Blog | Dec 06, 2019

The Seven Categories of MDR - #3 – MD-Little-r (Multiple Telemetry)

Emerging from the traditional managed security service provider (MSSP) model, Managed Detection and Response (MDR) is an answer to the fact that threat actors have increased their ability to circumvent traditional detection measures. As early as 2011, MDR emerged (uncategorized at the time) with a single guiding principal: Acknowledge that a breach will happen. When it does, minimize threat actor dwell time to reduce risk.

However, as the MDR market has evolved, four criteria remain constant as key to minimizing threat actor dwell time in the event of a breach: visibility, fidelity, detection capabilities and response. When these criteria are measured against in-house resources, risk tolerance and available budget, they can be used to choose the appropriate MDR vendor based on your organizational requirements.

To help organizations make an informed cybersecurity solutions choice, eSentire has authored, The Definitive Guide to Managed Detection and Response (MDR) (and this blog series) which examines seven categories of MDR providers, measured across four criteria, which include:

  • Visibility: Signal sources such as endpoints, IPS/IDS, logs, cloud, vulnerabilities, etc.
  • Fidelity: The depth of information provided by each of the signal sources
  • Detection capabilities: Ability for the provider to detect known and unknown attacker methodologies using commoditized and advanced methodologies
  • Response: Delineation of provider and client responsibilities from investigation, alert, containment and recovery

MDR Category #3 – MD-Little-r (Multiple Telemetry)
MDr-MT is a viable option for organizations that are trying to balance restricted budgets with wider network visibility and that have existing in-house response capabilities.

Profile
MDr (Multiple Telemetry), or MDr-MT, represents the majority of the MDR market today. Vendors in this space leverage multiple telemetry sources but fall short of full stack visibility across on- premises and cloud environments. Typical combinations seen in the MDr-MT space are:

  • Endpoint and log (most common)
  • Endpoint and network
  • Network and log

Vulnerability visibility and integration into detection and response processes vary from provider to provider, as does cloud visibility beyond cloud-based endpoints and logs. Vendors in the space typically utilize machine learning and behavioral analysis software to process large amounts of data to look for unknown threats.

Coverage of the IR lifecycle is limited and incident response retainers are typically available for clients in the event of an incident that cannot be handled in-house. MDr-MT is a viable option for organizations that are trying to balance restricted budgets with wider network visibility and that have existing in-house response capabilities.

Coverage

Varies, but typically two of the following options (note that cloud visibility outside of endpoints, logs and vulnerability varies by provider):

  • Endpoint: process visibility, East/West (internal lateral)
  • Network: things in motion, ingress/egress
  • Log: breadth across network signals and technologies

Strengths

  • Higher level threat expertise than SOCaaS and EDr models
  • Historically proven vendors in the MDR marketspace
  • Use of best-in-class technologies, typically SIEM plus EDR
  • Higher level of visibility compared to SOCaaS and Edr models
  • Able to correlate multiple signals to arrive at more
  • informed decisions
  • More advanced threat detection capabilities that SOCaaS or EDr models
  • Has some degree of integrated machine learning and behavioral processes
  • Deep-level fidelity into endpoint
  • Improved ability to limit false positives
  • Integrated remediation recommendations
  • Deep-level portal visibility
  • Typically supports multiple regulatory measures

Weaknesses

  • Higher level service cost compared to EDr and SOCaaS
  • Client-side resources required to complete investigation, correlation and confirmation of threat presence
  • Client-side resources required for containment and response • Limited visibility in comparison to MDr (Full Telemetry)
  • Limited signal fidelity in certain network components
  • Limited inclusion of active and proactive threat hunting
  • Limited IR Lifecycle coverage
  • Limited scope can lead to longer threat actor dwell time

Questions and considerations:

  • Does included visibility appropriately account for our current and future network infrastructure? What else is required that will have to be managed and provisioned?
  • Does the level of data captured provide the appropriate depth contextual to our threat landscape?
  • Do we have adequate budget for the provider’s services and in-house requirements without sacrificing our overall security posture in other critical areas?
  • Does the provider have integrated automated response for known threats available via APIs?
  • Does the provider have adequate detection capabilities to enable detection of known and unknown threats

While this blog provides a snapshot of one category of MDR, the intricacies and interdependencies are the varying types is complex. To learn more about the strengths and weaknesses for each of the seven MDR categories and how you can make an informed decision about what MDR solution best suits your organization, download The Definitive Guide to Managed Detection and Response (MDR) here: https://www.esentire.com/resource-library/the-definitive-guide-to-managed-detection-and-response-mdr

Akash Malhotra

Akash Malhotra

Technical Developer/Writer

With diverse knowledge of computer security, threat intelligence and front-end web development, Akash has worked with developing and documenting API libraries with Cymon.io, our open source threat intelligence aggregator.