What is an MDR solution?

Managed detection and response (MDR) solutions rapidly detect, analyze, investigate, and actively respond to threats. The MDR tech stack usually includes endpoint detection and response (EDR), network and cloud protection, and logs.

MDR solutions collect telemetry from the customer environment and analyze the data. Experts skilled in threat hunting and incident management can then investigate incidents and offer actionable advice.

MDR is valued for its 24×7 approach to delivering detection and response services—a boon to companies that do not have deep security expertise within their IT teams. According to Gartner, “by 2025, 60% of organizations will be actively using remote threat disruption and containment capabilities delivered directly by MDR providers.”

What are the capabilities of an MDR solution?

The core capabilities should include:

  • 24×7 remotely delivered detection and response functions. The MDR solution provides around-the-clock monitoring and analysis of attacks, allowing analysts to rapidly address threats.
  • Turnkey delivery. The MDR solution should include a standard playbook of workflows, procedures, analytics, and telemetry. The solution should also integrate with third-party detection and response technologies.
  • Unlimited triage, investigation, and management of responses and threats. The MDR solution shouldn’t limit the number of threats investigated, nor should it limit the time needed for the discovery and investigation process.
  • Expert guidance. MDR technology and automation should be paired with a dedicated security team that can provide guidance on building resilience into security programs.
  • Hypothesis-based threat hunting. The MDR provider should run hunts for unusual logins, access patterns, user behaviors, and more, surfacing risks that no alert has fired on across environments. Hypothesis-based hunting starts from a question about how an attacker might already be operating (for example, “a user is logging in from a source they have never used before”) and tests it against the telemetry. That differs from indicator-driven hunting, which searches for known indicators of compromise and known attacker techniques.
  • Vulnerability prioritization. This feature spots vulnerabilities that are the most risky for the business, allowing the security team to apply patches or updates to these vulnerabilities right away.

MDR solutions include which technologies and systems?

In some cases, an MDR provider will provide the following technologies if the customer doesn’t already have them. In other cases, MDR solutions can integrate with existing technologies.

Log detection

This process involves gathering and examining audit logs from systems and applications for signs that unauthorized or unexpected activity is being attempted or has taken place. Log data can be evaluated against static detection rules or against machine-learning models to identify malicious or anomalous behavior.
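The following is an added example, not code from the original page or from any MDR vendor, showing both ideas above on the same data: a static rule over audit logs (the log detection just described) and a hypothesis-based hunt of the kind listed under the core capabilities. The log lines are constructed sshd-style samples using documentation IP ranges; the thresholds, window size, and function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style sample lines (not real data; addresses are documentation ranges).
SAMPLE_LOG = """\
Mar 10 08:01:12 bastion sshd[2210]: Failed password for alice from 203.0.113.7 port 51010 ssh2
Mar 10 08:01:15 bastion sshd[2211]: Failed password for alice from 203.0.113.7 port 51011 ssh2
Mar 10 08:01:19 bastion sshd[2212]: Failed password for alice from 203.0.113.7 port 51012 ssh2
Mar 10 08:01:22 bastion sshd[2213]: Failed password for alice from 203.0.113.7 port 51013 ssh2
Mar 10 08:01:25 bastion sshd[2214]: Failed password for alice from 203.0.113.7 port 51014 ssh2
Mar 10 08:01:30 bastion sshd[2215]: Accepted password for alice from 203.0.113.7 port 51015 ssh2
Mar 10 09:15:02 bastion sshd[2300]: Accepted publickey for bob from 10.0.0.5 port 40100 ssh2
Mar 10 09:20:44 bastion sshd[2310]: Accepted publickey for bob from 10.0.0.5 port 40101 ssh2
Mar 10 23:55:10 bastion sshd[2400]: Accepted publickey for bob from 198.51.100.23 port 40200 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(log_text):
    """Turn raw lines into event dicts; lines the pattern does not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # syslog timestamps carry no year; strptime fills in 1900, fine for ordering and deltas
        ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        events.append(ev)
    return events


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Static rule (assumed thresholds): a successful login from a source that produced
    at least `threshold` failures in the preceding `window`. Returns (user, src, failures)."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of failed attempts
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "Failed":
            failures[ev["src"]].append(ev["ts"])
            continue
        recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append((ev["user"], ev["src"], len(recent)))
    return alerts


def new_source_for_user(events, min_baseline=2):
    """Hunt hypothesis: a user with an established set of login sources suddenly succeeds
    from a never-before-seen source. Baseline size is an assumption. Returns (user, src, known)."""
    findings = []
    seen = defaultdict(list)  # user -> sources of prior successful logins, in order
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "Accepted":
            continue
        prior = seen[ev["user"]]
        if len(prior) >= min_baseline and ev["src"] not in prior:
            findings.append((ev["user"], ev["src"], sorted(set(prior))))
        prior.append(ev["src"])
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for a in brute_force_then_success(evs):
        print("ALERT brute-force-then-success:", a)
    for f in new_source_for_user(evs):
        print("HUNT new-source-for-user:", f)
```

The rule fires on alice (five failures then a success from the same source within the window); the hunt says nothing about alice, because she has no baseline, but flags bob's late-night login from a source he has never used. Neither finding is a conclusion on its own: both are the kind of lead an analyst then investigates against other telemetry.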

Security information and event management (SIEM)

A SIEM system captures data and alerts from numerous security tools and IT systems. Keep in mind that an organization might not need a SIEM, particularly if other existing tools or partnerships are handling these tasks. For example, if the organization has limited log sources and no regulatory requirements, it may not be necessary to invest in a SIEM. Either way, an MDR provider should be able to help organizations get the most out of a SIEM solution.

Endpoint detection and response (EDR)

This technology analyzes system, process, and user activity to detect security threats. EDR tools require the security team to install an agent on each endpoint; the agent records and forwards endpoint behaviors and events, typically process creation, registry changes, file-system activity, and network connections on every host where it is installed. Security teams can use this event stream to detect and investigate suspicious activity in their environment.
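As an added example (not code from the original page or from any EDR product), the block below runs one detection over the kind of process-creation stream an EDR agent produces and reconstructs the process lineage an analyst would want for the investigation. The events are constructed, the parent/child relationships and image names are assumptions, and the rule (a shell launched beneath an Office application) is a common illustration rather than a vendor's rule.

```python
# Constructed process-creation events from one host, in time order (not real telemetry).
EVENTS = [
    {"pid": 400, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 512, "ppid": 400, "image": "outlook.exe",    "cmdline": "outlook.exe"},
    {"pid": 620, "ppid": 512, "image": "winword.exe",    "cmdline": "winword.exe /n invoice.docm"},
    {"pid": 733, "ppid": 620, "image": "cmd.exe",        "cmdline": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"pid": 741, "ppid": 733, "image": "powershell.exe", "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"pid": 800, "ppid": 400, "image": "cmd.exe",        "cmdline": "cmd.exe"},
    {"pid": 805, "ppid": 800, "image": "powershell.exe", "cmdline": "powershell Get-Process"},
]

# Assumed image-name sets for the rule.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def lineage(events_by_pid, pid):
    """Walk ppid links back to the root; returns image names root-first.
    Stops at a pid with no recorded event (e.g. pid 1) or on a cycle."""
    chain, seen = [], set()
    while pid in events_by_pid and pid not in seen:
        seen.add(pid)
        ev = events_by_pid[pid]
        chain.append(ev["image"])
        pid = ev["ppid"]
    return list(reversed(chain))


def office_spawns_shell(events, max_depth=2):
    """Rule: a shell whose ancestry, within max_depth hops, includes an Office application.
    Depth 1 catches winword -> cmd; depth 2 also catches winword -> cmd -> powershell."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if ev["image"] not in SHELLS:
            continue
        chain = lineage(by_pid, ev["pid"])
        ancestors = chain[-2::-1][:max_depth]  # closest ancestor first, excluding self
        if any(a in OFFICE for a in ancestors):
            hits.append({
                "pid": ev["pid"],
                "image": ev["image"],
                "lineage": chain,
                # encoded PowerShell is a secondary signal worth surfacing to the analyst
                "encoded_cmd": "-enc" in ev["cmdline"].lower(),
            })
    return hits


if __name__ == "__main__":
    for hit in office_spawns_shell(EVENTS):
        print(hit["pid"], " -> ".join(hit["lineage"]), "encoded" if hit["encoded_cmd"] else "")
```

The detection fires on pids 733 and 741 (Word launched from Outlook spawning cmd, then an encoded PowerShell) and stays silent on the administrator's interactive cmd and PowerShell under explorer.exe. Carrying the full lineage in the alert is what turns a single event into something an analyst can triage without going back to raw telemetry.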

Network intrusion detection systems (NIDS)

A NIDS monitors traffic to and from the devices on a network and alerts on malicious or suspicious activity, typically by matching signatures or detecting anomalies; it is one of the larger sources of the data a security operations center (SOC) collects and analyzes in a day. NIDS can be deployed as a hardware appliance or as software.

Security orchestration, automation, and response (SOAR)

SOAR is a set of software tools that helps an organization collect data about cybersecurity threats and respond to security events with little or no human intervention. SOAR platforms can improve the efficiency of both physical and digital security operations. Broadly, SOAR technologies integrate the security tools an organization already has and chain them into automated playbooks, so that analysts spend less time on repetitive tasks.