Emerging from the traditional managed security service provider (MSSP) model, Managed Detection and Response (MDR) is an answer to the fact that threat actors have increased their ability to circumvent traditional detection measures. As early as 2011, MDR emerged (uncategorized at the time) with a single guiding principal: Acknowledge that a breach will happen. When it does, minimize threat actor dwell time to reduce risk.
However, as the MDR market has evolved, four criteria remain constant as key to minimizing threat actor dwell time in the event of a breach: visibility, fidelity, detection capabilities and response. When these criteria are measured against in-house resources, risk tolerance and available budget, they can be used to choose the appropriate MDR vendor based on your organizational requirements.
To help organizations make an informed cybersecurity solutions choice, eSentire has authored, The Definitive Guide to Managed Detection and Response (MDR) (and this blog series) which examines seven categories of MDR providers, measured across four criteria, which include:
- Visibility: Signal sources such as endpoints, IPS/IDS, logs, cloud, vulnerabilities, etc.
- Fidelity: The depth of information provided by each of the signal sources
- Detection capabilities: Ability for the provider to detect known and unknown attacker methodologies using commoditized and advanced methodologies
- Response: Delineation of provider and client responsibilities from investigation, alert, containment and recovery
MDR Category #2 – EDr aka ED-Little-r (Single Telemetry)
EDr vendors are a viable option for organizations that have in-house resources to correlate data from other signal sources to confirm, triage and contain threats in a timely manner.
Profile
Endpoint Detection Response (EDR) and MDR are used interchangeably by many Managed Endpoint Detection and Response providers. EDR—or in this case ED-little-r (EDr)—is a subset of the MDR market providing expertise focused solely on endpoint.
Providers in this space typically emerged as software vendors that have since added SOCs with deep-level expertise specific to managing and monitoring proprietary technology.
As a category, EDr providers offer advanced detection capabilities for endpoint threats; however, the majority of theIR Lifecycle—including containment—is the client’s responsibility.
EDr vendors are a viable option for organizations looking for endpoint monitoring and detection and that have in-house resources to correlate data from other signal sources to confirm, triage and contain threats in a timely manner.
Coverage
- Process visibility
- East/West (internal/lateral)
Strengths
- Use of best-in-class endpoint technology
- Can offer bring your own endpoint technology model (i.e., BYO)
- Can include endpoint prevention under singular agent, eliminating redundancy
- High level of expertise contextual to endpoint
- Advanced endpoint threat detection capabilities Deep-level fidelity into endpoint (e.g., process, binary, etc.)
- Limited false positives
- Integrated remediation recommendations
- Deep-level portal visibility into endpoint
- Can include integrated response capabilities, which can be enacted from the client side within provider’s portal
- Lower cost
Weaknesses
- Commonly represents newer, inexperienced entrants to MDR market
- Unproven SOCs
- Reliance on single security signal
- High client-side resources required to complete investigation, correlation and confirmation of threat presence
- No visibility beyond endpoint
- No signal fidelity outside of endpoint
- Hunting capabilities limited to endpoint only
- Response support limited to endpoint only
- Requires client-side response team for stages outside of IR Lifecycle coverage
- Limited scope can lead to longer threat actor dwell time
Questions and considerations:
- Does endpoint data alone provide appropriate visibility across current and future network infrastructure?
What else is required to manage and provision to complete missing visibility? - Does the endpoint data captured provide the appropriate depth of data to cover our contextual threat landscape?
- Does the provider have integrated automated response for known threats available via APIs?
- How will our team correlate endpoint data with data from technologies across the network? Do we have adequate internal resources to do so?
- How can data be ingested into existing technologies and processes to facilitate additional investigation?
- Does the provider have adequate detection capabilities to enable detection of known and unknown threats?
While this blog provides a snapshot of one category of MDR, the intricacies and interdependencies are the varying types is complex. To learn more about the strengths and weaknesses for each of the seven MDR categories and how you can make an informed decision about what MDR solution best suits your organization, download The Definitive Guide to Managed Detection and Response (MDR) here: https://www.esentire.com/resource-library/the-definitive-guide-to-managed-detection-and-response-mdr
