Blog — Apr 15, 2021

What is Digital Forensics and How Does it Relate to Incident Response?

Understanding the Relationship Between Managed Detection and Response (MDR), Incident Response (IR) and Digital Forensics (DF)

At eSentire we pride ourselves on being the Authority in Managed Detection and Response (MDR) services. When your preventative security controls fail – and they will – we’re there to contain and disrupt threats before they become business-impacting events.

Every cybersecurity professional understands that there is no end to cyber risk and, of course, there is no perfect end state when it comes to cybersecurity. We’re on a continuous improvement journey together and “perfect security” simply doesn’t exist.

Our objective is to prevent a security incident that may impact your organization’s critical assets and overall ability to operate – mitigating legal, regulatory and reputational consequences. It’s imperative that you invest in a capability to disrupt and respond to threats, and it is equally critical that you plan ahead for the worst-case scenario. If a threat actor is successful in achieving their mission and solidifying their presence within your environment, having a Digital Forensics and Incident Response (DFIR) team engaged and on retainer is the most time- and cost-effective way to reduce the impact of a breach.

As our Chief Services Officer, Bryan Sartin, says in a post at the Cloud Security Alliance, “In the midst of a crisis, you need to move quickly — and with purpose. Big decisions need to be made, and it’s important to be decisive. It’s not the time to Google ‘best practices for responding to a data breach.’”

eSentire has the digital forensics and incident response expertise to support your security response needs end to end: threat detection, investigation and response, and, when required, complete incident handling. But you may be wondering…

What is Digital Forensics?
How is Incident Response different from Managed Detection and Response?
How do you know which team to engage when?

Managed Detection and Response (MDR), Incident Response (IR) and Digital Forensics (DF)

Safeguarding against threats, investigating incidents and responding to them can involve several security activities: Managed Detection and Response (MDR), Incident Response (IR) and Digital Forensics (DF).

These services are largely distinct, occasionally intersecting and frequently interdependent—for each, it’s important to understand what it is, and what it isn’t, so you can ensure your organization has the necessary capabilities and provider relationships in place before an incident arises.

What is Managed Detection and Response (MDR)?

“Managed Detection and Response” was officially coined in 2016, when Gartner released its inaugural Market Guide for Managed Detection and Response Services[i]. This report described an emerging category of security service providers (it specifically profiled 12 of them, including eSentire, as representative vendors) that “improve threat detection monitoring and incident response capabilities via a turnkey approach to detecting threats that have bypassed other controls.”

However, in terms of functionality and outcomes, MDR existed well before 2016. For example, eSentire was providing “Collaborative Threat Management” and “Embedded Incident Response” services as far back as 2001. We believe in multi-signal managed detection and response, powered by our cloud-native XDR platform and 24/7 threat hunting. Put simply, we hunt, contain and disrupt threats that bypass your preventative controls, so you don’t have a business-impacting event.

What is Incident Response (IR)?

Incident Response (IR) focuses on understanding and investigating security incidents, limiting their effects, assisting with recovery efforts and ensuring your organization is better prepared for the future.

In practice, the “response” services included within MDR overlap with those of IR: MDR contains and disrupts an active threat, while IR carries the investigation, recovery and lessons-learned work through to completion.

Because timing is crucial to containment, investigation and recovery, it’s essential that companies have an IR partner on retainer—you simply don’t have the time or cycles to look for an IR provider when an incident is unfolding.

An effective IR function depends upon having cybersecurity tools in place proactively. These tools provide the response team, which includes members of your own organization and your IR partner, with the capabilities needed to contain and investigate incidents and to restore information and systems.

Just as important to a successful response is having well-defined IR processes, which clarify roles and provide clear instructions for everyone involved while also ensuring you’re able to fulfill notification requirements (whether contractual or regulatory).

What is Digital Forensics (DF)?

Digital forensics is a branch of forensic science that focuses on acquiring, analyzing and reporting on evidence from digital systems.

The field has existed since at least the late 1970s, gained traction within law enforcement agencies starting in the early 2000s and rose to greater prominence in recent years as international standards and training programs emerged.

As the diversity and impact of cyberthreats have grown, digital forensics has become increasingly common in support of evidence handling and root cause analysis. While DF often appears within cybersecurity and incident response plans, it is not limited to cybercrime; investigating workplace harassment, for instance, is an unfortunately common use case.
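The acquisition and evidence-handling side of digital forensics described above comes down to one discipline: prove that what you analyse and report on is exactly what you collected. As an added example (not eSentire’s code or tooling), the Python script below images a source file, records a SHA-256 digest and a custody entry at acquisition time, and re-verifies the digest later so that any alteration of the image is caught before analysis or reporting. The plain file copy standing in for a disk image, the JSON-lines custody log format and the examiner labels are assumptions made for the demo; the evidence bytes are constructed.

```python
"""Evidence acquisition with integrity verification and a chain-of-custody log.

Added example for illustration; not eSentire's code or tooling. The image is a
plain file copy standing in for a disk image, the JSONL custody log format and
the examiner labels are assumptions, and the evidence bytes are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash and copy in 1 MiB chunks so large images never sit in RAM


def sha256_file(path):
    """Streaming SHA-256 of a file, used identically at acquisition and verification."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _log(log_path, record):
    """Append one custody record; the log is append-only, never rewritten."""
    record["timestamp_utc"] = datetime.now(timezone.utc).isoformat()
    with open(log_path, "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def acquire(source, dest, log_path, examiner):
    """Hash the source, copy it to dest, confirm the copy hashes identically, log it.

    A real acquisition would read the source through a write blocker with an
    imaging tool; the file copy here keeps the example runnable anywhere.
    """
    src_hash = sha256_file(source)
    with open(source, "rb") as s, open(dest, "wb") as d:
        for chunk in iter(lambda: s.read(CHUNK), b""):
            d.write(chunk)
    dst_hash = sha256_file(dest)
    if src_hash != dst_hash:
        raise RuntimeError("image does not match source; acquisition failed")
    return _log(log_path, {
        "action": "acquire",
        "source": os.path.abspath(source),
        "image": os.path.abspath(dest),
        "sha256": dst_hash,
        "size_bytes": os.path.getsize(dest),
        "examiner": examiner,
    })


def verify(image, log_path, examiner):
    """Re-hash the image against its acquisition record; log and return the outcome."""
    image = os.path.abspath(image)
    with open(log_path) as log:
        records = [json.loads(line) for line in log if line.strip()]
    acquired = [r for r in records if r["action"] == "acquire" and r["image"] == image]
    if not acquired:
        raise LookupError("no acquisition record for %s" % image)
    expected = acquired[-1]["sha256"]
    actual = sha256_file(image)
    ok = actual == expected
    _log(log_path, {"action": "verify", "image": image, "expected": expected,
                    "actual": actual, "result": "match" if ok else "MISMATCH",
                    "examiner": examiner})
    return ok


def demo():
    """Constructed run: acquire a sample file, verify it, tamper with it, verify again."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "user_profile.bin")
    with open(source, "wb") as f:
        f.write(b"sample evidence bytes\n" * 1000)  # constructed content
    image = os.path.join(work, "evidence001.img")
    log = os.path.join(work, "custody.jsonl")
    record = acquire(source, image, log, "examiner-1")
    intact = verify(image, log, "examiner-2")
    with open(image, "r+b") as f:
        f.write(b"X")  # simulate a single-byte alteration of the image
    tampered = verify(image, log, "examiner-2")
    return record["sha256"], intact, tampered


if __name__ == "__main__":
    digest, intact, tampered = demo()
    print("sha256:", digest, "intact:", intact, "after tampering:", tampered)
```

Two design points carry over to real engagements: the digest is computed with the same streaming routine before and after copying, so a truncated or corrupted image fails at acquisition rather than weeks later in court, and the custody log is append-only, so a failed verification is recorded alongside who ran it rather than silently overwriting the earlier entry.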

Working in synergy

Organizations looking to improve their overall threat response and incident resolution capabilities need to find a balance between MDR, IR and DF services rather than treating any one of them as a substitute for the others.

The combination of all three services can be critical not only to threat detection, security incident resolution and security program improvement, but also to meeting regional or industry-specific compliance requirements for managing incidents and notifying third parties.

What constitutes an “incident”?

In cybersecurity, an “incident” could be as simple as a laptop being lost or a violation of security policies. Or it can be as complex as an advanced persistent threat in which an embedded attacker conducts prolonged cyberespionage or extracts personally identifiable information before suddenly encrypting critical information and making vital systems inoperable.

How you respond to an incident is very much dependent on the nature of the incident itself. For instance, eSentire’s Pragmatic Security Event Management Playbook includes incident response playbooks for 14 different security event types.

As an example, the Playbook sets out a recommended process for responding to ransomware incidents. Of course, each organization differs in culture, hierarchy, critical data and systems, so it is vital that this framework be modified to fit the actions your organization needs to take.

To make sure everyone is on the same page, we recommend aligning with your Incident Response provider to define what “incident” means; that way, all parties involved know when it’s appropriate to use the term and when to invoke Incident Response playbook actions.

Conclusions

It should go without saying—but allow us to reiterate—that organizations must have the ability to detect and respond to threats. eSentire also highly recommends engaging a service provider for emergency preparedness planning and Incident Response support.

Managed Detection and Response, Digital Forensics and Incident Response are vital parts of an overall response capability. The right security provider will be able to assist your organization with assessing your needs and defining your policies, plans and procedures, all of which are crucial to ensuring that you can respond to incidents effectively, efficiently and consistently.

To learn more about eSentire’s approach to Incident Response, read Bryan’s latest blog: Planning Through Recovery: Five Things to Keep in Mind.

To learn more about eSentire’s approach to Managed Detection and Response services, visit https://www.esentire.com/what-we-do or contact a security specialist today at https://www.esentire.com/get-started.


[i] Toby Bussa, Craig Lawson, Kelly M. Kavanagh, “Market Guide for Managed Detection and Response Services,” Gartner, 10 May 2016.

eSentire

eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services. For more information, visit www.esentire.com and follow @eSentire.