The world of cyber security is an asymmetric battleground. The attack surface is growing as a result of the growing number of connected devices, malicious apps, the Internet of Things, cloud services and the digitization of business functions. This guest blog from our partners at Masergy goes into further detail on these threats.

Keeping the bad guys out is no longer an option. It’s time for organizations to turn to rapid detection and response. By 2020, 60% of enterprise IT security budgets will be allocated to managed detection and response (MDR). That’s up from less than 30% in 2016, according to Gartner.

Companies are planning to spend more on MDR because attackers are getting in and the goal is to catch them before they can do much damage. The average dwell time, the days between when a compromise is detected and then mitigated, is around 200 days. And close to 70% of breaches are discovered by third parties.

The long tail impact of cyber breaches are many. Once inside a company’s network, hackers can gain persistence by installing backdoor and rootkits across several systems. From there, they can expand access across internal resources and eventually exfiltrate data.

Attack delivery tends to happen quickly in the cyber kill chain, which includes reconnaissance, weaponization, delivery, exploit, installation, command and action. Kudos to businesses whose security prevention tools catch such incursions in any of these stages and stop it cold.

But security experts agree that prevention alone isn’t enough to keep enterprises safe. NIST’s Cyber Security Framework identifies five categories of activities, of which prevention is only one.


Businesses that take prevention efforts without corresponding detection can never be sure that the most critical issues have been addressed. A rebalancing exercise is needed. Detection and response capabilities will typically pay significant dividends in terms of identifying and neutralizing an active threat before it has a chance to do significant damage. And make no mistake – a determined attacker will eventually get into your network.

Organizations are increasingly focusing on detection and response because taking a preventive approach has not been successful in blocking malicious attacks, said Elizabeth Kim, Senior Research Analyst at Gartner. “We strongly advise businesses to balance their spending to include both.”

During the command and control phase of the kill chain, malware is installed and covert network channels are established to evade detection. The software roams the network looking for targets from which to exfiltrate data or to find even more targets. This period presents an opportunity for rapid detection and response to shut these activities down.


Staffing shortages take part of the blame for businesses not being able to detect and react to threats in a timely manner. Security spending will increasingly focus on services in the face of growing threats. It’s especially challenging for mid-sized organizations to put the people, processes and technology in place for rapid detection. Managed security providers have the ability to scale quickly and provide 24×7 monitoring. They also have the personnel expertise to analyze threat behaviors and advise IT departments on the most effective remediation efforts.