MDR is a common acronym thrown around in cybersecurity. But what does it really mean? And if you’re in the market for MDR, what should you expect from a provider?
Managed detection and response is a cybersecurity service delivered by experts in a security operations center (SOC) who focus on identifying and mitigating cyberthreats. Aided by technology and threat intelligence, SOC experts monitor the customer’s IT infrastructure, zeroing in on suspicious activity. Once they confirm activity is malicious, they respond, with the ultimate goal of eradicating the threat actor from the environment. As we’ll soon see, both the detection and responses can take various forms, some of which are more effective than others.
Who needs MDR?
In today’s hiring market, cybersecurity expertise is in short supply, so leveraging an external SOC makes sense for companies of all sizes, but most importantly, those looking to scale. MDR is considered an offensive tactic with the goal of not only stopping attacks, but preventing them.
There are a myriad of MDR services on the market, but do they provide the quality of service you need to protect your business? Let’s go behind the acronym and dive into how Blackpoint defines TRUE MDR.
The M in MDR stands for managed, and for us that means fully managed. Once our proprietary MDR tech is active, the Blackpoint SOC takes over operations, monitoring, and response from there. We remove the burden of watching your accounts and take on the heavy lifting of preventing and putting out fires on your behalf.
Detection sounds straightforward enough, but there are different methods for detection. For many providers, detection is based on analyzing static SIEM logs of events that have already taken place.
Blackpoint’s approach to detection is more proactive. We use a combination of proprietary technologies and human threat hunters to identify and respond to threats as they happen, in real time. We detect on threat actor behavior known as “live off the land” tradecraft—activity that’s designed to evade EDR by using the tools and mimicking the behavior of legitimate IT users.
With the ability to detect in real time, Blackpoint can isolate threats much faster than competitors who utilize SIEM logs to detect attacks after the fact. Our purpose-built technology means we’re not hampered by the false positives, alert fatigue, or fragmented tooling present with SIEM-based systems. With Blackpoint handling your security operations, you will benefit from industry-leading detection and response times.
How an MDR vendor responds to an attack can also vary from one to the next. Many vendors classify a response as an automated email informing the MSP of an incident detection, leaving it up to the MSP to investigate. Other providers require the MSP’s permission before responding to an attack.
For Blackpoint Cyber, response means we use our expertise to take immediate action to best protect the customer, whether that means isolating hosts, killing malicious processes, or deleting persistence methods. We then maintain communication with the partner about what has happened and assist with remediation recommendations. In other words, we put out the fire, and then provide guidance in cleaning up the damage.
An MDR provider’s bare minimum response should include:
- The rapid identification of an intruder by a SOC
- An immediate SOC response to stop the intruder (isolating devices, removing account access, etc.)
- Continuous monitoring of the remaining devices and accounts to ensure the threat actor has been fully eradicated
- A phone call to the designated emergency contact at the partner/customer
- A report outlining the SOC findings
- A document outlining the SOC’s remediation recommendations
- A trusted partner and advisor you can call if you have questions regarding the incident
Many providers offer managed detection and response services. But true MDR is a fully managed service that supports human SOC experts with purpose-built MDR technology for intervention as early in the attack cycle as possible. True MDR stops the threat actor in the midst of an active attack, and takes immediate action on behalf of the MSP partner to best protect their customers. In other words, true MDR enables MSPs peace of mind in an increasingly complex, sophisticated, and adversarial digital world.
Thrive, not just survive, in the threat landscape.
Our world-class, nation-state-grade cybersecurity ecosystem is designed to serve our partners by completing the hard work for you. Have your Blackpoint MDR service installed and protecting your business in less than a day.