Slide 1: Critical Capabilities for Managed Detection & Response (MDR) Services
Know Before You Buy
© Fidelis Cybersecurity
Slide 2: Agenda & Speakers
• Introductions
• How MDR Evolved
• Critical Capabilities
• MDR vs MSS
• Best Practices

Speakers:
• Tom Clare, Product/Technical Marketing and Analyst Relations, Fidelis Cybersecurity
• Mike Stewart, Vice President, Security Consulting Services, Fidelis Cybersecurity
Slide 3: How Did MDR Evolve?
MSSPs…
• Focused on security monitoring
• Ignored customer needs for response
Security Teams…
• Invested in EDR tools
• Lacked skills to extract value
• Short supply of skilled resources
MDR Requires…
• Network and endpoint visibility
• Detection beyond regular expressions
• 24/7 pre-approved responses
Slide 4: Why MDR? (15X growth by 2020)
• Lack of internal skills and expertise
• Invest beyond security prevention
• Address threat detection and response
• 24/7 coverage requires 8-12 FTEs
[Chart comparing Mid-Sized Enterprises and Extra-Large Enterprises]
Slide 5: MDR Critical Capabilities
• Managed EDR is the most visible
• Broader MDR services include:
  - Network Traffic Analysis (NTA)
  - Endpoint Monitoring (EDR)
  - Deception Technologies
  - Advanced Analytics / Threat Intelligence
  - Lightweight Incident Validation & Response
  - Expertise and Experience
  - Analyst Communications
• Full Incident Response (IR) retainers are an option for large incidents
Slide 6: ‘Response’ is Defining MDR Services
• Customers desire lightweight response services with MDR
• Disrupt and contain threats until IT resources are back in the office:
  - Blocking network activity via DNS requests and TCP resets
  - Isolating a process or a host from the network using an endpoint agent
  - Integrating with a customer's network access control (NAC) tool
  - Changing firewall rules via APIs, watchlists and rule updates
  - Locking and suspending user accounts
Slide 7: MDR Curated Technology Stacks
[Stack diagram; recoverable labels:]
• Endpoint Detection & Response (EDR)
• Network Traffic Analysis (NTA): Direct, Internal, Cloud, Email, Web
• Deception
• Sandboxing
• Metadata
• ML Anomaly Detection
• Cross-Session Analysis
• Multi-faceted Analysis
• Content & Context
• Real-time & Retrospective
• Threat Intelligence
• Threat Detection
• Query, Pivot and Hunt
Slide 8: Data Options
NetFlows
- Source/Destination
- Transport/Service
- Date/Time/Duration
- Not Enough Data
- No Content/Context
SIEMs/Logs
- Unstructured Logs
- Normalize/Correlate
- Activity & Timelines
- Compliance/Audits
- Slow to Query/Hunt
- Rarely Detect Threats
Metadata
- Applications/Content
- Custom Tagging
- Indexed, Ready to Use
- Threat Detection/Hunting
- Data Loss & Theft
- Cross-Session Analysis
- 90% of Data, 20% of Cost
Packet Captures (PCAPs)
- Raw Packet Data
- Encoded, Unassembled
- Forensic Evidence
- Expensive to Store
- Cannot Apply Threat Intel.
- Unable to Query
Slide 9: MDR Pricing
• Full MDR Services average $100/endpoint: full security stack, metadata, detection and response services, analyst interaction
• Light MDR Services as low as $10/endpoint: email alerts, threat detection service, cloud-based, short time window (e.g. 7 days)
Slide 10: MDR vs MSS
Managed Detection & Response versus Managed Security Services
Slide 11: Converging Markets
[Diagram with three segments: Basic MSS, Basic MDR, Advanced MDR/MSS]
Slide 12: Characteristics (Basic MSS, Basic MDR, Advanced MDR/MSS)
• Security technology management
• Compliance monitoring & reporting
• Technology agnostic threat monitoring
• Other managed services
• Managed EDR, NTA, etc.
• Managed threat hunting
• Incident response services
• Turnkey technology stack
• Basic incident response
• Threat containment
Slide 13: MDR vs MSS Comparison
Characteristic | MDR | MSS
Deployment Time | Simple, Days or Weeks | Complex, Infrastructure, Months
Data Sources | Curated Technology Stack | Customer Determined
Remote Management | Their Stack Only | Most Common Security Controls
Interface | Analyst (Voice, Email) | Email and Portal
Incident Response | Remote Lightweight Included, On-site IR via Retainer | Via Retainer (MDR, IR)
Containment | Tech. Stack via Scripts/APIs or Customer Security Controls | Full Management of Security Controls
Compliance Reporting | Very Rarely | Yes
SLAs | Rarely | Yes
Slide 14: Buyer Beware
• MSSPs adopting MDR marketing should be met with healthy skepticism
• Many MSSPs provide security event monitoring, basic threat detection, and alerting services
• Security event monitoring services are not meeting expectations and have produced negative customer experiences
• Validate the turnkey technology stack and threat hunting skills of MSSPs
• Often these are managed EDR and basic threat detection services
• EDR alone is good at response, less so at detection
Slide 15: Competitive Playing Field
The competitive playing field for MDR comprises the following:
• MSSPs and consultancies broadening current portfolios with specialized offerings
• Product vendors wrapping services around software to facilitate adoption
• Niche start-ups focused on delivering MDR, and only MDR
• Failed MSSPs switching to MDR, the most troubling option
Slide 16: Fidelis MDR Service
Slide 17: 24x7 Managed Detection and Response (MDR)
Let Us Be Your Threat Hunting and Data Leakage Mitigation Team
Deep Visibility and Automated Detection and Response across your Network, Endpoints, Cloud and Enterprise IoT Devices
• Full service solution focused on detection, response and remediation, managed and monitored by security experts:
  - Discover and Classify Network Assets
  - Enforce Network Detection and Response (NTA)
  - Data Leakage Prevention (DLP)
  - Endpoint Detection and Response (EDR)
  - Deception to identify existing intruders or insider threats
• Verifies and enforces your security policies and compliance requirements to ensure the highest standards
Slide 18: Fidelis Professional Services
Incident Response
• Retainers
• Subject Matter Experts
Customer Success
• Security Program Review
• IR Readiness Assessment
• SOC Assessment
Product
• Implementations
• Training
• Cloud Delivery/Subscription
A team of highly experienced security assessment and IR professionals who have helped some of the largest organizations investigate and respond to breaches in over 4,000 engagements.
Slide 19: Fidelis Services: Incident Response Experience Earned on the Front Lines
• Responded to large security cases in commercial and government sectors
• Instrumental in building large Government and Commercial security operations centers
• Critical roles in the indictment and conviction of multiple organized international cyber criminals
• Key members of the security team have, on average, over 18 years of incident response experience
Our security professionals have decades of experience assisting organizations of all sizes prepare for and respond to security incidents.
[Diagram: Full IR Lifecycle, Advanced Technology, Security Expertise, Proven Process]
Slide 20: Fidelis Services: Full Incident Response Lifecycle
Initial Response
• Triage
• Scope
• SITREP
• Actions Taken
• Planned Actions
• Capabilities
Investigation & Containment
• Evidence
• Forensics
• Malware RE
• IOCs
• Monitoring
• Taxonomy and Timelines
Expulsion
• 72 hour Plan
• Monitoring
• Validation
• Tracking
Remediation
• Restore
• Report
• Roadmap
• SME Support
• Training
• Processes
• Policy
Slide 21: Fidelis Services: Preparation
1. Need to follow a security standard that accounts for all enterprise networks, systems, and data (not just regulatory)
2. Need full data accountability and risk (Data Characterization)
3. Know your vulnerabilities
   A. Red Team
   B. Pentest
   C. Vulnerability Management
4. Prearrange 3rd party IR help
   A. Outside Counsel
   B. Forensics
   C. IR Support
   D. Law Enforcement
   E. Help Desk for customer support
   F. Cyber Insurance
Slide 22: Fidelis Services: Detection
1. Need full enterprise visibility across the network and endpoints for situational awareness
2. Need lateral visibility
3. Security policy that supports enterprise-wide response authority
4. Have a Continuity of Operations Plan (COOP)
Slide 23: Fidelis Services: Response
1. Need an exercised IR plan
   A. Communications plan
   B. Ensure your IR plan covers regulatory requirements
   C. War room plan
   D. 3rd party integration
   E. IR tracking software and repository
2. Decide on your response based on capabilities
   A. Immediate
   B. Delayed
3. Don’t stomp on evidence
   A. Collect evidence before remediation
   B. Don’t cut off attackers without external advice
4. Know when to call in experts and counsel for privilege
Slide 24: Selecting MDR Services
• Advanced Technology
• Expert Partner
• Processes and Threat Hunting
• Constantly Monitor Security Stack for the Next Smoking Gun
• Validated Alerts
• Critical Remediation Authority
Slide 25: Questions?


Editor's Notes

  • #2 Critical Capabilities for MDR Services – Public Presentation Fidelis Cybersecurity, Inc.
  • #18 While we have many customers who rely on our products, many do not have the teams or skillsets to leverage the full value of our detection and response capabilities, so we also offer a 24x7 MDR service with our IR and SOC experts running our platform. You only see alerts that are critical to your business. We can hunt for threats before they reach critical mass and we can eradicate threats from your environment. All of this allows you to focus on your primary business.
  • #20 The Fidelis Security Consulting Services team is comprised of industry-leading forensic experts, experienced network security engineers, and dedicated malware reverse engineering specialists who use their deep understanding of malware tactics, techniques, and the advanced threat landscape to stop exploitation by attackers. Our security consulting team combines experience and expertise to respond to advanced malware attacks, insider theft of IP, and coordinated attacks across a multitude of government and commercial sector clients.
  • #21 Here we discuss the phases of a breach and how we support counsel. What are the 3 or 4 basic questions? How did they get in, what did they take/see, how many, are they still here? Program Managers & Architect assigned to each engagement. Facilitate communications between counsel and client, handling privilege. Effective coordination with the IT and security team of the client, and use of their tools. Solid acquisition of evidence and chain of custody (logs, images, Columbia Facility). Monitoring capabilities during and after the breach, through the incident lifecycle. Scale resources up or down as needed; handle remote breaches. SOW is focused. People are former DoD/Law Enforcement and respect confidentiality (Sony and Target reputation damage resulting from leaks).