Emerging from the traditional managed security service provider (MSSP) model, Managed Detection and Response (MDR) is an answer to the fact that threat actors have increased their ability to circumvent traditional detection measures. As early as 2011, MDR emerged (uncategorized at the time) with a single guiding principal: Acknowledge that a breach will happen. When it does, minimize threat actor dwell time to reduce risk.
However, as the MDR market has evolved, four criteria remain constant as key to minimizing threat actor dwell time in the event of a breach: visibility, fidelity, detection capabilities and response. When these criteria are measured against in-house resources, risk tolerance and available budget, they can be used to choose the appropriate MDR vendor based on your organizational requirements.
To help organizations make an informed cybersecurity solutions choice, eSentire has authored, The Definitive Guide to Managed Detection and Response (MDR) (and this blog series) which examines seven categories of MDR providers, measured across four criteria, which include:
- Visibility: Signal sources such as endpoints, IPS/IDS, logs, cloud, vulnerabilities, etc.
- Fidelity: The depth of information provided by each of the signal sources
- Detection capabilities: Ability for the provider to detect known and unknown attacker methodologies using commoditized and advanced methodologies
- Response: Delineation of provider and client responsibilities from investigation, alert, containment and recovery
MDR Category #4 – MD-Little-r (Full Telemetry)
MDr-FT is a viable option for organizations looking for complete threat coverage across all environments and that have in-house capabilities to complete the IR lifecycle.
MDr (Full Telemetry), or MDr-FT, encompasses complete visibility across an organization’s potential threat landscape. Whether on-premises, cloud or hybrid, MDr-FT providers have the capability to adapt visibility and detection wherever workloads reside.
Importantly, vendors in this space have complete visibility and typically deliver full fidelity including log, NetFlow, PCAP, endpoint, vulnerability and cloud data outside of logs.
MDr-FT providers are commonly established in the MDR market, with proven advanced detection capabilities supported by machine learning and behavioral processes. MDr-FT has the potential to deliver full coverage; however, the cost can escalate as visibility increases, putting more technologies in play and greater burden on SOC analysts.
MDr-FT is also limited in IR Lifecycle coverage, putting responsibility on the client for timely threat containment. This category is a viable option for organizations looking for complete threat coverage among on-premises and cloud workloads and that have in-house capabilities to complete the IR Lifecycle.
- Endpoint: process visibility, East/West (internal lateral)
- Network: things in motion, ingress/egress
- Log: breadth across network signals and technologies
- Cloud (beyond logs)
- High level of expertise across multiple telemetry • Typically a highly proven MDR vendor
- Use of best-in-class technologies
- Complete visibility across attack surface
- Able to correlate multiple signals
- Integrated advanced threat detection capabilities
- Integrated machine learning and behavioral processes • Deep-level fidelity
- Limited false positives
- Integrated remediation recommendations
- Deep-level portal visibility
- Supports multiple regulatory measures
- High client-side resources required for containment and response
- Higher service cost compared to SOCaaS, EDr and MDr-MT models
- Limited IR Lifecycle coverage
- Possibility of longer threat actor dwell time due to client-side requirements
Questions and considerations:
- Do we have adequate budget for the provider’s services and in-house requirements without sacrificing our overall security posture in other critical areas?
- Does the provider have integrated automated response for known threats available via APIs?
- Does the provider have adequate detection capabilities to enable detection of known and unknown threats?
- Do we have the internal resources required to hunt, to correlate data from the provider with existing data from other technologies, to conduct forensic investigation and to confirm threat presence in a timely manner?
- What in-house resources are required to quickly contain a confirmed threat, including people, process and technology?
While this blog provides a snapshot of one category of MDR, the intricacies and interdependencies are the varying types is complex. To learn more about the strengths and weaknesses for each of the seven MDR categories and how you can make an informed decision about what MDR solution best suits your organization, download The Definitive Guide to Managed Detection and Response (MDR) here: https://www.esentire.com/resource-library/the-definitive-guide-to-managed-detection-and-response-mdr