Managed Detection and Response with a Focus on Known Good

When faced with the prospect of encountering a bad situation, sage advice would say to put preventative measures in place and, where and whenever possible, avoid the probability of "bad" occurring. Preventing a potential physical security incident by deciding not to walk alone down a dark alley in the middle of the night may be possible, but avoiding incidents in cyberspace isn't as easy. Digitalization is a fact of today's business operations, and cyber risks and threats come with it. While companies spend, on average, 18% more on preventative cyber security controls than they do on detective ones[i], with even greater margins over containment or remediation, detection and response capabilities are just as critical (some would say more so) to building a secure and resilient organization.

Businesses have steadily increased their reliance on technology over time. Correspondingly, the cyber attack landscape and the associated risk of compromise have grown, and businesses have had to settle on an appropriate risk calculation. Interestingly, business leaders have dealt with all flavors of risk since time immemorial; it was cyber security practitioners, the fierce protectors of their companies' networks, who saw a more cut-and-dried scenario: either a network, its systems, and its data were free of compromise or they were not. Treating cyber security as a risk to be managed, one whose acceptance may mean accepting that an incident will occur, was harder for security pros to swallow. Yet over time security teams accepted the inevitable (they are the ones on the front lines, after all) and realized that the world needed better detection and response capabilities to keep an incident or breach from growing into something catastrophic.

Less time on the inside

By 2010/2011, mean time to detect (MTTD) and mean time to respond (MTTR) were becoming critical to the security conversation. At the time, the best tools for these efforts were SIEMs and MSSPs, but soon entrepreneurial security practitioners started thinking about building the next big thing: managed detection and response (MDR) platforms that would zero in on finding the proverbial "needles in the haystack."

In 2012, Critical Start was founded to address the detection and response needs its founders saw exploding among enterprises. The company's founder, Rob Davis, felt that other vendors in the space were too focused on compliance and wanted to build an MDR technology that could handle the alert volume and deliver the transparency that security and operations teams craved. With attacks growing more rapid every day and affecting larger parts of companies' infrastructures, Davis and his team built a platform that would be easier to configure than anything they saw on the market at the time and would reduce the alert fatigue so common in security tooling.

Today, Critical Start is a multinational organization offering MDR, incident response, and professional services. TAG Cyber spoke with CTO Randy Watkins about the company's MDR. "Our focus," he told us, "is to decrease the number of alerts. We use advanced data processing techniques to identify 'known good' rather than focusing on 'known bad.' We wiped out the idea of alert prioritization because there is no viable way to address risk with an arbitrary risk ranking." The company's belief is that there is no upside to filtering and ignoring alerts: "medium" and "low" alerts make up 99% of the alerts organizations see, yet the "critical" and "high" categorizations don't always accurately reflect the state of the organization's cyber risk (as was evident in the Home Depot and Equifax breaches, for example).

90% of alerts are similar

The way Critical Start accomplishes high-efficiency, high-accuracy detection is through its Trusted Behavior Registry, a catalog of known-good behaviors accumulated over the years and based on billions of examined alerts. But the efficacy doesn't come from the technology alone, and the company isn't relying on machine learning or AI as a selling point. Instead, Watkins says the company's secret sauce is human investigation by its team of 24x7x365 SOC analysts, who look into every unknown alert and escalate the ones they deem important based on context. Those decisions are then fed back into the registry to further build out baselines and better inform both the platform and the analysts' knowledge.

Watkins described Critical Start's MDR as "tech enabled services that allow human analysts to be more efficient, effective, and add value" to security operations. This approach was not inexpensive to build, but given the model, the effort was mostly front-loaded, he said; today, the company's analysts only need to investigate the roughly 10% of findings that appear as new behaviors, because everything else is already contained in the registry.

This results in faster, more accurate investigations for customers, and Critical Start can point to a 99% customer retention rate to substantiate its method. Another aspect of the offering that keeps customers coming back is the company's "100% Transparency" model, meaning customers are free to view the same data as Critical Start's SOC analysts, giving them the opportunity to see and understand how their events are being handled. Customers may also choose to co-manage the platform rather than handing it over to Critical Start completely.

Integration and enablement

The platform integrates via API with dozens of common alerting and monitoring tools, including SIEM, EDR, DNS, and EPP products, and is deployed as a cloud-based solution. One of the unique aspects of customer support is Critical Start's mobile app, through which most customers interact, said Watkins. Rather than having to sit at a terminal and log in to a dashboard, customers can pull up (or be notified by) the app to view alerts that include details of findings, actions taken by Critical Start's SOC team, and any recommended steps that need to be taken in the customer environment.

A combination of solid technology and the human element makes Critical Start a compelling market solution. Enterprises will like the personalized approach and the transparency provided, plus the fact that the tooling can be as noisy as it needs to be without putting the onus on their own team. The model of "accept no risk" seems in line with the zero trust model so prevalent today, but in reality "no risk" is unattainable. If, however, Critical Start can reduce the noise and decrease attacker dwell time through its Trusted Behavior Registry approach and skilled SOC team, it's a platform worth investigating for increasing security and resiliency in the enterprise.


[i] https://Critical