web and deploy it. This makes it possible, even practical, for the local low-skilled criminal to target local businesses.
In fact, according to Coveware, 82% of ransomware attacks in 2021 were against companies with fewer than 1,000 employees.
Driven by the seriousness of cyber threats, the market is awash in vendors to choose from. In addition, due to the speed at which cyber threats have evolved, cybersecurity technologies and techniques are ever changing as well. The result has been comparable to the Tower of Babel. With a massive number of vendors in the market, each fighting to stand out, companies and industry analysts have coined many terms and categories to make sense of them all. However, without any standardization or consolidation, these cybersecurity monitoring, detection, and response solutions go by many names. It’s important that you are aware of them so that you can translate the techno-babel and identify what really matters when choosing a solution. You’ll come across the following terms in your hunt for the right solution:
SIEM (Security Information & Event Management): This software ingests, correlates, and normalizes all sorts of network data and system logs ultimately to alert you to any suspicious activity. Without expert implementation and ongoing tuning, these systems are notoriously noisy and thus historically only practical for enterprise businesses with the wherewithal to run them.
EDR (Endpoint Detection & Response): This software is installed on laptops, workstations, and servers (aka endpoints) to monitor these systems at a more granular level (e.g. processes, executables) and to not only alert but also take preventive measures to block malicious activity.
XDR (Extended Detection & Response): With the explosion of available security tools, this software has recently come onto the scene to reduce the need for some tooling and provide a single pane of glass for others. There is still a wide range of capabilities between vendors in this category, but the expectation is that an XDR solution should complete your IT estate coverage by accounting for networks, endpoints, cloud infrastructure, SaaS applications, and other security tools.
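The SIEM description above (ingest, normalize, correlate, alert) and the note that untuned systems are “notoriously noisy” are easier to judge with a concrete pipeline in hand. The following is an added example, not code from the original guide or from any vendor: a toy SIEM in Python that parses two unrelated log formats (Linux sshd syslog and a Windows security event rendered as text) into one schema, correlates failed logins per source address inside a sliding time window, and raises an alert only when a tunable threshold is crossed. All log lines, hostnames, usernames and addresses are constructed; the schema field names and the `brute-force-login` rule name are assumptions made for the example.

```python
"""Toy SIEM pipeline: ingest -> normalize -> correlate -> alert.

Added example with constructed sample data and a hypothetical event
schema; it does not reproduce any product's parsers or rules.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from two sources. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; every value is made up.
SAMPLE_LOGS = [
    "2024-03-01T09:00:01Z ssh-01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "2024-03-01T09:00:04Z ssh-01 sshd[1201]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "2024-03-01T09:00:09Z ssh-01 sshd[1201]: Failed password for root from 203.0.113.7 port 51251 ssh2",
    "2024-03-01T09:00:12Z ssh-01 sshd[1201]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2",
    "2024-03-01T09:00:15Z ssh-01 sshd[1201]: Failed password for root from 203.0.113.7 port 51260 ssh2",
    "2024-03-01T09:00:20Z ssh-01 sshd[1201]: Failed password for root from 203.0.113.7 port 51266 ssh2",
    "2024-03-01T09:01:00Z dc-01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.5 Status=0xC000006D",
    "2024-03-01T09:01:30Z dc-01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.5 Status=0xC000006D",
    "2024-03-01T09:02:00Z dc-01 EventID=4624 TargetUserName=jsmith IpAddress=10.0.0.5 LogonType=2",
]

# One parser per source format; both feed the same normalized schema.
SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
WIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)"
)


def normalize(line):
    """Map a raw line from either source onto one common event schema.

    Returns None for lines neither parser understands; a real SIEM would
    count these as 'unparsed' rather than silently dropping them.
    """
    m = SSH_RE.match(line)
    if m:
        outcome = "failure" if m["result"].startswith("Failed") else "success"
        source = "sshd"
    else:
        m = WIN_RE.match(line)
        if not m:
            return None
        outcome = "failure" if m["eid"] == "4625" else "success"  # 4625 = failed logon
        source = "windows-security"
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "source": source,
        "user": m["user"],
        "src_ip": m["ip"],
        "outcome": outcome,
    }


def correlate_failed_logins(events, threshold=5, window=timedelta(minutes=1), allowlist=()):
    """Alert on any source address with >= threshold failures inside a sliding window.

    threshold, window and allowlist are the tuning knobs the SIEM paragraph
    alludes to; the allowlist is for known noisy internal sources (hypothetical,
    e.g. an authorized vulnerability scanner). Emits one alert per source address.
    """
    failures = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "failure" and ev["src_ip"] not in allowlist:
            failures[ev["src_ip"]].append(ev)

    alerts = []
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs) - threshold + 1):
            if evs[i + threshold - 1]["ts"] - evs[i]["ts"] <= window:
                alerts.append({
                    "rule": "brute-force-login",
                    "src_ip": ip,
                    "count": len(evs),
                    "users": sorted({e["user"] for e in evs}),
                    "hosts": sorted({e["host"] for e in evs}),
                    "first_seen": evs[i]["ts"],
                    "last_seen": evs[i + threshold - 1]["ts"],
                })
                break  # one alert per source, not one per window position
    return alerts


def run_pipeline(lines, **tuning):
    """Ingest raw lines, normalize them, and return the correlated alerts."""
    events = [e for e in (normalize(line) for line in lines) if e]
    return correlate_failed_logins(events, **tuning)


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOGS):
        print(alert)
    print("alerts with an untuned threshold of 2:", len(run_pipeline(SAMPLE_LOGS, threshold=2)))
```

With the default threshold of five, only the external address that hammered `ssh-01` produces an alert; the user who mistyped a password twice on `dc-01` does not. Drop the threshold to two and both fire, which is the “noisy” behaviour the SIEM paragraph warns about, and passing the internal address in `allowlist` is the kind of ongoing tuning that keeps such a system usable.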
In all these cases above, we’re speaking about products – technology only. Similarly, there are services you can purchase to avoid running the technology yourself.
Managed SIEM: As described above, SIEM platforms require expert skill and bandwidth to be effective. A Managed SIEM service promises to provide that skill and bandwidth. In some cases, the provider may also be the owner of the SIEM platform. In other cases, they may license the platform from another vendor.
Managed SOC (Security Operations Center): The team that provides 24×7 monitoring, detection and response services is known as a SOC. Therefore, Managed SOC, to put it in simple terms, is a subscription-based service in which you may acquire a fractional SOC service sized to meet your needs. However, what is left unstated is which technology this service is using – a SIEM, EDR, or XDR – and whose it is – yours, theirs, or another vendor’s.
MDR (Managed Detection & Response): This category initially rose from the need for managed EDR services. However, today, what scope of detection and response is provided can vary. There isn’t truly much difference in definition between MDR and Managed SOC. It’s debatable, but one may suggest that MDR is more narrowly focused on threat detection and response while Managed SOC is more broad to include more security and compliance support.
Managed XDR: As you may have suspected at this point, this service grew out of a need to couple XDR technology and SOC expertise as a more encompassing cybersecurity monitoring, detection, and response solution. A buyer should beware that “extended” detection is a relative term and one should inspect the coverage of each XDR option to ensure they support your assets and data that make up your IT estate. Some XDR vendors are considered Native XDR in that they offer extended coverage of all security tools and telemetry owned by that vendor. Some XDR vendors are Open XDR in that they are not in the business of creating any other tools than the XDR platform and thus their mission is to openly integrate with as many third-party vendors as is useful.
Armed with this back story, so as not to be thrown by the many solution categories you’ll come across, here is a more controlled approach to finding the right solution.
To help simplify things, compare cybersecurity monitoring, detection, and response to home security monitoring. Think of the components – technology and service – of a provider such as ADT.
1. Assess Your Needs
Just as ADT customizes home security solutions to fit your specific needs, it’s vital to assess your organization’s unique security requirements. Consider factors like the size of your business, the industry you operate in, your budget, and your existing security infrastructure.
2. Choose Your Monitoring Level
ADT offers various monitoring levels, from basic to advanced. Similarly, cybersecurity monitoring levels include which systems will be monitored (servers, endpoints, cloud, network), when they will be monitored (24x7x365 or not), and how they will be monitored (logs only, anomalous behavior too, proactive threat hunting). Determine which level aligns with your threat detection and response needs.
3. Installation and Integration
Just as ADT integrates with your existing home security infrastructure, cybersecurity monitoring solutions should seamlessly integrate into your current IT environment. Ensure compatibility with your existing tools and systems for smooth implementation.
4. Round-the-Clock Monitoring
ADT’s 24/7 monitoring service is analogous to continuous, real-time cybersecurity monitoring. Look for a solution that offers 24/7 threat detection and response capabilities, providing peace of mind that your organization is always protected.
5. Threat Detection
ADT’s motion sensors and alarms detect intruders, while cybersecurity monitoring solutions use continuously changing threat intel feeds, advanced algorithms, and AI to detect anomalous activities, potential threats, and vulnerabilities within your digital environment.
6. Alerting Mechanisms
ADT alerts homeowners and emergency services when a security breach occurs. Likewise, cybersecurity solutions should provide rapid alerts to your security team when a potential threat is detected, allowing for immediate action.
7. Incident Response
Just as ADT dispatches security personnel when needed, cybersecurity solutions should have an incident response plan in place. Evaluate their response time, incident handling procedures, documentation, and the expertise of their security analysts.
8. Data Protection
Ensure that cybersecurity solutions prioritize data protection and compliance with industry regulations. Your data is valuable, and it should be safeguarded accordingly.
9. Scalability
Consider your organization’s future growth. Just as ADT can be scaled up to accommodate larger properties, choose a cybersecurity solution that can grow with your business without compromising its security posture.
10. Cost Considerations
ADT offers various pricing packages, and cybersecurity solutions vary in cost. Understand the pricing structure, including any hidden fees, to ensure that the solution aligns with your budget.
11. Customer Support
ADT provides customer support for any issues or questions. Similarly, cybersecurity solutions should offer robust customer support, including a dedicated support team and clear communication channels.
12. Reviews and Recommendations
Just as you might ask for recommendations before choosing ADT over another provider, seek referrals and read reviews from other organizations that have used the cybersecurity solution you’re considering. This can provide valuable insights into the solution’s effectiveness.
Selecting a cybersecurity monitoring, detection, and response solution for your organization is as important as choosing a home security system. It’s a decision that needs to be made in an informed way, one that ensures the safety and security of your digital assets and operations. It can seem complicated on the surface, but ultimately it isn’t much different than choosing a security provider for your home or office building.