Managed Detection and Response
What is managed detection and response?
Managed detection and response (MDR) is an outsourced service that provides organizations with threat hunting services and responds to threats once they are discovered. It also involves a human element: Security providers provide their MDR customers access to their pool of security researchers and engineers, who are responsible for monitoring networks, analyzing incidents, and responding to security cases.
What challenges can MDR address?
MDR addresses significant problems that plague modern businesses. The most glaring issue is a lack of security skills within organizations. While training and setting up dedicated security teams that can do full-time threat hunting may be feasible for larger organizations that can afford it, most companies will find it a difficult proposition given their resource limitations. This is especially true for medium and large organizations that often find themselves being the target of cyberattacks but lack the resources or manpower for such teams.
Even organizations that are willing to spend both time and money might find it difficult to actually acquire the right personnel. In 2016, there were 2 million unfilled cybersecurity positions, a number that is expected to rise to 3.5 million by 2021.
Enterprises also face challenges when deploying complex endpoint detection and response (EDR) solutions, which are usually not being maximized due to a lack of time, skills, and funds to train personnel to handle the EDR tools. MDR integrates EDR tools in its security implementation, making them an integral part of the detection, analysis, and response roles.
An often overlooked issue when it comes to cybersecurity is the sheer volume of alerts security and IT teams regularly receive. Many of these alerts cannot be readily identified as malicious, and have to be checked on an individual basis. In addition, security teams need to correlate these threats, since correlation can reveal whether seemingly insignificant indicators all add up as part of a larger attack. This can overwhelm smaller security teams, and take away precious time and resources from their other tasks.
MDR aims to address this problem not only by detecting threats but also by analyzing all the factors and indicators involved in an alert. MDR also provides recommendations and changes to the organizations based on the interpretation of the security events. One of the most important skills that security professionals need is the ability to contextualize and analyze indicators of compromise in order to better position the company against future attacks. Security technologies may have the ability to block threats, but digging deeper into the hows, whys, and whats of incidents requires a human touch.
MDR is designed to solve the problem of an organization’s cybersecurity skills gap. It tackles the issue of more advanced threats that an in-house IT team cannot completely address, ideally at a cost that is less than what the company will need to spend to build its own specialized security team. MDR can also offer the organization access to tools that it may not normally have access to. The diagram below illustrates what an organization stands to gain when MDR comes into play.
How do MDR providers compare with MSSPs?
Organizations have traditionally turned to managed security service providers (MSSPs) for their external security needs. In contrast with MDR providers, which can detect lateral movement within a network, MSSPs typically work with perimeter-based technology as well as rule-based detections to identify threats. Also, the kinds of threats that MSSPs deal with are known threats, such as vulnerability exploits, reoccurring malware, and high-volume attacks. MSSPs have security professionals who perform log management, monitoring, and analysis, but often not at a very in-depth level. In essence, MSSPs are able to manage an organization’s security but typically only at the perimeter level, and their analysis does not involve extensive forensics, threat research, and analytics.
In terms of service, MSSPs usually communicate via email or phone, with security professionals as a secondary access, while MDR providers carry out 24/7 continuous monitoring, which may not be offered by some MSSPs.
However, MSSPs still provide value to organizations. For example, managing firewalls and other day-to-day security needs of an organization’s network is a task that is more apt for an MSSP than an MDR provider, which offers a more specialized service. Accordingly, MSSPs and MDR providers can work in conjunction with each other — with MDR providers focusing on the proactive detection and behavioral analysis of more advanced threats and giving remediation recommendations for organizations once the threats are discovered.
How does Trend Micro’s MDR work?
Trend Micro’s MDR provides a wide array of security services, including alert monitoring, alert prioritization, investigation, and threat hunting. It uses artificial intelligence models and applies them to endpoint, network, and server data in order to correlate and prioritize advanced threats. By investigating prioritized alerts, Trend Micro threat researchers can then work with organizations to provide a detailed remediation plan.
The diagram below shows the basic process of how Trend Micro’s MDR responds to threats.
Trend Micro threat researchers continuously monitor an organization’s network and endpoint data — performing threat sweeps to look for specific indicators of compromise — and from there make decisions in terms of threat prioritization.
Once a detected potential threat is correlated and prioritized, a team of qualified security operations center (SOC) personnel investigate the origin and scope of the attack, after which a detailed analysis of the threat and its impact is determined.
Trend Micro threat researchers will alert the organization of the incident, and will also provide root cause analysis, mitigation recommendations, and toolkits to help the organization handle the incident.
[Learn more about Trend Micro's Detection and Response solutions]