Fidelis Cybersecurity

What is Managed Detection and Response (MDR)?

Defining Managed Detection and Response (MDR)

Managed Detection and Response relies on tools and analysts to provide ongoing monitoring of known and unknown threats to an organization’s environment. This includes deploying host and network tools in the environment to gain visibility and establish a baseline of normal activity.

Why is Managed Detection and Response Important?

A managed detection and response solution provides the right mix of tools, data, and expertise to significantly reduce dwell time that is associated with a breach. Dwell time is the length of time that a threat actor goes undetected on an organization’s network before they are found and contained.

The 2018 Ponemon Breach Report details the following concerning dwell time:

  • “The faster a data breach can be identified and contained, the lower the costs”
  • The average time to identify a threat is 197 days, and the average time to contain it is 97 days.
  • On average, companies that identify a breach in less than 100 days save more than $1 million.

MDR services also address the cybersecurity skills shortage that many organizations face. They provide the expertise of seasoned security operations professionals, analysts, incident responders and threat hunters, along with deep forensic capabilities, to ensure 24×7 coverage of an organization’s environment and to quickly detect and respond to real threats.

What types of Threat Hunting efforts are associated with Managed Detection and Response?

There are three types of threat hunting efforts associated with MDR:

Retrospective Discovery

Looking back in time to find patterns of activity (e.g. every 6 months a large data transfer occurs to the same group of domains).

Artifact Discovery

Using tools to help find artifacts tied to patterns of activity, based on statistics or frequency (e.g. a group of parked domains is created every 6 months and is tied to IP addresses from the same ASN, and that infrastructure attacks every 3 months at 1am Pacific time).

Activity Discovery

Using tools to help identify behavior that can often be tied to malicious activity (e.g. process migration).
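The retrospective discovery case above (a large transfer to the same group of domains recurring every 6 months) can be hunted for directly in historical flow data. The following is an added example, not Fidelis code: it runs over a handful of constructed outbound flow records, keeps only transfers above an assumed size threshold, and reports domain groups whose large transfers recur at a roughly 6-month interval.

```python
from collections import defaultdict
from datetime import datetime

# Constructed outbound flow records: (timestamp, destination domain, bytes out).
# Sample values made up for this example, not real telemetry.
FLOWS = [
    ("2018-01-10T01:05:00", "cdn-a.example", 12_000_000_000),
    ("2018-01-10T01:07:00", "cdn-b.example", 9_000_000_000),
    ("2018-03-04T14:00:00", "mail.example", 3_000_000),
    ("2018-07-11T01:03:00", "cdn-a.example", 13_500_000_000),
    ("2018-07-11T01:06:00", "cdn-b.example", 8_800_000_000),
    ("2019-01-09T01:04:00", "cdn-a.example", 14_000_000_000),
    ("2019-01-09T01:08:00", "cdn-b.example", 9_200_000_000),
    ("2019-02-20T09:00:00", "updates.example", 2_000_000_000),
]

LARGE_BYTES = 5 * 1024 ** 3  # assumed threshold for a "large" transfer (5 GiB)


def large_transfer_days(flows, threshold=LARGE_BYTES):
    """Map each destination domain to the sorted dates on which a single
    outbound flow exceeded the size threshold."""
    days = defaultdict(set)
    for ts, domain, out_bytes in flows:
        if out_bytes >= threshold:
            days[domain].add(datetime.fromisoformat(ts).date())
    return {domain: sorted(dates) for domain, dates in days.items()}


def recurring_groups(flows, period_days=182, tolerance_days=10, min_hits=3):
    """Return groups of domains whose large transfers recur roughly every
    `period_days` (about 6 months by default), seen at least `min_hits` times.
    Domains that were hit on exactly the same dates are reported together,
    since a shared schedule is the signal the hunt is looking for."""
    periodic = {}
    for domain, dates in large_transfer_days(flows).items():
        if len(dates) < min_hits:
            continue
        gaps = [(later - earlier).days for earlier, later in zip(dates, dates[1:])]
        if all(abs(gap - period_days) <= tolerance_days for gap in gaps):
            periodic[domain] = tuple(dates)
    groups = defaultdict(list)
    for domain, dates in periodic.items():
        groups[dates].append(domain)
    return [sorted(domains) for domains in groups.values()]


if __name__ == "__main__":
    for group in recurring_groups(FLOWS):
        print("recurring large transfers to:", ", ".join(group))
```

On the constructed records, cdn-a.example and cdn-b.example are reported as one group; the small mail flow and the one-off update download are not.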

How does Managed Detection and Response differ from a Managed Security Service Provider?

Managed Detection and Response services and MSSPs are often confused with one another. The two services differ in three fundamental ways:

  • technology
  • expertise
  • relationship with the client

Managed Detection and Response is a cybersecurity service that provides continuous threat monitoring of the environment, and the ability to take immediate actions against identified threats. MDR can be used to completely outsource detection and response capabilities or augment existing security teams. MSSPs focus primarily on managing firewalls and other basic security infrastructure, but don’t typically have the expertise or advanced tools to provide detection, response and threat hunting capabilities.

How do Managed Detection and Response services differ?

Some MDR providers focus on monitoring and managing the endpoint environment. The issue with limiting managed detection and response to only the endpoint environment is that there are clear visibility gaps. For example, with endpoint-only visibility:

  • an attacker can hide their tracks on the host; activity that leaves nothing to find on the host may still show up on the network
  • over time, DNS names or IP addresses cannot be tracked as the attacker traverses the network
  • there is no way to pair up movement seen on the network with what is being seen on the host (to recognize and validate lateral movement, or to tell whether the attacker has switched to a port belonging to a standard service such as DNS)
  • there is no way to truly validate whether data is being exfiltrated out of the network via large file transfers or continuous encrypted sessions

The most effective managed detection and response offering will provide 24×7 monitoring based on a full stack that provides visibility across the entire environment.