In the past two years, security services represented by MDR (Managed Detection and Response) have attracted more and more attention. Enterprises of every size now treat MDR as an important supplement to their own security capabilities. Gartner predicts that by 2024 the share of companies choosing MDR services will grow from the current 5% to 25%, and that 40% of medium-sized companies will use MDR as their only security service.

Although enterprises have a real need, many still hesitate over MDR services. Lacking the professional expertise to evaluate them, they dare not be the first to try, and instead wait for others to cross the river before following. Which companies is MDR suitable for? Where do its key capabilities lie? How does it differ from MSS? What are the conventional technical models? This article answers these questions.

Part 1 – Which Companies Are Suitable For MDR

Gartner describes MDR as a service for enterprises that want to establish rapid threat detection and effective response through continuous monitoring and 7×24 coverage. Most MDR services generate and collect security events and context data through host-layer and network-layer technologies to support threat detection and incident analysis.

Specifically, MDR services are mainly applicable to three types of enterprises:

1. Enterprises whose detection and response capabilities are weak, so that MDR becomes their main security capability. The team has no or very few security experts, and routine security work is handled part-time by IT operations and maintenance staff. Such companies tend to invest more in protective technology, such as multi-function firewalls and endpoint protection platforms, and traditional 7×24 monitoring or security operations can no longer support the response capability they need.

2. Enterprises that have invested in detection technology but cannot build the internal team or process capabilities needed to support their security operations goals. Such companies can use MDR services to support and supplement their existing detection technology.

3. Enterprises that have already invested in detection and response technology, personnel, and processes, or plan to invest in them, for example as part of building an internal SOC. Through MDR services, these companies can fill gaps in specific stages such as security analysis and incident response.

Part 2 – The Key Value Of MDR To Enterprises

In many enterprises, especially the branch offices of large enterprises, most security personnel work part-time on security. They focus mainly on keeping security equipment available, and have neither the time to go through the flood of alerts nor the expertise to read complex intrusion logs. In this situation, professional security staff and the ability to handle complex security incidents are essential. Here is a real case of how we handled an emergency response.

Last June, a company was enjoying the resumption of work and production. What the person in charge of the company's security never expected was to encounter the "low-probability" event of being hacked. On the morning of the incident, colleagues from various departments came to work and clocked in as usual. Soon, everyone discovered that the files on computers in multiple key departments, including finance and the production control rooms, had been encrypted in the early hours of that day, and that a ransom note had been left demanding payment for decryption.

Although the company has nearly 1,000 employees, its security team is small, and this was the first time it had been hit by ransomware. After the security lead consulted with management, the company reluctantly paid the ransom to keep the business running. Meanwhile, because the attacker had deleted the logs on the encrypted endpoints and a large number of machines were involved, it was difficult to trace the source of the extortion, so the security lead turned to the Weibu Online MDR team for emergency handling support. After studying the company's overall network architecture and finding nothing in the initial investigation, the MDR team shifted its analysis to the attacker's perspective and found that the attacker had brute-forced an Internet-facing port that should never have been exposed, then gradually penetrated a wide area of the network, delivered the ransomware, and ultimately extorted the company.

The key value of MDR to enterprises is that a professional MDR service handles complex security incidents on their behalf and quickly compensates for the gaps in their own security capabilities.

Part 3 – Value Difference Between MDR And MSS

At present there are two main types of security service, MSS and MDR. Many companies do not clearly understand the difference between them, which can distort how they evaluate and choose security services.

MSS (Managed Security Service) has a long history. It is offered by managed security service providers (MSSPs), to which enterprises outsource the monitoring and management of their security equipment and systems. Common services include managed firewalls, intrusion detection, virtual private networks, vulnerability scanning and anti-virus. MSSPs usually deliver 7×24 service from high-availability security operations centers that they or third parties operate. This saves the enterprise the cost of recruiting and training its own security personnel while keeping its security posture within an acceptable range.

At the same time, each MSSP has its own specific product toolkit focused on security management and monitoring. It uses a portal as the communication interface with customers, relies on highly automated interactions, and concentrates on overall metrics such as the alerts received and the failures of managed devices. If a violation or intrusion is detected, the MSSP issues an alert to the customer, and the response procedure is generally left to the enterprise itself.

In contrast, the biggest difference between MDR and MSS is response. MDR focuses on proactive threat hunting, detection and response, and provides 7×24 threat monitoring, detection and security incident response. Specifically, it has three important characteristics:

First, the MDR service is delivered by deploying the service provider's own technology stack on the customer's premises, such as network traffic analysis tools, endpoint activity monitoring and deception technology. Few MDR providers rely solely on the logs generated by the customer's existing security tools to monitor and respond to threats; logs collected by the customer serve at most as supplementary data for contextual analysis.

Secondly, in the MSS deployment model, enterprises must supply their own technology to identify the sources of key events and forward the logs to a central collection device. Because MDR providers bring their own technology stack, service deployment and delivery are faster and scale better than with traditional MSS. Some MDR providers even support the customer's existing technologies through APIs, which simplifies service integration.

Finally, unlike the traditional SOC model, which separates the analyst and management functions, MDR relies mainly on analysts to perform event triage and 7×24 monitoring, analysis and alerting of security events, all centered on incident detection and response. Compared with MSS, communication between the enterprise and the MDR analysts is more direct, with little emphasis on a portal as the main interface.

Part 4 – Four Stacking Methods Of MDR Service

When choosing an MDR service, the first decision is whether to use the service provider's product stack or the enterprise's own. Companies can consider the following four stacking methods:

1. BYOS (Bring Your Own Stack). The enterprise keeps its own product stack and only needs a managed service provider to operate on top of it. For companies that have already deployed the products they prefer, or that are required to use specific tools, this is the more desirable approach.

2. Supplier-provided stack. The MDR provider's service relies on trusted software from well-known vendors to give the enterprise detection and response capabilities, most commonly multi-function NSM (Network Security Monitoring) sensors or EDR agents. This suits companies that do not yet have a complete set of security equipment to monitor, or that want to replace their technology stack.

3. Supplier-built stack. This is a very common MDR delivery model: the MDR vendor deploys its own products in layers to build the tool stack. Because all the products come from the same supplier, the advantage of this approach is that it maximizes the integration between them.

4. Mixed mode. This approach combines the enterprise's current environment with the MDR supplier's product stack to get the best of both. The enterprise's task is to strike the right balance between the MDR products and its own software.

Whichever method is adopted, the core capabilities and value of an MDR service are detection and response, which safeguard the secure operation of the enterprise. Since its founding 6 years ago, Weibu Online has been committed to becoming the threat discovery and response expert for corporate customers, continuously building up deep threat analysis and threat intelligence capabilities and empowering customers with professional products and services. The Weibu Online MDR service covers the discovery and handling of internal and external threats, attacker profiling and traceability analysis, and in-depth analysis and early warning of major security incidents, helping companies continuously improve their security protection. It serves leading customers in government, energy, Internet, high-tech and other industries.