Critical Capabilities for MDR Services - What to Know Before You Buy
•Download as PPTX, PDF•
2 likes•871 views
24/7 coverage and skills shortages for post breach detection and response are driving the need for Managed Detection and Response (MDR) Services. Analysts are predicting 15X growth for MDR services over the next few years as security leaders shift their focus from prevention to detection knowing attacks are evading existing defenses, often without malware by using macros and scripts. Managed services often use MDR marketing messages and this sometimes results in their security monitoring services not meeting expectations. Buyers must learn what to look for in an MDR solution to avoid falling into this trap.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Critical Capabilities for MDR Services - What to Know Before You Buy
Similar to Critical Capabilities for MDR Services - What to Know Before You Buy (20)
More from Fidelis Cybersecurity
More from Fidelis Cybersecurity (15)
Recently uploaded
Recently uploaded (20)
Critical Capabilities for MDR Services - What to Know Before You Buy
- 1. Critical Capabilities for Managed Detection & Response (MDR) Services Know Before You Buy
- 2. © Fidelis Cybersecurity Agenda & Speakers • Introductions • How MDR Evolved • Critical Capabilities • MDR vs MSS • Best Practices Tom Clare Product/Technical Marketing Analyst Relations Fidelis Cybersecurity Mike Stewart Vice President Security Consulting Services Fidelis Cybersecurity 2
- 3. © Fidelis Cybersecurity How Did MDR Evolve? MSSPs… • Focused on security monitoring • Ignored customer needs for response Security Teams… • Invested in EDR tools • Lacked skills to extract value • Short supply of skilled resources MDR Requires… • Network and endpoint visibility • Detection beyond regular expressions • 24/7 pre-approved responses 3
- 4. © Fidelis Cybersecurity Why MDR? 15X Growth by 2020 • Lack of internal skills and expertise • Invest beyond security prevention • Address threat detection and response • 24/7 coverage requires 8-12 FTEs Mid-Sized Enterprises Extra-Large Enterprises 4
- 5. © Fidelis Cybersecurity MDR Critical Capabilities • Managed EDR is the most visible • Broader MDR services include: Network Traffic Analysis (NTA) Endpoint Monitoring (EDR) Deception Technologies Advanced Analytics / Threat Intelligence Lightweight Incident Validation & Response Expertise and Experience Analyst Communications • Full Incident Response (IR) retainers are an option for large incidents 5
- 6. © Fidelis Cybersecurity ‘Response’ is Defining MDR Services • Customers desire lightweight response services with MDR • Disrupt and contain threats until IT resources are back in office Blocking network activity via DNS requests and TCP resets Isolating a process or a host from the network using an endpoint agent Integrating with a customer's network access control (NAC) tool Changing firewall rules via APIs, watchlists and rule updates Locking and suspending user accounts 6
- 7. © Fidelis Cybersecurity MDR Curated Technology Stacks Endpoint Detection & Response (EDR) Network Traffic Analysis (NTA) - Direct - Internal - Cloud - Email - Web Deception Sandboxing METADATA ML Anomaly Detection Cross-Session Analysis Multi-faceted Analysis Content & Context Real-time & Retrospective Threat Intelligence Threat Detection Query, Pivot and Hunt 7
- 8. © Fidelis Cybersecurity Data Options NetFlows - Source/Destination - Transport/Service - Date/Time/Duration - Not Enough Data - No Content/Context SIEMs/Logs - Unstructured Logs - Normalize/Correlate - Activity & Timelines - Compliance/Audits - Slow to Query/Hunt - Rarely Detect Threats Metadata - Applications/Content - Custom Tagging - Indexed, Ready to Use - Threat Detection/Hunting - Data Loss & Theft - Cross-Session Analysis - 90% of Data, 20% of Cost Packet Captures (PCAPs) - Raw Packet Data - Encoded, Unassembled - Forensic Evidence - Expensive to Store - Cannot Apply Threat Intel. - Unable to Query 8
- 9. © Fidelis Cybersecurity MDR Pricing • Full MDR Services average $100/endpoint Full security stack, metadata, detection and response services, analyst interaction • Light MDR Services as low as $10/endpoint Email alerts, threat detection service, cloud-based, short time window (e.g. 7-days) $100/ep$10/ep 9
- 10. © Fidelis Cybersecurity MDR vs MSS Managed Detection & Response versus Managed Security Services 10
- 11. © Fidelis Cybersecurity Converging Markets Basic MSS Basic MDR Advanced MDR/MSS 11
- 12. © Fidelis Cybersecurity Characteristics • Security technology management • Compliance monitoring & reporting • Technology agnostic threat monitoring • Other managed services • Managed EDR, NTA, etc. • Managed threat hunting • Incident response services • Turnkey technology stack • Basic incident response • Threat containment 12 Basic MSS Basic MDR Advanced MDR/MSS
- 13. © Fidelis Cybersecurity MDR vs MSS Comparison Characteristic MDR MSS Deployment Time Simple, Days or Weeks Complex, Infrastructure, Months Data Sources Curated Technology Stack Customer Determined Remote Management Their Stack Only Most Common Security Controls Interface Analyst (Voice, Email) Email and Portal Incident Response Remote Lightweight Included, On-site IR via Retainer Via Retainer (MDR, IR) Containment Tech. Stack via Scripts/ APIs or Customer Security Controls Full Management of Security Controls Compliance Reporting Very Rarely Yes SLAs Rarely Yes 13
- 14. © Fidelis Cybersecurity Buyer Beware • MSSPs adopting MDR marketing should be met with healthy skepticism • Many MSSPs provide security event monitoring, basic threat detection, and alerting services • Security event monitoring services are not meeting expectations, also negative experiences • Validate turnkey technology stack and threat hunting skills of MSSPs • Often managed EDR and basic threat detection services • EDR alone good at response, not as much for detection 14
- 15. © Fidelis Cybersecurity Competitive Playing Field The competitive playing field for MDR compromises of the following: • MSSPs and consultancies broadening current portfolios with specialized offerings • Product vendors wrapping services around software to facilitate adoption • Niche start-ups focused on delivering MDR, and only MDR • Failed MSSPs switching to MDR as the most troubling option 15
- 16. © Fidelis Cybersecurity Fidelis MDR Service 16
- 17. © Fidelis Cybersecurity 24x7 Managed Detection and Response (MDR) Let Us Be Your Threat Hunting and Data Leakage Mitigation Team 17 Deep Visibility and Automated Detection and Response across your Network, Endpoints, Cloud and Enterprise IoT Devices • Full service solution focused on detection, response and remediation - managed and monitored by security experts Discover and Classify Network Assets Enforce Network Detection and Response (NTA) Data Leakage Prevention (DLP) Endpoint Detection and Response (EDR) Deception to identify existing intruders or insider threats • Verifies and enforces your security policies and compliance requirements to ensure the highest standards
- 18. © Fidelis Cybersecurity Fidelis Professional Services 18 Incident Response • Retainers • Subject Matter Experts Customer Success • Security Program Review • IR Readiness Assessment • SOC Assessment Product • Implementations • Training • Cloud Delivery/Subscription A team of highly experienced security assessment and IR professionals who have helped some of the largest organizations investigate and respond to breaches in over 4,000 engagements
- 19. © Fidelis Cybersecurity • Responded to large security cases in commercial and government sectors • Instrumental in building large Government and Commercial security operations centers • Critical roles in the indictment and conviction of multiple organized international cyber criminals • Key members of the security team on average, have over 18 years of incident response experience 19 SECURITY EXPERTISE PROVEN PROCESS ADVANCED TECHNOLOGY Our security professionals have decades of experience assisting organizations of all sizes prepare and respond to security incidents Full IR Lifecycle Advanced Technology Security Expertise Proven Process Fidelis Services: Incident Response Experience Earned on the Front Lines
- 20. © Fidelis Cybersecurity Full Incident Response Lifecycle 20 Initial Response Investigation & Containment RemediationExpulsion • Triage • Scope • SITREP • Actions Taken • Planned Actions • Capabilities • Evidence • Forensics • Malware RE • IOCs • Monitoring • Taxonomy and Timelines • 72 hour Plan • Monitoring • Validation • Tracking • Restore • Report • Roadmap • SME Support • Training • Processes • Policy Fidelis Services: Full Incident Response Lifecycle
- 21. © Fidelis Cybersecurity Fidelis Services: Preparation 1.Need to follow a Security Standard accounts for all enterprise Networks, Systems, and Data (not just regulatory) 2.Need full data accountability and risk (Data Characterization) 3.Know your vulnerabilities A. Red Team B. Pentest C. Vulnerability Management 4.Prearrange 3rd Party IR help A. Outside Counsel B. Forensics C. IR Support D. Law Enforcement E. Help Desk for customer support F. Cyber Insurance 21
- 22. © Fidelis Cybersecurity Fidelis Services: Detection 1.Need full enterprise visibility across the network and endpoints for situational awareness 2.Need lateral visibility 3.Security Policy that supports enterprise wide response Authority 4.Have a Continuity of Operations Plan (COOP) 22
- 23. © Fidelis Cybersecurity Fidelis Services: Response 1.Need an exercised IR plan A. Communications Plan B. Ensure your IR plan covers regulatory requirements C. War room plan D. 3rd party integration E. IR tracking software and repository 2.Decide on your response based on capabilities A. Immediate B. Delayed 3.Don’t stomp on evidence A. Collect evidence before remediation B. Don’t cut off attackers without external advice 4.Know when to call in experts and counsel for privilege 23
- 24. © Fidelis Cybersecurity Selecting MDR Services • Advanced Technology • Expert Partner • Processes and Threat Hunting • Constantly Monitor Security Stack for the Next Smoking Gun • Validated Alerts • Critical Remediation Authority 24
- 25. Questions?
Editor's Notes
- Critical Capabilities for MDR Services – Public Presentation Fidelis Cybersecurity, Inc.
- While we have many customers who rely on our products, many do not have the teams or skillsets to leverage the full value of our detection and response capabilities, so we also offer a 24x7 MDR service with our IR and SOC experts running our platform. You only see alerts that are critical to your business. We can hunt for threats before they reach critical mass and we can eradicate threats from your environment. All of this allows you to focus on your primary business.
- The Fidelis Security Consulting Services team is comprised of industry-leading forensic experts, experienced network security engineers, and dedicated malware reverse engineering specialists who use their deep understanding of malware tactics, techniques, and the advanced threat landscape to stop exploitation by attackers. Our security consulting team combines experience and expertise to respond to advanced malware attacks, insider theft of IP, and coordinated attacks across a multitude of government and commercial sector clients.
- Here we discuss the phases of a breach and how we support counsel What are the 3 or 4 basic questions….how did they get in, what did they take/see, how many, are they still here? Program Managers & Architect assigned to each engagement Facilitate Communications between counsel and client, handling privilege Effective coordination with IT and Security team of client, and use of their tools Solid acquisition of evidence and chain of custody (logs, images, Columbia Facility); Monitoring capabilities during and after the breach, through the incident lifecycle. Scale resources up or down as needed, handle remote breaches; SOW is focused; People are former DoD/Law Enforcement, respect confidentiality (Sony and Target reputation damage resulting from leaks)