Managed Detection and Response (MDR) relies on tools and analysts to provide ongoing monitoring of known and unknown threats to an organization's environment. This includes deploying host and network tools in the environment to gain visibility and establish a baseline of normal activity.
A managed detection and response solution provides the right mix of tools, data, and expertise to significantly reduce the dwell time associated with a breach. Dwell time is the length of time a threat actor goes undetected on an organization's network before being found and contained.
The 2018 Ponemon Breach Report details the following concerning dwell time:
MDR services also address the cybersecurity skills shortage that many organizations face by providing the expertise of seasoned security operations professionals, analysts, incident responders and threat hunters, along with deep forensic capabilities, to ensure 24x7 coverage of an organization's environment so that real threats are detected and responded to quickly.
There are three types of threat hunting efforts associated with MDR:
Retrospective Discovery: looking back in time to find patterns of activity (e.g. every 6 months a large data transfer occurs to the same group of domains).
Using tools to find artifacts tied to patterns of activity based on statistics or frequency (e.g. a group of parked domains is registered every 6 months, and IP addresses from the same ASN attack the infrastructure every 3 months at 1 a.m. Pacific time).
Using tools to identify behavior that can often be tied to malicious activity (e.g. process migration).
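The first two hunting types above (looking back over historical data, and using frequency or statistics to surface a recurring pattern) can be illustrated with a small retrospective hunt. The following is an added example, not code from the original page or from any MDR provider: it reads a constructed set of outbound transfer records, groups destinations into a rough "domain group" (assumed here to be the last two DNS labels; a real hunt would use the public suffix list or ownership/ASN data), keeps only large transfers, and flags groups whose large transfers recur on a regular cadence. The thresholds (10 GB, at least three events, gaps within 10% of their mean) and all sample values are assumptions chosen for illustration.

```python
"""Retrospective / frequency hunt over outbound transfer records.

Added example (not from the original page): looks back over a set of
transfer records and flags destination domain groups that receive large
transfers at a regular interval, like the "every 6 months to the same
group of domains" pattern described in the text.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records: (ISO timestamp, destination FQDN, bytes sent).
# Values are made up for illustration; they are not real telemetry.
SAMPLE_TRANSFERS = [
    ("2022-01-15T01:02:00", "cdn1.example-files.net", 52_000_000_000),
    ("2022-02-03T10:00:00", "mail.example.com", 3_000_000),
    ("2022-07-14T01:05:00", "cdn2.example-files.net", 49_000_000_000),
    ("2022-09-20T12:30:00", "updates.vendor.example", 800_000_000),
    ("2023-01-16T00:58:00", "cdn1.example-files.net", 55_000_000_000),
    ("2023-03-02T09:00:00", "mail.example.com", 2_500_000),
    ("2023-07-15T01:10:00", "cdn3.example-files.net", 51_000_000_000),
]


def domain_group(fqdn: str) -> str:
    """Collapse a hostname to its last two labels as a rough 'domain group'.

    Assumption for this example only; a real hunt would use the public
    suffix list (or owner/ASN data) to decide which destinations are related.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_periodic_transfers(records, min_bytes=10 * 10**9,
                            min_events=3, max_cv=0.10):
    """Return domain groups that receive large transfers on a regular cadence.

    records    : iterable of (iso_timestamp, fqdn, bytes) tuples
    min_bytes  : only transfers at least this large count as 'large'
    min_events : need at least this many large transfers to judge periodicity
    max_cv     : max coefficient of variation (stdev / mean) of the gaps
                 between transfers for the cadence to count as regular
    """
    by_group = defaultdict(list)
    for ts, fqdn, nbytes in records:
        if nbytes >= min_bytes:
            by_group[domain_group(fqdn)].append(datetime.fromisoformat(ts))

    findings = {}
    for group, times in by_group.items():
        if len(times) < min_events:
            continue
        times.sort()
        # Gap between consecutive large transfers, rounded to whole days.
        gaps_days = [round((later - earlier).total_seconds() / 86400)
                     for earlier, later in zip(times, times[1:])]
        period = mean(gaps_days)
        cv = pstdev(gaps_days) / period if period else float("inf")
        if cv <= max_cv:
            findings[group] = {
                "events": len(times),
                "gaps_days": gaps_days,
                "mean_period_days": period,
                "first_seen": times[0].isoformat(),
                "last_seen": times[-1].isoformat(),
            }
    return findings


if __name__ == "__main__":
    for group, info in find_periodic_transfers(SAMPLE_TRANSFERS).items():
        print(f"{group}: {info['events']} large transfers, "
              f"~{info['mean_period_days']:.0f}-day cadence, gaps {info['gaps_days']}")
```

On the constructed data only the `example-files.net` group is reported: four transfers of roughly 50 GB with gaps of 180, 186 and 180 days, i.e. a six-month cadence that no single-day view of the logs would reveal. Tightening `max_cv` makes the hunt demand a stricter cadence, which is the usual trade-off between catching a slightly jittered schedule and tolerating false positives from coincidental timing.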
Managed Detection and Response services and MSSPs are often confused with one another. The two services differ in three fundamental ways:
Managed Detection and Response is a cybersecurity service that provides continuous threat monitoring of the environment and the ability to take immediate action against identified threats. MDR can be used to completely outsource detection and response capabilities or to augment an existing security team. MSSPs focus primarily on managing firewalls and other basic security infrastructure, and typically lack the expertise and advanced tooling to provide detection, response and threat hunting capabilities.
Some MDR providers focus on monitoring and managing only the endpoint environment. The issue with limiting managed detection and response to the endpoint is that it leaves clear visibility gaps. For example, visibility is limited if it rests only on the endpoint in these situations:
The most effective managed detection and response service offering will provide 24x7 monitoring based on a full stack that provides visibility across the entire environment.