INTRODUCTION 


Over the last few years, companies' awareness of cybersecurity issues has grown considerably, largely in response to the steady stream of threats arriving from cyberspace (malware, phishing, ransomware, etc.).

The growing complexity of managing security infrastructures requires specialized in-house skills that are scarce on the market and, where available, expensive; not every company can afford them (the skill shortage).

The combination of these trends is pushing small and mid-sized enterprises (SMEs) to outsource security management, and in particular the incident management process, to specialized providers of Managed Detection & Response (MDR) services.

An MDR service provides timely and effective monitoring, detection of, and response to cyber threats, relying on a combination of advanced technologies, data analysis, and threat intelligence, backed by the cybersecurity expertise of the assigned personnel, who normally work remotely from a Security Operations Center (SOC).

In some ways, MDR is similar to the Managed Security Service Provider (MSSP) model, since it outsources security monitoring, detection, and incident response, but it adds proactive defense capabilities, including the search within the ICT infrastructure for threats that have evaded the existing security controls (threat hunting).

Such a service allows companies to: 

  • increase the level of protection of their systems and data, reducing the risk of suffering cyber attacks; 
  • gain more visibility and broader coverage against threats, including sophisticated and persistent ones; 
  • improve the ability to detect suspicious or anomalous activity within their network, identifying and validating incidents; 
  • respond rapidly and effectively to cyber incidents, with containment, remediation, and operational recovery activities; 
  • benefit from the experience and expertise of the provider's specialists, who offer continuous 24/7 support and advice; 
  • optimize the costs and resources dedicated to cybersecurity by relying on a managed, scalable outsourced service. 


The MDR service is therefore particularly suitable for SMEs and, more generally, for any company that lacks a large security budget or the personnel and tools needed to face today's cybersecurity challenges. Such companies can take advantage of a service that brings benefits in terms of resilience, competitiveness and regulatory compliance. 

As we will see below, the incident response capabilities typical of an MDR service are greatly enhanced by the support of a CERT (Computer Emergency Response Team), a team specialized in preventing and countering cyber threats, since it adds a proactive defense component that is essential in a risk landscape that evolves as quickly as the cyber one. 

MDR Services 

MDR services are delivered by specialized providers who, relying on appropriate technologies, well-defined processes and procedures, and a team of highly skilled cybersecurity professionals (analysts, incident responders, ethical hackers, forensic investigators), are able to ensure an organization's cybersecurity remotely by promptly analyzing and responding to cyber threats. 

An MDR provider collects and analyzes information about a company's IT security and acts promptly when an attack occurs, following a proven security incident management process to counter cyber threats. It detects intrusions within the corporate perimeter through continuous monitoring of the anomalies raised by the security tools, contains incidents and mitigates their impact, and restores the affected systems in order to ensure business continuity through an effective Incident Response process. 
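To make the detect-contain-recover loop above concrete, the following is an added illustration (not Innovery's code, and not a description of any specific product) of how an analyst might validate raw tool alerts into incidents and derive containment actions. The alert format, the 5-minute correlation window, the 4-failure threshold, the private-range check and the containment wording are all assumptions made for the example; the alerts themselves are constructed sample data.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (one JSON record per line), in a shape an
# EDR/SIEM export might use. These are made-up events, not real data.
SAMPLE_ALERTS = """\
{"ts": "2024-03-01T09:00:05Z", "source": "edr", "host": "ws-017", "user": "mrossi", "type": "failed_logon", "src_ip": "203.0.113.9", "severity": "low"}
{"ts": "2024-03-01T09:00:41Z", "source": "edr", "host": "ws-017", "user": "mrossi", "type": "failed_logon", "src_ip": "203.0.113.9", "severity": "low"}
{"ts": "2024-03-01T09:01:12Z", "source": "edr", "host": "ws-017", "user": "mrossi", "type": "failed_logon", "src_ip": "203.0.113.9", "severity": "low"}
{"ts": "2024-03-01T09:01:30Z", "source": "edr", "host": "ws-017", "user": "mrossi", "type": "failed_logon", "src_ip": "203.0.113.9", "severity": "low"}
{"ts": "2024-03-01T09:02:10Z", "source": "edr", "host": "ws-017", "user": "mrossi", "type": "logon_success", "src_ip": "203.0.113.9", "severity": "info"}
{"ts": "2024-03-01T09:03:00Z", "source": "edr", "host": "ws-017", "user": "mrossi", "type": "credential_access", "process": "rundll32.exe", "severity": "high"}
{"ts": "2024-03-01T09:10:00Z", "source": "edr", "host": "srv-db-02", "user": "svc_backup", "type": "failed_logon", "src_ip": "10.0.5.21", "severity": "low"}
{"ts": "2024-03-01T10:30:00Z", "source": "edr", "host": "srv-db-02", "user": "svc_backup", "type": "failed_logon", "src_ip": "10.0.5.21", "severity": "low"}
"""

WINDOW = timedelta(minutes=5)   # correlation window for the brute-force rule (assumption)
THRESHOLD = 4                   # failed logons within WINDOW that trigger it (assumption)
INTERNAL_NETS = ("10.", "192.168.", "172.16.")  # crude private-range check, example only


def parse_alerts(text):
    """Parse newline-delimited JSON alerts into dicts with a datetime 'ts', oldest first."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        a = json.loads(line)
        a["ts"] = datetime.strptime(a["ts"], "%Y-%m-%dT%H:%M:%SZ")
        alerts.append(a)
    return sorted(alerts, key=lambda a: a["ts"])


def is_internal(ip):
    return ip.startswith(INTERNAL_NETS)


def containment_for(incident):
    """Map a validated incident to the containment actions an analyst would raise."""
    actions = [f"isolate host {incident['host']} via EDR"]
    if incident.get("src_ip") and not is_internal(incident["src_ip"]):
        actions.append(f"block {incident['src_ip']} on the perimeter firewall")
    return actions


def correlate(alerts):
    """Turn raw tool alerts into validated incidents.

    Rule A: any alert the tool already rates 'high' becomes an incident on its own.
    Rule B: >= THRESHOLD failed logons for the same (host, user, src_ip) inside
            WINDOW become a brute-force incident; a later successful logon from
            the same source raises its priority (likely compromised account).
    """
    incidents = []
    recent = defaultdict(list)   # (host, user, src_ip) -> timestamps of recent failures
    flagged = set()              # keys already escalated under rule B
    for a in alerts:
        key = (a["host"], a.get("user"), a.get("src_ip"))
        if a["severity"] == "high":
            incidents.append({"rule": "A", "priority": "P1", "host": a["host"],
                              "src_ip": a.get("src_ip"), "first_seen": a["ts"],
                              "summary": f"high-severity {a['type']} on {a['host']}"})
        elif a["type"] == "failed_logon":
            window = recent[key]
            window.append(a["ts"])
            # keep only failures that fall inside WINDOW before counting
            recent[key] = window = [t for t in window if a["ts"] - t <= WINDOW]
            if len(window) >= THRESHOLD and key not in flagged:
                flagged.add(key)
                incidents.append({"rule": "B", "priority": "P2", "host": a["host"],
                                  "src_ip": a["src_ip"], "first_seen": window[0],
                                  "summary": f"{len(window)} failed logons for {a['user']} "
                                             f"from {a['src_ip']} within {WINDOW}"})
        elif a["type"] == "logon_success" and key in flagged:
            for inc in incidents:
                if inc["rule"] == "B" and inc["host"] == a["host"] and inc["src_ip"] == a["src_ip"]:
                    inc["priority"] = "P1"
                    inc["summary"] += "; followed by a successful logon"
    for inc in incidents:
        inc["containment"] = containment_for(inc)
    return incidents


def run_pipeline(text=SAMPLE_ALERTS):
    """Monitoring -> detection -> containment proposal, over the constructed sample."""
    return correlate(parse_alerts(text))


if __name__ == "__main__":
    for inc in run_pipeline():
        print(inc["priority"], inc["rule"], inc["summary"])
        for action in inc["containment"]:
            print("   ->", action)
```

On the sample, the two isolated failures on srv-db-02 an hour apart never reach the threshold and produce no ticket, while the burst on ws-017 followed by a successful logon and a high-severity alert yields two P1 incidents with host isolation and a perimeter block as proposed containment; in a real MDR workflow those actions would be approved and executed through the EDR and firewall, not printed.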

The purpose of an MDR is therefore to protect an organization's ICT systems and, above all, the data it processes, by building an effective defensive strategy that starts with security monitoring of the whole ICT infrastructure and extends to the involvement of the affected business departments, so that incidents are resolved as quickly as possible. 

In addition, an MDR provider must also be able to prevent threats by studying the behavior of cybercriminals (threat actors): which vectors they use to carry out attacks, and which tactics and techniques they employ to exploit vulnerabilities. Once these are identified, the company is notified of the risks it faces and preventive measures are put in place to reduce the probability that it falls victim to a cyber attack. 

These prevention activities belong to the domain of Cyber Threat Intelligence and are among those typically delivered by a CERT, an increasingly relevant component of a modern MDR service. A CERT also assists the organization's users with cybersecurity issues, works to prevent future incidents, and promotes a culture of cybersecurity awareness. 

This does not mean that an MDR service must necessarily include CERT services, but their coexistence clearly strengthens both the proactive and the reactive defense capabilities a provider can offer. Likewise, having NOC (Network Operations Center) services within the MDR offering makes containment on the customer's infrastructure more efficient when it requires firewall intervention to isolate network segments suspected of intrusion, and it supports early detection of network traffic anomalies. 

The CERT tasks that an MDR service can benefit from include: 

  • Specialized assistance: CERTs support users who experience or report an IT incident, helping them resolve the problem and restore normal operations. 
  • Research and development: CERTs analyze vulnerabilities and threats affecting ICT systems and develop solutions and tools to mitigate or remove them, often publishing them free of charge on their GitHub repositories. 
  • Training and awareness: CERTs organize courses, seminars, and workshops to train users on cybersecurity and on the best practices they can adopt to protect their data and devices or to avoid falling victim to social engineering attacks (e.g., phishing). 
  • Knowledge sharing: CERTs disseminate information and warnings about ICT security threats and vulnerabilities via websites, bulletins, newsletters, social media and other channels, so that users are aware of existing risks and countermeasures. 

To be clear, a CERT can provide these services whether or not it is part of an MDR service; but when they are embedded in one, they make it more comprehensive and effective for the client organization, which gains a single point of contact for all cybersecurity matters (a one-stop shop). 

What is a CERT 

The term CERT has become a generic name for a team that provides a number of services: cybersecurity incident management (core service), security monitoring, vulnerability management, situational awareness and cybersecurity knowledge sharing.  

Over the years, the role of a CERT has evolved from simply providing incident monitoring and management services to coordinating and communicating with various stakeholders, including different countries and specific market sectors. 

There are different types of CERTs, depending on their constituency, that is, the category of users they serve. National CERTs deal with the cybersecurity of an entire country; in Italy this function is covered by ACN, the National Cybersecurity Agency (Agenzia per la Cybersicurezza Nazionale), which absorbed the pre-existing CERT Nazionale and CERT-PA. 

Then there are regional CERTs, which focus on a specific geographic area, sectoral CERTs, which focus on specific communities on a functional basis (e.g., in Italy the CERT-FIN in the financial sector, etc.), and internal CERTs, which deal with the cybersecurity of an individual organization (e.g., the CERT of Poste Italiane, Banca d’Italia, ENEL, etc.). 

CERTs cooperate nationally and internationally to exchange information and best practices. Organizations that coordinate and support their work include ENISA (the European Union Agency for Cybersecurity), FIRST (Forum of Incident Response and Security Teams), and CERT/CC (CERT Coordination Center), the first CERT, established in 1988 at Carnegie Mellon University in the United States. The CERT name remained a registered trademark of Carnegie Mellon for many years, which is why various institutions adopted similar acronyms (CSIRT, CIRT, SIRT, etc.); only recently has CERT/CC allowed anyone to use the CERT acronym. 

MDR and CERT services offered by Innovery 

Innovery, a leader in the cybersecurity industry, offers an MDR service tailored to its clients, meeting the needs of different types of companies and organizations while significantly reducing costs and considerably raising security levels. The service is supported by Innovery's own CERT, staffed by cybersecurity analysts and engineers who work with a wide range of constantly updated security technologies. 

Innovery's CERT, CERT-INN (www.innovery.net/cert), was established recently by integrating the existing expertise of our SOC with the internal Offensive Security team and launching a series of project initiatives to deliver typical CERT services, including Early Warning, Cyber Awareness, Digital Risk Assessment and Threat Intelligence, in accordance with FIRST's CSIRT Services Framework. 

CERT-INN's main objective is to support the security of Innovery's clients (external constituency), but also that of Innovery's own ICT infrastructure (internal constituency). Accreditation by international CERT coordination bodies such as FIRST and Trusted Introducer is underway. 

In delivering MDR services, above all in the prevention and recovery phases, Innovery draws on its engineering Competence Centers, specialized in the different areas of security (SIEM, SOAR, EDR, NetSec, IAM, PAM, DLP, Data Security, etc.), to support the security operations staff, following a SecOps approach that is particularly effective in meeting customers' ongoing needs for the management and evolution of their existing technologies. 

In addition, Innovery offers NOC services either separately or in conjunction with MDR services. In the latter case it can provide comprehensive, integrated coverage of the client's ICT incident response, covering both cybersecurity incidents and those caused by malfunctions of network infrastructure, systems, and applications. 

Ing. Giancarlo Di Lieto
Head of Defensive Security, Innovery