The Right Tools for the Job

Building cyber security resiliency through managed detection and response

Written by Jeff Thomas, Author, Partner and Business Unit Leader, Advisory Services, KPMG in Canada

Editor’s Note: This article is reprinted with permission from KPMG. For more great industry insight, visit: https://home.kpmg/ca/en/home/insights.html.

For years, companies have monitored their own digital environments and managed their own detection and analysis of cyber alerts, events, and incidents.  But as cyber attacks become more sophisticated and systems become more complex, organizations need to ask themselves: are we really up to this task?

The challenges of optimal prevention and response are complex.  You can take all the glitches and notifications from network detection and response (NDR) and endpoint detection and response (EDR), try to correlate them to indicators of compromise, and decipher the signs of a criminal infiltration.  You can assemble tools to monitor both networks and endpoints.  But can you really ensure both that you’re up to date and that you’re using all the available knowledge?

I work alongside Amir Roknifard, a Cyber Security Solutions Architect here at KPMG, who says that “what organizations need is managed detection and response (MDR), which allows you to engage not only experts with access to global information but also a resource capable of building that knowledge into detection tools.”

I couldn’t agree more.

NDR or EDR: Which type of detection?

EDR (Endpoint Detection and Response) focuses on endpoint devices or hardware—things like servers, laptops and workstations—or any type of mobile device or tablet.  But here’s the thing: cyber attacks don’t always target endpoints.  Sometimes, the attacks are on the data floating on the network.  For this, teams need to deploy NDR (Network Detection and Response), which monitors ongoing traffic and suspicious behavior within a digital environment.

Amir simplifies it this way: “Both NDR and EDR are used for prevention, detection, and response, and both provide assurance—but at different points.”  Each on its own tries to prevent lateral movement in the victim’s environment; combined, they give the organization protection at both the endpoint and the network.

A proactive approach to detection and analysis

Most public organizations rely on private vendors for their security and may not budget adequately for cyber security.  When considering how much to invest in detection and analysis tools, it’s important that leadership and management teams consider the potential cost of an attack.  With billions of dollars in potential ransoms at stake—not to mention your clients’ valuable data—it seems to me that do-it-yourself cyber security is misguided at best.

Too often, organizations feel the sting of an attack before they realize the gravity of the situation.  In fact, victims of an ongoing attack generally need more than seven months to realize they’ve been compromised and to contain it, before data starts leaking out. Canada is a hot target because three things attract attackers: money, vandalism and politics—and our natural resource extraction industries in particular have all three.

That’s the difference between reactive and proactive organizations. Those already under attack want to know:

  • How many devices are compromised?
  • What data is leaking out?
  • How fast can we stop it?

Proactive organizations ask a different question: How can we know when we are compromised and to what extent?

MDR (Managed Detection and Response) is your smartest course of action.  By bringing information from disparate systems together, MDR facilitates swift, effective, decisive responses.  Knowing what is an attack—and what is not—is key.

Even with the best tools and talent, it can still be nearly impossible to know what’s going on in an environment.  “Complete visibility” just doesn’t exist. Under all the interfaces, at the memory level of the devices, there are opportunities for hostile actors to infiltrate.  Even with retrospective analysis, it can’t always be determined exactly what has happened, because attacks are becoming increasingly sophisticated.

But with MDR, patterns over time and the linkages between the reported event and other events can be more easily recognized.
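The two points above, that EDR and NDR cover different vantage points and that MDR’s value comes from bringing those feeds together and linking one reported event to others over time, can be shown with a small correlation routine.  This is an added illustration, not code from KPMG or from any MDR product.  The two feed formats (key=value lines for EDR, CSV rows for NDR), the detection category names, the hosts and the 30-minute linking window are all constructed for the example.

```python
"""Normalize constructed EDR and NDR detections into one event stream,
build per-host timelines, and link them into candidate lateral-movement chains."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample feeds (not real telemetry).  The EDR agent is assumed to
# emit key=value lines; the NDR sensor is assumed to emit CSV rows.
EDR_LINES = [
    "ts=2024-05-01T09:58:00Z host=ws-17 kind=credential_access detail=lsass_read",
    "ts=2024-05-01T10:06:00Z host=srv-db1 kind=new_service detail=remote_svc",
    "ts=2024-05-01T13:40:00Z host=ws-22 kind=macro_exec detail=office_child_proc",
]
NDR_LINES = [
    "2024-05-01T10:02:00Z,ws-17,srv-db1,lateral_smb",
    "2024-05-01T10:02:30Z,ws-17,srv-db1,remote_service_create",
    "2024-05-01T15:10:00Z,ws-22,203.0.113.9,beacon_periodic",
]


@dataclass(frozen=True)
class Event:
    """One normalized detection, whichever feed it came from."""
    ts: datetime
    feed: str                 # "edr" or "ndr"
    host: str                 # host the event is attributed to (NDR: source)
    kind: str                 # detection category (hypothetical names)
    peer: Optional[str] = None  # NDR only: the other end of the connection


def _parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_edr(line: str) -> Event:
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Event(_parse_ts(fields["ts"]), "edr", fields["host"], fields["kind"])


def parse_ndr(line: str) -> Event:
    ts, src, dst, kind = line.split(",")
    return Event(_parse_ts(ts), "ndr", src, kind, peer=dst)


def build_timelines(events):
    """Group events by host so an analyst sees endpoint and network
    detections for one machine in a single ordered view."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)
        if ev.peer:  # a network flow is evidence for both endpoints
            by_host[ev.peer].append(ev)
    return {h: sorted(evs, key=lambda e: e.ts) for h, evs in by_host.items()}


def find_chains(events, window=timedelta(minutes=30)):
    """Link an NDR lateral-movement flow to EDR activity on the source host
    shortly before it and on the destination host shortly after it.
    A flow with evidence on both ends is far stronger than any single alert."""
    edr = [e for e in events if e.feed == "edr"]
    chains = []
    for net in events:
        if net.feed != "ndr" or not net.kind.startswith("lateral"):
            continue
        precursor = [e for e in edr
                     if e.host == net.host and net.ts - window <= e.ts <= net.ts]
        followup = [e for e in edr
                    if e.host == net.peer and net.ts <= e.ts <= net.ts + window]
        if precursor and followup:
            chains.append({"src": net.host, "dst": net.peer, "pivot": net,
                           "precursor": precursor, "followup": followup})
    return chains


def correlate(edr_lines=EDR_LINES, ndr_lines=NDR_LINES):
    events = [parse_edr(l) for l in edr_lines] + [parse_ndr(l) for l in ndr_lines]
    return build_timelines(events), find_chains(events)


if __name__ == "__main__":
    timelines, chains = correlate()
    for host, evs in sorted(timelines.items()):
        print(host, [f"{e.ts:%H:%M} {e.feed}:{e.kind}" for e in evs])
    for c in chains:
        print(f"chain: {c['src']} -> {c['dst']} via {c['pivot'].kind}, "
              f"{len(c['precursor'])} precursor(s), {len(c['followup'])} follow-up(s)")
```

In the constructed data the credential-access alert on ws-17 and the new service on srv-db1 would each look low-confidence in isolation; only the NDR flow between them, placed on the same timeline, turns them into one chain.  The beacon from ws-22 stays unlinked because no lateral flow touches it, which is the kind of event that still needs a human to decide what it means.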

Weighing your options

The best defence strategy lies in acknowledging that the cybercriminals already know more than you think.  Engaging MDR services from a reputable provider offers extensive support.  And if your MDR provider is the same as your incident response provider, there’s an opportunity for powerful synergy that makes containment and resolution much more effective.

I would, however, caution against making the mistake of thinking that the right tools will do all the work for you.  Tools aren’t intelligent enough to understand and evaluate all the data. After all, a tool is only as good as the hands of the worker using it.  Automated investigations still need humans to interpret information and make decisions at critical points.  And you still need to build, manage, train, test, and update.  Most technology solutions don’t cover everything.  They may support certain operating systems but not others.  Another vendor may cover different aspects or have some overlap.

But unless you’ve got a few billion in loose change—and you’re ready to let your professional reputation walk away with your money—prevention is always better than the cure.


About the Author

Jeff is the Partner-in-charge of the Advisory Services practice in Calgary.  With over 25 years of experience serving publicly accountable entities, primarily in Western Canada, Jeff is focused on delivering Risk Consulting services to enable decision making, resource allocation, and the achievement of organizational objectives.  Jeff has been helping clients manage IT related risk for most of his career. In the past 5 years Jeff has worked extensively on helping clients to manage Cyber Security risks and risks associated with outsourcing of information systems and services.  A key focus of this work is helping clients to understand Cyber Security risks in the business context so that they can properly prioritize, fund, and manage initiatives that reduce Cyber Security risk to an acceptable level.  Jeff is active in the community and is currently the Board Chair of Springboard Performance.


About KPMG

Through helping other organizations mitigate risks and grasp opportunities, KPMG can drive positive, sustainable change for clients, our people and society at large.

KPMG firms operate in 145 countries and territories, and in FY21, collectively employed more than 236,000 people, serving the needs of business, governments, public-sector agencies, not-for-profits and, through KPMG firms’ audit and assurance practices, the capital markets.