18 December 2024

Managed Detection & Response: An Essential Service!

Retelit - Insights

This year’s Clusit Report on ICT Security in Italy (updated October 2024) once again confirms the increasing trend in security incidents (+23% globally) recorded in the first half of 2024, without any surprises or plot twists. This growth is attributed to the rising impact of cybercrime and the persistent intelligence activities observed over the years, further exacerbated by the escalation of the conflict between Israel and Iran-backed Islamic militias across various Middle Eastern countries.

The data and analyses in the report provide valuable insights into cyberattacks, offering a clearer understanding of the environment we all now operate within:

  • Attack Effectiveness Is Increasing
    In Italy, 58% of detected attacks are rated as high or critical in severity. This underscores both the attackers’ growing sophistication and the increasing difficulty organizations face in responding effectively. The reasons are varied and often interconnected, such as inadequate protection of exposed surfaces, poorly organized security management (often reflecting a risk underestimation), and an inability to manage active attacks due to unclear procedures or insufficient resources.

  • Attacks Are Easy, Low-Cost, and Profitable
    In Italy, 51% of attacks are caused by malware, while 27% exploit DDoS techniques. Malware offers attackers a wide range of possibilities for system compromise. It is often hard to detect, has a high success rate, and is low-cost, making it a highly lucrative tool, especially when used on a large scale. Organizing a DDoS attack can be equally straightforward and affordable: as-a-service platforms are readily available on the dark web, requiring little technical expertise. For the more enterprising, there are even detailed guides on how to execute an attack.

  • Every Organization Is a Potential Target
    The report highlights that nearly all industry sectors have been impacted by cyber incidents, albeit with varying percentages.
    Ranked second among the most targeted categories is "Multiple Targets" (13% of total attacks). These are attacks aimed at hitting several objectives simultaneously, planned with an industrial logic to maximize impact and success. This strategy makes no distinction based on size, industry, or security level.
    Furthermore, 71% of total incidents are attributed to cybercriminals, followed by activists (27%). The primary motive for cybercriminals remains profit: they target any company or organization, provided the attack is advantageous.

The increasing sophistication of attacks and the expanding attack surface, amplified by the widespread adoption of cloud solutions, are rendering traditional measures ineffective, despite their continued necessity. Solutions like endpoint protection or perimeter security (firewalls, web application firewalls) prove limited when implemented as isolated tools. While they perform their specific tasks adequately, they lack the ability to "perceive" and evaluate the surrounding environment, compromising the ability to respond to more complex attacks.

What Needs to Be Done

It’s crucial to understand that even with the best security measures, the possibility of an attack always exists. Therefore, it is essential to be ready to face and manage it effectively. Managing an attack involves, above all, stopping the attacker through key actions:

  • Intercepting the attack by monitoring all potential vectors.
  • Assessing and defining the best containment strategy.
  • Identifying and executing specific actions to contain the attack.
  • Reassessing the strategy based on the outcomes of implemented actions.

To ensure the effectiveness of this process, four critical factors must be prioritized:

  • Time: speed and continuity are crucial. Operations should include 24/7 monitoring, real-time event analysis, and immediate, uninterrupted execution.
  • Organization: a well-defined blue team with clear roles, responsibilities, and established procedures is essential. Coordinated management during crises can make all the difference.
  • Know-how: the team must consist of professionals with deep expertise, up-to-date certifications, and solid experience.
  • Tools: advanced technologies capable of detecting, analyzing, and integrating information to support the team are necessary. The use of artificial intelligence and machine learning is fundamental to automating repetitive tasks, ensuring accuracy and speed, for example in managing false positives.

MDR: The Right Answer

Managed Detection & Response (MDR) is the optimal solution for identifying and containing attacks.
This service combines the expertise and professionalism of a Security Operations Center (SOC) with a predefined integrated platform composed of multiple security components and solutions. It provides clients with the necessary resources 24/7 to effectively counter attacks through a coordinated SOC team that operates based on predefined processes and procedures:

  • Attack Identification: primarily performed by the integrated platform.
  • Event Analysis: the SOC analyzes notifications generated by the technology stack to determine their relevance, urgency, and intervention priority. This stage filters and classifies alerts generated by monitoring tools, ensuring SOC resources focus on the most critical threats. Additional insights are derived from threat intelligence.
  • Threat Hunting: the SOC conducts thorough event and telemetry analysis to identify traces of unknown, active threats that may have gone unnoticed. The main goal of threat hunting is to detect potential incidents before they negatively impact the organization.
  • Attack Response: the SOC develops a containment strategy, communicates, and coordinates activities to block the attack according to predefined playbooks, identifying the roles and responsibilities of those involved. Where possible, automated remediation integrations can be implemented.

The SOC utilizes a predefined technology stack included in the MDR service, which:

  • covers and monitors endpoints (servers, workstations), networks, and event logs from systems and cloud resources.
  • includes components for processing, interpreting, and correlating events and telemetry data from monitored devices. The use of artificial intelligence and machine learning algorithms ensures rapid data processing and generates specific alerts for potential attacks or anomalies.
  • enables remote activation of initial containment actions (e.g., isolating compromised endpoints).
  • integrates seamlessly with the company’s existing defenses or previously implemented security tools, preserving the client’s investment and know-how.
  • is fully managed by the MDR service provider, ensuring its ongoing functionality and evolution.
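The event-analysis, threat-intelligence enrichment and response steps listed above, together with the stack's correlation of endpoint, network and cloud telemetry and its remote containment action, can be illustrated with a small triage routine. The following Python is an added example written for this page; it is not Retelit's code, and the threat-intelligence feed, allowlist, asset inventory, thresholds and alerts are all constructed values. It scores each alert by sensor severity weighted with asset criticality, adds a bonus for indicators found in the intel feed, suppresses alerts caused by an allowlisted internal scanner (automated false-positive handling), correlates the remaining alerts per host across sources, and maps each incident to a playbook step such as isolating the endpoint.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed threat-intelligence feed: a documentation-range IP and a dummy hash.
THREAT_INTEL: Dict[str, Set[str]] = {
    "ip": {"203.0.113.45"},
    "sha256": {"deadbeef" * 8},
}
# Constructed allowlist: the internal vulnerability scanner trips network sensors daily.
ALLOWLIST_IPS = {"10.0.0.5"}
# Constructed asset inventory: how much an incident on this host would hurt (1-3).
ASSET_CRITICALITY = {"dc01": 3, "fileserver02": 2, "laptop-117": 1}

INTEL_BONUS = 5          # a known-bad indicator bumps the alert score
CORRELATION_BONUS = 3    # per additional telemetry source seeing the same host
ISOLATE_THRESHOLD = 15   # assumed playbook thresholds
ESCALATE_THRESHOLD = 8


@dataclass
class Alert:
    id: str
    source: str                 # "edr", "network" or "cloud"
    host: str
    severity: int               # 1 (low) .. 4 (critical), as emitted by the sensor
    indicators: Dict[str, str]  # e.g. {"ip": "...", "sha256": "..."}


def matched_intel(alert: Alert) -> Set[str]:
    """Enrich an alert: return the indicators that appear in the intel feed."""
    return {v for k, v in alert.indicators.items() if v in THREAT_INTEL.get(k, set())}


def is_suppressed(alert: Alert) -> bool:
    """Automated false-positive handling: drop alerts caused by allowlisted sources."""
    return alert.indicators.get("ip") in ALLOWLIST_IPS


def score_alert(alert: Alert) -> int:
    """Sensor severity weighted by asset criticality, plus a bonus for intel hits."""
    base = alert.severity * ASSET_CRITICALITY.get(alert.host, 1)
    return base + (INTEL_BONUS if matched_intel(alert) else 0)


def choose_action(priority: int, sources: Set[str]) -> str:
    """Map an incident to the predefined playbook step."""
    if priority >= ISOLATE_THRESHOLD and "edr" in sources:
        return "isolate_endpoint"      # initial containment, executed remotely via EDR
    if priority >= ESCALATE_THRESHOLD:
        return "escalate_to_specialist"
    return "analyst_review"


def triage(alerts: List[Alert]) -> dict:
    """Correlate alerts per host and return a priority-ordered incident queue."""
    incidents: Dict[str, dict] = {}
    suppressed: List[str] = []
    for a in alerts:
        if is_suppressed(a):
            suppressed.append(a.id)
            continue
        inc = incidents.setdefault(a.host, {"host": a.host, "alerts": [], "sources": set(),
                                            "intel": set(), "max_score": 0})
        inc["alerts"].append(a.id)
        inc["sources"].add(a.source)
        inc["intel"] |= matched_intel(a)
        inc["max_score"] = max(inc["max_score"], score_alert(a))
    for inc in incidents.values():
        # A host seen by several independent sensors is more likely a real intrusion.
        inc["priority"] = inc["max_score"] + CORRELATION_BONUS * (len(inc["sources"]) - 1)
        inc["action"] = choose_action(inc["priority"], inc["sources"])
    queue = sorted(incidents.values(), key=lambda i: i["priority"], reverse=True)
    return {"queue": queue, "suppressed": suppressed}


# Constructed sample alerts from the three telemetry sources.
SAMPLE_ALERTS = [
    Alert("a1", "edr", "dc01", 3, {"sha256": "deadbeef" * 8}),       # intel hit on a domain controller
    Alert("a2", "network", "dc01", 2, {"ip": "203.0.113.45"}),       # same host, second sensor, intel hit
    Alert("a3", "cloud", "fileserver02", 2, {"ip": "198.51.100.7"}),  # unknown IP, no intel match
    Alert("a4", "edr", "laptop-117", 1, {}),                          # low-severity noise
    Alert("a5", "network", "fileserver02", 3, {"ip": "10.0.0.5"}),    # allowlisted scanner, suppressed
]

if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    for inc in result["queue"]:
        print(f"{inc['host']:13} priority={inc['priority']:2} "
              f"sources={sorted(inc['sources'])} action={inc['action']}")
    print("suppressed:", result["suppressed"])
```

Run as a script, the queue puts dc01 first (priority 17, isolate_endpoint) because two independent sensors saw intel-listed indicators on a critical asset, while the scanner-triggered alert a5 never reaches an analyst. In practice the thresholds, bonuses and allowlist would be tuned per client and reassessed after each containment action, which is the feedback step of the attack-management loop described earlier.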

The MDR service allows organizations to outsource threat detection and management, reducing pressure on internal teams and improving operational efficiency through the expertise of the SOC and the technological stack used. This turnkey approach, combining expertise and technology, enables:

  • avoiding investments through the use of “as-a-service” technology components and minimizing implementation time by simply integrating the client’s devices with the service’s technology stack.
  • reducing IT complexity and management: avoiding the introduction of new security tools that need to be managed and maintained.

Retelit’s Offering

Retelit has developed a cybersecurity service catalog divided into three main categories, each designed to address specific needs and tackle various stages of improving an organization’s security posture:

  • Analysis: services that help clients assess their security posture and define an improvement path.
  • Protection: services for the managed protection of a company’s data and infrastructure provided as-a-service.
  • Defense: specialized services for monitoring and managing security incidents.

Within the Defense suite, Retelit has developed the Managed Detection & Response (MDR) service, a solution designed to effectively manage cyberattacks. Built on the key principles outlined earlier, the MDR service combines the use of advanced technologies, such as artificial intelligence and machine learning, with the expertise of the Security Operations Center (SOC) — a team of professionals organized into three levels (analyst, specialist, expert specialist).

The platform is designed to integrate with the client’s security solutions (e.g., SIEM, EDR, next-generation antivirus, anti-phishing solutions), respecting prior investments and operational workflows.
The modularity of the service also allows for complementing existing technologies with others capable of covering additional attack vectors, granting the SOC greater visibility and scope of action.

Entrusting the management of cyberattacks to Retelit’s expertise and professionalism represents the ideal solution for tackling an increasingly complex challenge. By combining advanced technologies and specialized skills, we ensure effective attack management, minimizing risks and potential harmful consequences for our clients.

Insight provided by Andrea Priviero - Product Marketing Retelit

Contact us to receive additional info about Retelit products and services