What is Managed Detection & Response
The last two questions are particularly important, as the answers determine how much control and visibility you will have over the direction of your new security environment. Alert information needs to be accessible from a single platform, on any device, at any time and place, so that critical threat and response information is always available as events happen.
As you evaluate solutions, it is important to determine whether you are looking at a Managed Security Service Provider (MSSP) or true MDR. An MSSP ingests incident and event data and monitors it 24×7, but its coverage can be overly broad and it does not dig into the underlying causes of alerts. MDR providers use their own SOC, security processes, and infrastructure to investigate alerts and uncover the root causes behind them. Effective MDR providers also have a deeper and more sophisticated response plan in place: they identify both vulnerabilities and threats and then carry out an active, dynamic response to resolve them.
Exactly what information should be fed into an MDR process is an interesting question. Many providers simply ingest data from Endpoint Detection and Response (EDR) tools. These tools primarily hunt for advanced threats on endpoints through activities such as registry monitoring, detecting modifications to file and directory structures, and validating signatures. Their behavioral analysis capability also supports forensics during incident response.
But to be truly effective, MDR must process more. Data from Security Information and Event Management (SIEM) tools is also essential: a SIEM identifies, monitors, records and analyzes security events in real time and provides a comprehensive, centralized view of the security posture of the entire IT infrastructure. It correlates events to add context and to relate them to one another through predefined rules, the environment's architecture, or other alerts, and it adapts to different vendors, data sources and log formats. While many companies neglect SIEM or relegate it to log collection and compliance needs, any MDR approach must be comprehensive enough to make use of the full set of capabilities a SIEM offers.
This comprehensive approach also means using Extended Detection and Response (XDR) to take the output of EDR and SIEM a step further. XDR provides something that is missing from both EDR and even SIEM platforms: context. It joins related alerts into security incidents that tell a story, giving clarity into what is really happening in an environment while requiring fewer resources to reach an actual threat determination. Combining MDR with XDR is the key to operationalizing your security investment and reducing risk acceptance.
The most essential quality of a successful MDR provider is that every alert collected is treated equally. With thousands of alerts pouring in from EDR, SIEM, and XDR tools, many vendors disable detection logic to suppress alerts they feel do not require attention. Others rank alerts by category (critical, high, medium, low or informational) and focus only on the alerts that appear critical, or perhaps high if they have the time.
The problem is that attackers are increasingly detected through SIEM platforms in medium, low and even informational alerts. A top-down approach that works the severity ranking from the top down is simply not sufficient in today's threat environment.
A far more effective strategy is a trust-oriented approach to handling alerts at scale. The MDR vendor works with the client to determine which alerts reflect normal, expected behavior and can be trusted. Resources can then focus on the remaining, suspicious alerts, regardless of how threatening they appear at first, so that every alert gets the attention it deserves.
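To make the trust-oriented triage described above, and the XDR-style joining of related alerts into incidents from the earlier paragraph, concrete, here is an added Python example. It is not Critical Start's code and not the Trusted Behavior Registry product; the alert fields, the registry format, the 30-minute correlation window, the host and user names and the sample alerts are all constructed for the illustration. It runs a severity-first triage and a registry-based triage over the same batch so the difference is visible.

```python
"""Trust-oriented alert triage followed by alert-to-incident correlation.

Added example; it is not Critical Start's code. Alert fields, the registry
format, the correlation window and the sample alerts are all constructed for
the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Alert:
    id: str
    ts: datetime
    source: str    # tool that raised it, e.g. "EDR" or "SIEM"
    severity: str  # vendor-assigned severity, deliberately ignored by the registry
    rule: str      # name of the detection that fired
    host: str
    user: str
    process: str


# Registry of known-good behaviour (constructed). Each entry names a detection
# and the exact combination of fields under which it is expected; every field
# present in the entry must match. Severity is never a match field, so a
# "high" alert from an authorized scanner is trusted while a "low" alert from
# the same detection under an unexpected user is not.
TRUSTED_BEHAVIOR_REGISTRY = [
    {"rule": "psexec_remote_exec", "user": "svc_sccm", "process": "sccm_agent.exe",
     "owner": "endpoint-mgmt", "rationale": "SCCM software deployment"},
    {"rule": "port_sweep", "host": "SCANNER01",
     "owner": "vuln-mgmt", "rationale": "weekly authorized vulnerability scan"},
]
MATCH_FIELDS = ("rule", "host", "user", "process")


def is_trusted(alert: Alert) -> bool:
    """True if some registry entry matches the alert on every field it specifies."""
    return any(
        all(getattr(alert, f) == entry[f] for f in MATCH_FIELDS if f in entry)
        for entry in TRUSTED_BEHAVIOR_REGISTRY
    )


def triage(alerts):
    """Split alerts into trusted (registry hit) and suspicious (everything else)."""
    trusted = [a for a in alerts if is_trusted(a)]
    suspicious = [a for a in alerts if not is_trusted(a)]
    return trusted, suspicious


def top_down_filter(alerts, minimum="high"):
    """What a severity-first triage would look at: only alerts at or above `minimum`."""
    return [a for a in alerts if SEVERITY_RANK[a.severity] >= SEVERITY_RANK[minimum]]


def correlate(alerts, window=timedelta(minutes=30)):
    """Chain alerts into incidents: an alert joins an open incident if it arrives
    within `window` of that incident's latest alert and shares a host or a user
    with any alert already in it; otherwise it opens a new incident."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for inc in incidents:
            if a.ts - inc[-1].ts <= window and any(
                a.host == b.host or a.user == b.user for b in inc
            ):
                inc.append(a)
                break
        else:
            incidents.append([a])
    return incidents


def max_severity(incident):
    """Highest vendor severity among an incident's alerts."""
    return max(incident, key=lambda a: SEVERITY_RANK[a.severity]).severity


T0 = datetime(2024, 3, 4, 10, 0)
SAMPLE_ALERTS = [  # constructed sample data, not real telemetry
    Alert("A1", T0, "SIEM", "low", "psexec_remote_exec", "WS01", "svc_sccm", "sccm_agent.exe"),
    Alert("A2", T0 + timedelta(minutes=2), "SIEM", "informational", "new_local_admin_logon", "WS07", "jdoe", "winlogon.exe"),
    Alert("A3", T0 + timedelta(minutes=5), "EDR", "medium", "lsass_handle_open", "WS07", "jdoe", "procdump64.exe"),
    Alert("A4", T0 + timedelta(minutes=9), "SIEM", "low", "psexec_remote_exec", "SRV02", "jdoe", "psexec.exe"),
    Alert("A5", T0 + timedelta(minutes=15), "SIEM", "high", "port_sweep", "SCANNER01", "svc_nessus", "nessusd"),
    Alert("A6", T0 + timedelta(minutes=90), "EDR", "low", "scheduled_task_created", "WS07", "jdoe", "schtasks.exe"),
]


def summarize(alerts=SAMPLE_ALERTS, window=timedelta(minutes=30)):
    """Run both triage models over the alerts and return what each would surface."""
    trusted, suspicious = triage(alerts)
    incidents = correlate(suspicious, window)
    return {
        "trusted": [a.id for a in trusted],
        "top_down_high_and_above": [a.id for a in top_down_filter(alerts)],
        "incidents": [{"alerts": [a.id for a in inc], "severity": max_severity(inc)}
                      for inc in incidents],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(), indent=2))
```

On this batch the severity-first queue surfaces only A5, which is the authorized scanner, while the registry-based triage trusts A1 and A5 and hands everything else to correlation, which joins A2, A3 and A4 (informational, medium, low) into one incident on WS07 and SRV02 under jdoe, a credential-dump-then-lateral-movement story that never rises above medium. Note that registry entries match on a full field combination, so A4, the same psexec detection under a different user and binary, is not suppressed; and the window closes the first incident before A6 arrives, which keeps stale activity from being silently absorbed.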
If an MDR firm has the right team, tools, methodology, and process to protect your organization, over 99 percent of security alerts should be resolved effectively.
We have also found that many companies accept dwell times of 100 days or more. Dwell time here means the span from first detection of an incident to its final resolution; note that the term is more commonly used for the span from initial compromise to detection, with detection-to-resolution usually reported as time to respond. With the right MDR in place, we have found that this time should average 22 minutes.
The Critical Start approach to MDR follows the strategies outlined here through an industry-first combination of the following:
Once you have selected an MDR partner, there are several things to keep in mind to ensure a successful relationship. Your partner must be willing to work with you to develop a registry of known-good, safely trusted alerts so that the MDR team knows exactly where to focus its attention. They need to clearly define roles and processes so that both the partner's team and your internal teams understand the relationship and can perform at their best. They need to provide thorough training and a constant point of contact so that everyone in your organization is comfortable with the level of protection provided. And your partner must be ready to evolve constantly to help you stay ahead of a shifting threat landscape.
CRITICALSTART® and MOBILESOC® are federally registered trademarks owned by Critical Start. Critical Start also claims trademark rights in the following: Cyber Operations Risk & Response™ platform, and Trusted Behavior Registry®. Any unauthorized use is expressly prohibited.