minute read
Managed Detection and Response in 2023 (PDF)
Alongside other security solutions, we provide Kaspersky Managed Detection and Response (MDR) to organizations worldwide, delivering expert monitoring and incident response 24/7. The task involves collecting telemetry for analysis by both machine-learning (ML) technologies and our dedicated Security Operations Center (SOC). On detection of a security incident, SOC puts forward a response plan, which, if approved by the customer, is actioned at the endpoint protection level. In addition, our experts give recommendations on organizing incident investigation and response.
In the annual MDR report, we present the results of analysis of SOC-detected incidents, supplying answers to the following questions:
- Who are your potential attackers?
- How do they currently operate?
- How to detect their actions?
The report covers the tactics, techniques and tools most commonly used by threat actors, the nature of high-severity incidents and their distribution among MDR customers by geography and industry.
Security incident statistics for 2023
Security events
In 2023, Kaspersky Managed Detection and Response handled more than 431,000 alerts about possible suspicious activity. Of these, more than 117,000 were analyzed by ML technologies, and over 314,000 by SOC analysts. Of the manually processed security events, slightly under 90% turned out to be false positives. What is more, around 32,000 security alerts were linked to approximately 14,000 incidents reported to MDR customers.
Geographic distribution of users
In 2023, the largest concentration of Kaspersky MDR customers was in the European region (38%). In second place came Russia and the CIS (28%), in third the Asia-Pacific region (16%).
Distribution of incidents by industry
Since the number of incidents largely depends on the scale of monitoring, the most objective picture is given by the distribution of the ratio of the number of incidents to the number of monitored endpoints. The diagram below shows the expected number of incidents of a given criticality per 10,000 endpoints, broken down by industry.
In 2023, the most incidents per 10,000 devices were detected in mass media organizations, development companies and government agencies.
In terms of absolute number of incidents detected, the largest number of incidents worldwide in 2023 were recorded in the financial sector (18.3%), industrial enterprises (16.9%) and government agencies (12.5%).
General observations and recommendations
Based on the analysis of incidents detected in 2023, and on our many years of experience, we can identify the following trends in security incidents and protection measures:
- Every year we identify targeted attacks carried out with direct human involvement. To effectively detect such attacks, besides conventional security monitoring, threat hunting is required.
- The effectiveness of the defense mechanisms deployed by enterprises is best measured by a range of offensive exercises. Year after year, we see rising interest in projects of this kind.
- In 2023, we identified fewer high-severity malware incidents than in previous years, but the number of incidents of medium and low criticality increased. The most effective approach to guarding against such incidents is through multi-layered protection.
- Leveraging the MITRE ATT&CK® knowledge base supplies additional contextual information for attack detection and investigation teams. Even the most sophisticated attacks consist of simple steps and techniques, with detection of just a single step often uncovering the entire attack.
Detailed information about attacker tactics, techniques and tools, incident detection and response statistics, and defense recommendations can be found in the full report (PDF).