MDR Use Cases
Managed Detection and Response
Network Attack Detection
Most cyberattacks are carried out over the network. This is an advantage to many organizations since cybersecurity defenses deployed at the network perimeter can help to identify and block many of these attacks.
However, threat actors are aware of cyber defense capabilities and work to develop means of bypassing or overwhelming an organization’s cyber defenses. In the cases where prevention-based security defenses don’t work, an organization needs access to threat detection capabilities to tie anomalies on the network to potential compromise of systems and take action to remediate the incident.
Cloud Attack Detection
Almost all organizations have adopted cloud computing in some way. However, the cloud is a very different environment from on-premises deployments, and many organizations are struggling to adapt. Only about a quarter of security professionals find the Shared Responsibility Model, a crucial concept for security in the cloud, to be “very clear.
A lack of understanding about how to properly use and secure cloud resources means that many organizations likely have holes in their defenses. As a result, cyber threats may be able to gain access to these cloud deployments, possibly without the owner’s knowledge.
As a result, the use of detection-based security is essential in cloud environments. Without the confidence to say that a cloud deployment cannot be penetrated by an attacker, an organization needs the capability to identify and remediate threats that have gained access to its cloud-based resources.
Cyber threats are becoming increasingly sophisticated, and one area of active research is defense evasion. Most antivirus systems work based upon signature detection, where a unique fingerprint is generated for each malware variant.
Malware authors are aware of these defenses and are deliberately designing their malware and attack campaigns to slip through these defenses. Recent trends in malware include the use of a unique variant for each target organization and fileless malware, which doesn’t have a file to compare a signature to.
These new attack types are much more likely to slip past an organization’s cyber defenses. With MDR, an organization gains access to threat hunting capabilities that can help to identify and remediate malware infections on internal systems.
Malware Command and Control
Most malware is not designed to operate with complete autonomy. Commonly, malware communicates with one or more command and control (C2) servers to exfiltrate data, receive commands, and download additional malicious content to a compromised machine.
Since the malware’s C2 communications are key to its ability to operate, malware authors typically design malware to conceal its C2 traffic among normal traffic. Intercepting malware C2 traffic can provide an opportunity to render the malware non-functional or even to determine what operations it has performed on an infected machine.
Accomplishing this often requires capabilities beyond that of simple cybersecurity protection. With MDR, an organization can access an incident response team with experience in identifying and decoding malware C2 traffic and remediating the infection based upon extracted information.
Organizations are responsible for complying with an increasingly complicated regulatory landscape. Most of these new regulations are focused on data protection but take very different approaches to ensuring the security of this data. As a result, complying with all of the necessary regulations can be complex.
With MDR, an organization has access to experts in cybersecurity and regulatory compliance and to specialized detection capabilities for identifying intruders targeting protected data within the network. By deploying strong data security protections and implementing threat hunting capabilities, an organization can both improve their ability to achieve and maintain regulatory compliance and better defend itself against attempted data breaches.
A good cybersecurity strategy is based upon risk analysis. An organization determines its vulnerability to cyber attacks, identifies ways that it can mitigate or eliminate some risks, and accepts the risk. Ideally, the choice of security controls put in place diminishes risk to an acceptable level while remaining within the available budget.
Without detection-based security capabilities, an organization can only do so much to manage their risk. With the modern cyber threat landscape, an organization will suffer cybersecurity incidents and needs to be able to detect and remediate these intrusions. By leveraging MDR capabilities, an organization can dramatically decrease their exposure to cyber risks.
The first system that an attacker gains access to on a network is unlikely to be their final objective. An intruder will probably gain access via an employee computer and then move laterally through the network to identify and exploit more valuable systems.
Lateral movement within a network is difficult to detect without detection capabilities. Usually, an attacker gains access to one or more legitimate user accounts and leverages this access to access additional systems.
Since this mimics legitimate behavior on the network, identifying these attacks requires active detection and threat hunting capabilities. With MDR, an organization can detect and act upon indicators that point to lateral movement within their network. These include access to unusual systems in the network, use of unusual protocols, and abnormal behavior for a user account.
Most organizations have policies and procedures in place that define what activities are allowed on these systems. These policies are designed to restrict employees from taking actions that are illegal or may pose a security risk to the organization.
MDR provides an organization with the technology and expertise needed to identify when an individual is disobeying or circumventing the organization’s policies and security controls. These violations could be caused by a negligent or malicious insider or an attacker who has compromised an employee’s account. Investigation of the incident allows an organization to determine and take the appropriate actions to remediate the issue.
Watering Hole Attacks
A watering hole attack involves tricking the target into visiting a malicious website. This can either involve compromising a website known to be commonly used by the target or by creating a fake website that the target is likely to be interested in and pointing them to it.
Since watering hole attacks can make use of benign and commonly-used web pages, there may be no malicious IP addresses or other indicators of attack. Identifying and responding to this type of attack requires detection capabilities that can correlate visits to the potentially malicious website with later malicious activity on compromised systems.
Mobile Device Security
In the past, most of an organization’s assets were stationary and always connected to the enterprise network. This made it easier to defend these assets since cyber defenses placed at the network perimeter always stood between external threats and internal assets.
The modern business uses a plethora of mobile devices that can leave and reenter the company network at will. While outside the network, these devices can become infected and carry this infection into the network, past an organization’s perimeter-based defenses.
To combat these threats, an organization cannot rely upon perimeter-based prevention-focused cybersecurity solutions. Detection-based capabilities are necessary to find the threats carried into the network by infected devices and to determine and eradicate the full scope of the infection.
CollectNetwork, Cloud, Endpoints and Existing Security
- Threat Intelligence from multiple best-in-class feeds
- Vulnerability Management (regular scans with the latest vulnerability data)
- Asset Discovery (network and cloud)
- AWS and Azure Public Clouds
- Network Traffic
- Workstations, servers and devices
- Business Applications such as Office365, and GSuite
- Existing Security investments such as Firewalls, and Anti-virus
DetectExpert Security Analysts, SIEM and AI
- Expert Analysts using MITRE ATT&CK™
- Threat Hunting and continuous monitoring
- SIEM and Log Management
- Network Intrusion Detection (NIDS)
- Cloud Intrusion Detection
- File Integrity Monitoring
- Endpoint Detection & Response (full forensics)
- Behavioral Analysis
- USB Monitoring
- Dark Web Monitoring
RespondExpert Guidance and Auto-Containment
- US based Security Operations Center (SOC)
- Expert Guidance by phone and ticket
- Advanced Reporting (including pre-configured and customized)
- Respond by disable networking and/or shutdown device
- Assigned security analysts
- Respond with security products (such as Carbon Black and Palo Alto)
- Detailed Compliance Reporting and Assistance
- Guidance with tuning strategies, customized policies, and best practices