Managed Detection & Response (MDR)
An increasing number of cyber threats now specifically target endpoints. At the same time, sophisticated cyber threats continue to grow in number, and the perimeter security controls that organizations have traditionally relied on are now insufficient.
This has made it necessary to adopt technologies that help organizations identify and disrupt threats in the early stages of an attack, and that also address threats able to bypass the security perimeter.
Netbull, a pioneer in information security, provides the Managed Detection and Response (MDR) service for the timely detection and elimination of confirmed security incidents on endpoints, and for taking appropriate actions to prevent and handle such incidents around the clock.
The service integrates with the security incident monitoring and management service, for an immediate and effective response to attacks.
The technical and functional characteristics of this service are:
- Integration with the Security Incident Monitoring and Management Service (SOCaaS). For the immediate detection of security incidents, our company has complemented the MDR service with the Security Incident Monitoring and Management Service (SOCaaS), which provides a range of attack detection and response technologies such as threat intelligence, IBM QRadar with Watson, etc. MDR security events are forwarded via an API to the IBM QRadar platform and analyzed (normalization, correlation) by the SOCaaS service.
- Immediate response. Once an incident is detected, Netbull I-nSOC analysts take immediate action to recover as quickly as possible, reducing the risk of the attack spreading and limiting any damage. Using EDR technology, they can isolate the attacked devices, which is the first key step in preventing the threat from spreading throughout the corporate environment.
- Threat Intelligence. The analysis of logs takes into account threat intelligence both from information processed in our company's internal infrastructure and from external commercial or non-commercial sources such as IBM X-Force, Talos, etc.
- Machine learning analysis. The service uses machine learning algorithms on the endpoints to detect malicious files and activities based on the characteristics of known malware. Machine learning capabilities are supported by a cloud service to ensure a better and more accurate model. With this technique it is possible to detect zero-day malware.
- Vulnerability Detection. The service detects vulnerabilities in endpoint software to reduce the chances of a successful attack exploiting a software vulnerability. Endpoints running the vulnerable software are recorded and prioritized based on the Common Vulnerabilities and Exposures (CVE) rating.
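As an added illustration (not Netbull's code and not the IBM QRadar API), the Python example below sketches the normalization and correlation step described above: alerts from two hypothetical EDR export formats are mapped onto a common schema, then grouped per host within a time window so that several alerts on one endpoint surface as a single offense for an analyst. The vendor formats, field names and sample alerts are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample alerts in two hypothetical EDR export formats (not real vendor schemas).
VENDOR_A_EVENTS = [
    {"host": "ws-017", "ts": "2024-03-01T10:02:11Z", "sev": 3, "desc": "Office spawned PowerShell"},
    {"host": "ws-017", "ts": "2024-03-01T10:04:40Z", "sev": 4, "desc": "Credential dumping tool"},
    {"host": "srv-db1", "ts": "2024-03-01T11:15:00Z", "sev": 2, "desc": "Unsigned driver loaded"},
]
VENDOR_B_EVENTS = [
    {"hostname": "WS-017", "time": "2024-03-01 10:03:05", "severity": "high", "name": "Outbound beacon"},
    {"hostname": "ws-042", "time": "2024-03-01 14:00:00", "severity": "low", "name": "Policy violation"},
]
SEVERITY_WORDS = {"low": 1, "medium": 3, "high": 4, "critical": 5}  # map words onto a common 1-5 scale

@dataclass
class NormalizedEvent:
    host: str          # lower-cased so two sensors on one machine line up
    time: datetime
    severity: int      # common 1-5 scale
    source: str
    summary: str

def normalize_a(e):
    return NormalizedEvent(e["host"].lower(), datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           e["sev"], "vendorA", e["desc"])

def normalize_b(e):
    return NormalizedEvent(e["hostname"].lower(), datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S"),
                           SEVERITY_WORDS[e["severity"]], "vendorB", e["name"])

def correlate(events, window=timedelta(minutes=10), min_events=2):
    """Return one offense per host whose largest alert cluster inside `window` has >= min_events."""
    by_host = {}
    for ev in sorted(events, key=lambda x: x.time):
        by_host.setdefault(ev.host, []).append(ev)
    offenses = []
    for host, evs in by_host.items():
        best, start = [], 0
        for end in range(len(evs)):
            while evs[end].time - evs[start].time > window:   # slide the window start forward
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        if len(best) >= min_events:
            offenses.append({"host": host, "count": len(best),
                             "max_severity": max(e.severity for e in best),
                             "sources": {e.source for e in best},
                             "first_seen": best[0].time, "last_seen": best[-1].time})
    return offenses

if __name__ == "__main__":
    all_events = [normalize_a(e) for e in VENDOR_A_EVENTS] + [normalize_b(e) for e in VENDOR_B_EVENTS]
    for off in correlate(all_events):
        print(off)
```

Single low-severity alerts (srv-db1, ws-042) stay as raw events, while the three alerts on ws-017 from two different sensors collapse into one offense carrying the highest severity seen.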
EDR vs MDR
What is EDR?
Endpoint Detection and Response (EDR) is a term used to describe cyber security technologies that help organisations detect threats that target devices such as laptops, servers and desktops. EDR combines elements of next-gen antivirus with additional functionality to deliver real-time anomaly detection, support threat hunting and help automate incident response processes.
EDR solutions work by collecting endpoint data and using behavioral analytics to examine it for evidence of suspicious activity. When an anomaly is detected, an alert is generated for human investigation. Endpoint telemetry can be used to perform kill chain analysis, contain and quarantine infected devices, create custom threat watchlists and block malicious IPs. This provides security teams with a crucial layer of visibility to identify and respond to intrusions.
What is MDR?
Managed Detection and Response (MDR) is a term used to describe a service that combines human expertise, threat intelligence and a range of network and endpoint detection technologies to help organisations detect and respond to threats.
Managed Detection and Response services, delivered by specialist MDR providers, are designed to help organisations that lack extensive internal expertise and resources to achieve an enterprise-grade cyber security capability at a fraction of the cost of building the same capabilities in-house.
MDR acts as a virtual extension of an organisation’s in-house team to hunt for and respond to cyber threats around-the-clock. Going well beyond the scope of a traditional managed security service, MDR service providers proactively hunt for, investigate and provide the support needed to swiftly remediate threats 24/7.
Does MDR service include EDR?
EDR technologies form a crucial part of the MDR services, enabling security teams to leverage endpoint telemetry to achieve deeper threat visibility and coverage.
However, in most cases EDR is just one of several tools included as part of an MDR service. To achieve comprehensive visibility, MDR service providers also include logging and network monitoring solutions such as SIEM, intrusion detection, network traffic analysis and vulnerability management tools. In delivering an MDR service, the provider will deploy, configure and monitor all technologies included as part of the service.
Unlike legacy managed security services, MDR services are not defined by their underlying technologies – these services instead offer a turnkey approach built around defined outcomes and goals to address specific security use cases.
In-house monitoring vs MDR services
What challenges do organizations face when they decide to monitor endpoints in-house, and how are the services of MSS providers evolving?
The challenges of in-house endpoint monitoring
- As the number of sophisticated cyber threats continues to grow, the perimeter security controls that organizations have traditionally relied upon are now insufficient. This has made it vital to swiftly detect and respond to threats that are able to bypass the security perimeter.
- With an increasing number of cyber threats now specifically targeting endpoints, EDR technologies have become essential in helping organisations to identify and disrupt threats at the earliest stages of attack. The problem for many organisations, however, is that they lack the skills and resources needed to get the most out of these technologies.
- Not only is the cost of buying and integrating the necessary technologies already extensive, organisations also need to hire and train dedicated staff to manage them.
- Many organisations rush into expensive technology investments without considering the resource burden. The potential that solutions like EDR offer is significant, but no organisation can expect to unlock this potential without a dedicated team to proactively configure, manage and monitor them around-the-clock.
- Overstretched IT teams without specialist security training often struggle to implement technologies effectively to maximise their value, and can quickly find themselves suffering from alert fatigue, leading to important information being ignored and rendering the technology redundant.
These challenges have led many organisations to seek out managed security services to help bridge their resource gap.
The rise of MDR
Managed Detection and Response has emerged in recent years in response to growing concerns in the market that traditional managed security services (MSS) are proving insufficient to protect businesses from modern cyber threats.
Many MSSPs have been criticised for ‘passing threats over the wall’, because they offer only basic monitoring and alerting whilst failing to provide the level of context and guidance organisations need to identify genuine security incidents and effectively respond to and remediate them.
MDR goes well beyond the scope of a traditional managed security service, adopting a more proactive, outcome-driven approach. Elements typically included as part of MDR include security orchestration, continuous network and endpoint monitoring, threat hunting and integrated response measures such as remote threat containment and disruption.
Some advanced MDR services may also offer extended cloud service coverage. This could include detection and response in AWS, Azure and GCP, or common SaaS application suites like Office 365 and G Suite. Some providers - Netbull is the first one in Greece - are also expanding these capabilities across ICS and SCADA systems in operational technology (OT) environments.
The outcome-focused approach of MDR has proved an effective antidote to legacy MSSP limitations, and this has made it one of the fastest growing sectors in the industry. Gartner predicts that, by 2024, a quarter of organisations will be using MDR services, up from less than 5% today. In that same timeframe, 40% of midsize enterprises will use MDR as their only managed security service.
Why choose NETBULL as your MDR provider?
Netbull's Managed Detection and Response service provides the extensive capabilities your organization needs to hunt for and eradicate threats across your on-premise, cloud and hybrid environments.
Netbull's MDR services take a technology-agnostic approach, so we have integrated them with various well-known EDR solutions and technologies such as Cisco AMP, Check Point SandBlast, Fortinet FortiEDR, FireEye Endpoint Security, etc.
Functioning as an extension of your IT team, our services combine world-class security expertise, leading network and endpoint detection technologies, and aggregated security intelligence to help hunt for threats and shut down breaches before they can damage and disrupt your business operations.