By: David S.
MANAGE. DETECT. RESPOND.
In any organization that uses computers to manage or operate their business, there is inherent risk of a cyber incident. The level of risk can vary based on the structure of systems, controls in place, the storage or transfer of sensitive information (e.g. financial, personal, health, or intellectual property), or how critical the systems are to the success of operations.
Cybersecurity protects data, networks, and devices from cyber threats. Common threats include ransomware, malware, and denial-of-service attacks, which can cause financial or reputational damage to an organization or personal harm to people. Most computers have intrinsic, basic layers of security that protect data and information from being exploited by attackers; however, these layers are not always sufficient to guard against social engineering (phishing), misconfigurations, or other unknown vulnerabilities in systems. The following analogy shows how Managed Detection and Response, or MDR, is a modern, proactive approach to cybersecurity that helps maintain a secure environment in an evolving threat landscape.
What is MDR?
Let’s break it down by imagining your computer as a house.
1. The fence around the house is the firewall, the first layer of defense. This is going to keep some threats out but those with some athletic ability can hop the fence undetected or find a hole in the side to break in.
2. Continuing with our comparison, a dog represents the antivirus. They are trained to keep an eye on known potential threats while growling and biting to get rid of them. Dogs can be trusted companions; however, they are not always the perfect guardian. Sometimes they enjoy barking and chasing rabbits.
3. Next, you have the alarm systems, surveillance cameras, and motion sensors as the endpoint detection and response (EDR) sensor (more on EDR below) around and inside the house. This can alert you to movement or intruders but is a tool that needs to be constantly monitored to get value. You need to make sure this technology is detecting the right alerts while disregarding known routine activities.
4. Further, your home’s own experienced professional security guard is the MDR agent, monitoring in and around your home day and night with vast knowledge of how intruders behave. Using the EDR sensor and detector technology, they can analyze potential threats or suspicious activity. This security expert will not bother you with squirrels running around your house or birds landing on your roof (false positives). If there is a break-in, the security professional will validate the threat, respond immediately, and advise on further actions. They will stop the trespasser from getting closer to your family, investigate the situation, and advise on steps to return your home to a secure state. MDR is a proactive approach to security that gives you confidence that your home (computer) is more secure and minimizes both the likelihood and the impact of a breach.
5. Now imagine the impact of security guards at every house within your neighborhood (network), similar to a Neighborhood Watch program. The group of alarm systems, surveillance cameras, motion sensors (EDR sensor) and security guards interact directly with the satellite control center (MDR solution) that provides oversight and comprehensive protection management. The control center receives this intel for analysis and in turn provides security guards with new insights and ongoing training to stay up-to-date on the latest threat behavior. Furthermore, each residence benefits from what is learned or experienced from issues at other homes and in other neighborhoods managed by the same MDR solution.
Managed Detection and Response (MDR) is an always-on security service that combines human expertise and technology to monitor, identify, and respond to cyber threats in real-time.
How does MDR work?
24x7x365 Extension of Your Team / Resources
MDR provides around-the-clock eyes on the events happening across endpoints (desktops, laptops, servers), which many companies do not have the capability to do themselves. Endpoints are key vulnerable points of entry and often the target of a cybercriminal's attack. Organizations may lack the staffing, expertise, or resources to monitor these devices, so acquiring this service gives them continuous coverage they did not have before. It also frees staff to focus on tasks better suited to business objectives.
Behavior-Based Monitoring
MDR, unlike traditional anti-virus (AV), focuses on monitoring suspicious behaviors or patterns rather than simple rule-based signatures. AV signatures only protect against “known bad,” so what happens when threat actors develop something new? It is not “known bad,” so legacy AV is not going to cut it. With emerging vulnerabilities or misconfigurations, the attackers can bypass AV or firewalls to gain a foothold and move around unseen. This is another facet that MDR addresses by detecting this behavior. A robust MDR provider is constantly developing its own custom detectors and deploying updates to deal with emerging threat behaviors.
Eliminate Alert Fatigue
MDR will investigate and triage all alerts, communicating only what is actionable and validated as a security issue. This filters out false positives so that companies only need to be alerted to legitimate security concerns.
Immediate Response
MDR can provide response capabilities to instantly isolate issues, begin investigation, and assist with remediation activities to reduce impact from incidents. This ensures that the malware or ransomware is removed, the point of entrance can be closed, intruders are ejected, and endpoints are returned to a known good state.
MDR vs EDR
Endpoint Detection and Response (EDR) is part of the technology set used by MDR providers. In short, EDR is the tool and MDR is the human cybersecurity expertise element with established processes to monitor and respond with deep security knowledge. EDR records and stores behaviors/events on endpoints into analysis systems. When an anomaly is detected, it is sent to the security team for human investigation. EDR gives security teams the ability to use more than just signatures to gain a better understanding of what is happening in their environment. MDR takes this solution a step further by managing the technology and enhancing the detection and response capabilities.
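The following is an added illustration, not code from Soteria or any EDR product, of the two ideas above: a signature check that only knows "known bad" hashes versus a behavioral rule that keys on how processes act (here, an office application launching a scripting host), plus the triage step that suppresses validated routine activity so only actionable alerts are escalated. The events, hashes, process names and the "IT inventory script" exception are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed EDR-style process-creation events (sample data, not real telemetry).
@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str      # image name of the parent process
    image: str       # image name of the newly created process
    cmdline: str
    sha256: str      # hash of the executable that was started

def fake_hash(label: str) -> str:
    """Stand-in for a file hash, derived from a constructed label; not a real sample."""
    return hashlib.sha256(label.encode()).hexdigest()

# Signature approach: only hashes that are already "known bad" are detected.
KNOWN_BAD = {fake_hash("constructed-dropper-v1")}

# Behavioural approach: an office/mail application spawning a scripting host is
# suspicious no matter which binary is involved or whether its hash is known.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Routine activity already validated by an analyst (assumed IT inventory job).
ROUTINE = {("explorer.exe", "powershell.exe", "C:\\IT\\inventory.ps1")}

def signature_hit(ev: ProcEvent) -> bool:
    return ev.sha256 in KNOWN_BAD

def behavior_hit(ev: ProcEvent) -> Optional[str]:
    if ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SCRIPT_HOSTS:
        return "office-app-spawned-script-host"
    return None

def is_routine(ev: ProcEvent) -> bool:
    return any(ev.parent == p and ev.image == i and s in ev.cmdline for p, i, s in ROUTINE)

def triage(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return only alerts worth escalating as (host, reason); routine activity is dropped."""
    alerts = []
    for ev in events:
        if is_routine(ev):
            continue                      # known-good pattern: no alert, no noise
        if signature_hit(ev):
            alerts.append((ev.host, "known-bad-hash"))
        elif (rule := behavior_hit(ev)):
            alerts.append((ev.host, rule))
    return alerts

SAMPLE = [
    ProcEvent("pc-01", "explorer.exe", "update.exe", "update.exe", fake_hash("constructed-dropper-v1")),   # blocklisted hash
    ProcEvent("pc-02", "winword.exe", "powershell.exe", "powershell.exe", fake_hash("constructed-dropper-v2")),  # repacked: hash unknown
    ProcEvent("pc-03", "explorer.exe", "powershell.exe", "powershell C:\\IT\\inventory.ps1", fake_hash("signed-script")),  # routine
    ProcEvent("pc-04", "explorer.exe", "winword.exe", "winword report.docx", fake_hash("word")),  # ordinary use
]
```

Running `triage(SAMPLE)` escalates only pc-01 (caught by signature) and pc-02 (missed by signature, caught by behaviour); the routine script on pc-03 and the normal document open on pc-04 produce nothing.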
MDR vs MSSP
Managed Security Service Providers (MSSPs) attempt to cover a large number of products or applications, so none of them receives comprehensive protection. MSSPs do not typically have trained responders, so they are unable to provide in-depth security insights. When an alert appears, they lack the expertise or response capability, so they will simply forward the alert to the client. MDR leverages the knowledge of expert incident responders and detection analysis to communicate validated issues to the client and assist with response activities.
Soteria MDR
Soteria’s full-service MDR utilizes the expertise of our security team to guard against endpoint threats. We develop and continuously update custom detectors to defend against emerging malicious attacks. Soteria professionals monitor endpoint activity, perform detection analysis and filter out the noise. During an incident, we provide immediate response through containment and assist with remediation, all while only communicating actionable security issues, so that you can focus on your business.