Blog — Apr 15, 2021

What is Digital Forensics and How Does it Relate to Incident Response?

Understanding the Relationship Between Managed Detection and Response (MDR), Incident Response (IR) and Digital Forensics (DF)

At eSentire we pride ourselves on being the Authority in Managed Detection and Response (MDR) services. When your preventative security controls fail – and they will – we’re there to contain and disrupt threats before they become business-impacting events.

Every cybersecurity professional understands that there is no end to cyber risk and, of course, there is no perfect end state when it comes to cybersecurity. We’re on a continuous improvement journey together and “perfect security” simply doesn’t exist.

Our objective is to prevent a security incident that may impact your organization’s critical assets and overall ability to operate – mitigating legal, regulatory and reputational consequences. It’s imperative that you invest in a capability to disrupt and respond to threats, and it is equally critical that you plan ahead for the worst-case scenario. If a threat actor is successful in achieving their mission and solidifying their presence within your environment, having a Digital Forensics and Incident Response (DFIR) team engaged and on retainer is the most time- and cost-effective way to reduce the impact of a breach.

As our Chief Services Officer, Bryan Sartin, says in a post at the Cloud Security Alliance, “In the midst of a crisis, you need to move quickly — and with purpose. Big decisions need to be made, and it’s important to be decisive. It’s not the time to Google ‘best practices for responding to a data breach.’”

eSentire has the digital forensics and incident response expertise to support your security response needs end to end, from threat detection and investigation through response and, when required, complete incident handling. But you may be wondering…

What is Digital Forensics?
How is Incident Response different from Managed Detection and Response?
How do you know which team to engage when?

Managed Detection and Response (MDR), Incident Response (IR) and Digital Forensics (DF)

Safeguarding against threats, investigating incidents and responding to them can involve several security activities:

These services are largely distinct, occasionally intersecting and frequently interdependent—for each, it’s important to understand what it is, and what it isn’t, so you can ensure your organization has the necessary capabilities and provider relationships in place before an incident arises.

What is Managed Detection and Response (MDR)?

“Managed Detection and Response” was officially coined in 2016, when Gartner released its inaugural Gartner Market Guide for Managed Detection and Response Services[i]. This report described an emerging category of security service providers (specifically profiling 12 of them, including eSentire, as representative vendors) that “improve threat detection monitoring and incident response capabilities via a turnkey approach to detecting threats that have bypassed other controls.”

However, in terms of functionality and outcomes, MDR existed well before 2016. For example, eSentire was providing “Collaborative Threat Management” and “Embedded Incident Response” services as far back as 2001. We believe in multi-signal managed detection and response, powered by our cloud-native XDR platform and 24/7 threat hunting. Put simply, we hunt, contain and disrupt threats that bypass your preventative controls, so you don’t have a business-impacting event.

What is Incident Response (IR)?

Incident Response (IR) focuses on understanding and investigating security incidents, limiting their effects, assisting with recovery efforts and ensuring your organization is better prepared for the future.

In practice, there’s some overlap between the “response” services included within MDR and IR:

Because timing is crucial to containment, investigation and recovery, it’s essential that companies have an IR partner on retainer—you simply don’t have the time or cycles to look for an IR provider when an incident is unfolding.

An effective IR function depends upon having cybersecurity tools in place proactively. These tools provide the response team, which includes members of your own organization and your IR partner, with the capabilities needed to contain and investigate incidents and to restore information and systems.

Just as important to a successful response is having well-defined IR processes, which clarify roles and provide clear instructions for everyone involved while also ensuring you’re able to fulfill notification requirements (whether contractual or regulatory).

What is Digital Forensics (DF)?

Digital forensics is a branch of forensic science that focuses on acquiring, analyzing and reporting on evidence from digital systems.

The field has existed since at least the late 1970s, gained traction within law enforcement agencies starting in the early 2000s and rose to greater prominence in recent years as international standards and training programs emerged.

As the diversity and impact of cyberthreats have grown, digital forensics has become increasingly common in support of evidence handling and root cause analysis. While DF often appears within cybersecurity and incident response plans, it is not limited to cybercrime; for instance, investigating workplace harassment is an unfortunately common use case.

Working in synergy

Organizations looking to improve their overall threat response and incident resolution capabilities need to find a balance between MDR, IR and DF services:

The combination of all three services can be critical not only to threat detection, security incident resolution and security program improvement, but also when adhering to regional or industry-specific compliance requirements relating to managing incidents and notifying third parties.

What constitutes an “incident”?

In cybersecurity, an “incident” could be as simple as a laptop being lost or a violation of security policies. Or it can be as complex as an advanced persistent threat in which an embedded attacker conducts prolonged cyberespionage or extracts personally identifiable information before suddenly encrypting critical information and making vital systems inoperable.

How you respond to an incident is very much dependent on the nature of the incident itself. For instance, eSentire’s Pragmatic Security Event Management Playbook includes incident response playbooks for 14 different security event types:

As an example, pictured below is the recommended process for responding to ransomware incidents. Of course, it’s important to note that each organization differs in culture, hierarchy, critical data and systems. As such, it is vital that this framework be modified to customize the actions your organization needs to take.

To make sure everyone is on the same page, we recommend aligning with your Incident Response provider to define what “incident” means; that way, all parties involved know when it’s appropriate to use the term and when to invoke Incident Response playbook actions.

Conclusions

It should go without saying—but allow us to reiterate—that organizations must have the ability to detect and respond to threats. eSentire also highly recommends engaging a service provider for emergency preparedness planning and Incident Response support.

Managed Detection and Response, Digital Forensics and Incident Response are vital parts of an overall response capability. The right security provider will be able to assist your organization with assessing your needs and defining your policies, plans and procedures, all of which are crucial to ensuring that you can respond to incidents effectively, efficiently and consistently.

To learn more about eSentire’s approach to Incident Response, read Bryan’s latest blog: Planning Through Recovery: Five Things to Keep in Mind.

To learn more about eSentire’s approach to Managed Detection and Response services, visit https://www.esentire.com/what-we-do or contact a security specialist today at https://www.esentire.com/get-started


[i] Market Guide for Managed Detection and Response Services, Toby Bussa, Craig Lawson, Kelly M. Kavanagh, 10 May 2016
