WHAT IS MDR & WHY DO YOU NEED IT?
MDR stands for Managed Detection and Response. MDR is a key element in the NIST framework for implementing a comprehensive Defense in Depth approach. The NIST Framework is composed of Identify, Protect, Detect, Respond, and Recover; Managed Detection and Response (MDR) covers the Detect and Respond elements. To put this in further context, the Pyramid of Pain (POP) is described below. Anti-Virus and Next Generation Anti-Virus (NGAV) technologies from companies like Microsoft, Symantec, Kaspersky, etc. cover aspects of prevention, which form the base of the POP. The middle and top portions of the POP are the domain of Endpoint Detection and Response (EDR) technologies and human-based threat hunting.
The detection and response portion of MDR security services is usually aimed at devices such as servers, desktops, and notebooks. The MDR term can also encompass a wider range of information security service activities that support Endpoint Detection and Response (EDR) tools. One example is the use of EDR tools together with threat hunting that leverages available third-party threat intelligence to uncover the Tactics, Techniques and Procedures (TTPs) of Advanced Persistent Threats (APTs) that would otherwise go undetected by traditional signature-based tools and prevention-focused analysis. Threat hunting is usually offered by MDR service providers as an option, and the work is conducted by Security Operations Center (SOC) analysts to enrich and improve the threat detection capabilities provided by EDR tools. These managed-service SOC analysts normally also work with other detection methods such as Security Information and Event Management (SIEM) event correlation, and can capture suspect files and run sandbox analysis to see how they behave.
MDR SECURITY SERVICES
MDR security services, including active threat hunting, are critical in uncovering advanced threats that can be found within environments of all sizes. The service is particularly attractive to organizations that do not have the budget or the desire to maintain a security team with experts in EDR, MDR, and threat hunting. That is only the start, however; the real value of MDR lies in remediating issues once they are found. The expertise to detect and respond to threats is one of the most expensive skill sets to maintain and cultivate organically inside an organization. Incident Response, the R in MDR, means that once SOC analysts have detected a threat, they isolate the impacted device or devices, identify the threat, remove it, return the impacted devices to service, and continue monitoring for additional Indicators of Compromise (IOCs) after the initial outbreak has been dealt with.
Having a comprehensive Defense in Depth approach in place at any organization requires covering all elements of the NIST framework, which together provide protection from threats from the base to the tip of the POP. There is a plethora of tools commercially available on the market that can provide Endpoint Detection and Response capability, from companies like Infocyte, Crowdstrike, BlackBerry Cylance, Carbon Black, etc. Unfortunately, simply purchasing and deploying a tool does not yield significant protection in detection and response. The technologies are complex and require specialized cybersecurity skill sets to configure, to monitor, and to respond. To do this effectively, most companies operationalize a proper Security Operations Center (SOC) with the necessary automation and human capabilities to make optimal use of EDR technologies and to gain significant protection and efficiency in the detection and response cycles.
EDR technology vendors realize this and offer their own services layered on top of their technologies at an added cost, but many companies adopt the EDR tools without employing the necessary additional human-driven SOC capabilities. Additionally, the EDR vendors also provide endpoint protection and will try to displace the AV or NGAV solutions you already have in place. From a procurement and technology management perspective they present a tempting proposition. From a fundamental cybersecurity strategy perspective, however, there is a large flaw in this approach. The inherent issue is explained by the Prevention Paradox, a term coined by incident response professionals working with the United States Air Force.
What is the Prevention Paradox? The Prevention Paradox describes how over-reliance on prevention methods, like traditional Anti-Virus, can blind an organization to attacks. Because the tools prevent every attack vector they can detect, the team loses visibility of adversaries who adapt to those defenses; when the adversary eventually bypasses them, the attack goes unnoticed for lack of detection capability. By going to a single-vendor solution and relying on it for endpoint protection, you only have visibility of what that single vendor can detect. No single vendor can detect everything.
In fact, most endpoint protection engines hover around approximately 90% detection rates. If you cannot detect the threats after prevention methods have failed to stop them, you cannot respond to what you failed to see. This is especially true in a single-vendor environment. That is why the dwell times of bad actors can be indefinitely large in such an environment: it gives the attackers the ability to slowly consolidate their efforts and launch their attacks when they are ready.
The way around the Prevention Paradox is to employ different technologies for endpoint prevention and for endpoint detection (EDR). The technologies providing these two functions must necessarily be separated. Detection is much harder for an adversary to model; they cannot readily understand how they were found and removed. In a single-technology environment, by contrast, an adversary ultimately understands the preventive measures in place and can eventually circumvent them without threat of detection and response.
PREVENTION PARADOX EXPLAINED IN A VIDEO
The EDR companies understand the Prevention Paradox, but simple economics necessitates they push a unified single solution. EDR is expensive and the market is much smaller than the market for endpoint protection. Landing endpoint protection and expanding with EDR is a very viable approach to increasing sales. The video below is a webinar Dark Rhino Security presented on the prevention paradox along with our EDR partner Infocyte™.
As a managed security service provider, Dark Rhino Security's approach to providing Defense in Depth under the NIST framework separates prevention from detection and response, provides a human-based SOC with attested security controls, and does so at a cost that small and medium businesses can readily afford when considering a comprehensive cybersecurity approach. Dark Rhino Security's MDR uses BlackBerry Cylance as the endpoint prevention technology and Infocyte as the EDR technology. DRS provides a fully managed MDR offering that utilizes a Six Sigma based approach in delivery and execution to provide a very high quality of MDR service backed by aggressive SLAs. The Managed Detection and Response service offering from Dark Rhino Security is termed Iπ&R, an acronym which stands for Incident Prevention, Incident Identification, and Response.
Managed Detection and Response services from Dark Rhino Security are aimed at Small and Medium Businesses (SMB). Many SMB clients face the same regulatory requirements and threats as much larger enterprises and infrastructure companies, but until now they had no way to address the issue.
MDR OR EDR–WHICH ONE IS RIGHT FOR YOU?
Managed Detection and Response takes a service-based approach to EDR. The key difference is MDR eliminates the need for costly personnel, as the service provider brings this expertise to the table along with the EDR solution. In the case of Managed Detection and Response providers like Dark Rhino Security, we have experienced security professionals running the EDR solution, a process driven Security Operations Center that can provide up to 24×7 monitoring, and the ability to remotely isolate, remediate, restore to service, and monitor for follow on malicious activity. All at a fraction of the cost of what a company could hope to achieve in house.
Endpoint Detection and Response is best employed by an organization that can afford to have dedicated team members who are experts in information security and in the EDR platform or tool in use. The effectiveness of a given EDR solution rests on the knowledge of those managing the tool and on the process defining the tool's employment within the environment it is meant to protect. This team must know how to piece together alerts from the EDR tool with additional threat intelligence to confirm threats. The team must then know how to isolate impacted devices, remediate the threat, return the devices to service, and monitor for follow-on outbreaks.
Dark Rhino Security's Iπ&R Service vastly exceeds the level of protection provided by simply buying an EDR tool or signing up for run-of-the-mill Managed Detection and Response security services. The name Iπ&R stands for Incident Prevention, Incident Identification, and Response. Unlike Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR), the service behind Iπ&R consists of IT security professionals deploying a suite of vendor-asymmetric tools to the client environment, as opposed to the single tool used for EDR and MDR. Iπ&R is backed by a service process developed by professionals with over 70 years of security, process, and engineering experience that provides for guaranteed response times.
The tools within the Iπ&R service provide the following capabilities which exceed Managed Detection and Response:
- Prevention – Next Generation Antivirus – Essential for prevention, and limited detection, of known and unknown malware. Powered by BlackBerry Cylance.
- Threat Detection and Response – Incident Response (IR) Solution – By monitoring for indicators of compromise with a solution and process that can uncover compromised devices regardless of whether the malware has been seen before, detection of advanced threats becomes possible. Because the solution ties into the devices themselves, upon finding IOCs on a device Dark Rhino's trained SOC personnel can remotely Isolate, Investigate, Remediate, Restore to service, and Monitor for follow-on outbreaks across environments large and small. Powered by Infocyte.
- Event Correlation – Security Information and Event Management (SIEM) – DRS has put together a proprietary SIEM solution leveraging proven technologies in use at major brand-name enterprises. DRSIEM is effective and affordable for organizations of any size, and event collection and correlation can be tuned to suit the needs of any client environment. Monitored by Dark Rhino's SOC team, events that matter are brought to the surface and can be addressed swiftly.
- Compromise Protection – Phishing Protection – Email gives attackers direct access to a company’s employees and phishing attacks are devastatingly effective. Year over year the number of phishing attacks is growing at an alarming rate. Last year, over 80% of all instances of compromise had an element that included phishing email. Dark Rhino protects user mailboxes using a method that does not try to prevent but rather detect the methods used commonly by attackers. In many cases we can remediate malicious emails in mere seconds. We can also launch educational awareness campaigns to help users learn to spot and report suspicious emails effectively removing one item that nearly all attacks have had in common.
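To make the Prevention Paradox and the event-correlation layer concrete, here is an added illustration (example code written for this page, not DRSIEM or any Dark Rhino Security or vendor code): a small correlation rule that escalates when the prevention layer (NGAV) reports a block on a host and, within a short window, the independent detection layer (EDR) still sees follow-on activity on the same host, which is exactly the case a single-vendor setup would miss. The key=value log format, field names and sample events are constructed assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not from any real environment): prevention (ngav) and
# detection (edr) events from two different vendors, normalised to one key=value line each.
SAMPLE_EVENTS = """\
2024-03-04T09:12:01Z source=ngav host=ws-017 action=blocked file=invoice.exe
2024-03-04T09:12:44Z source=edr host=ws-017 event=process_start parent=outlook.exe image=powershell.exe
2024-03-04T09:13:05Z source=edr host=ws-017 event=persistence detail=run_key
2024-03-04T09:20:00Z source=edr host=ws-042 event=process_start parent=explorer.exe image=notepad.exe
2024-03-04T11:40:10Z source=ngav host=ws-042 action=blocked file=setup.exe
"""

KV = re.compile(r"(\w+)=(\S+)")
WINDOW = timedelta(minutes=15)               # how long after a block we keep watching the host
SUSPICIOUS_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}  # assumed mail/office parents

def parse(line):
    """Turn one log line into a dict with a parsed timestamp."""
    ts, rest = line.split(" ", 1)
    ev = dict(KV.findall(rest))
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def is_followon(ev):
    """EDR telemetry suggesting the attacker got past the prevention layer."""
    if ev.get("source") != "edr":
        return False
    if ev.get("event") == "persistence":
        return True
    return ev.get("event") == "process_start" and ev.get("parent") in SUSPICIOUS_PARENTS

def correlate(text):
    """Return one escalation per NGAV block that EDR follow-on activity contradicts."""
    events = sorted((parse(l) for l in text.splitlines() if l.strip()), key=lambda e: e["ts"])
    blocks = [e for e in events if e.get("source") == "ngav" and e.get("action") == "blocked"]
    alerts = []
    for b in blocks:
        follow = [e for e in events if e["host"] == b["host"] and is_followon(e)
                  and b["ts"] <= e["ts"] <= b["ts"] + WINDOW]
        if follow:  # prevention fired, but the independent detection layer still saw activity
            alerts.append({"host": b["host"], "blocked": b["file"],
                           "followon": [e["event"] for e in follow]})
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ESCALATE {a['host']}: NGAV blocked {a['blocked']} but EDR then saw {a['followon']}")
```

Only ws-017 is escalated: the block on ws-042 has no EDR activity after it, and the notepad launch from explorer on ws-042 is benign by the rule.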
WHY CHOOSE US?
WE’RE DRIVEN BY VALUE INNOVATION
We’ve developed strategic partnerships and vendor relationships with industry experts to offer world-class tools at exceptional rates. We’re constantly scanning the market to modernize our services, thus equipping our clients with comprehensive solutions and an infallible security posture. We render the competition irrelevant through value innovation, thus opening market opportunities that have historically been untapped.
Protecting all aspects of your business is our priority. Our dedicated staff will coordinate an exhaustive consultation process with your team to understand your unique requirements. From the conception phase to post-project support, we promise to deliver custom solutions to suit your needs, every step of the way!
Whether you require a turn-key solution or select services to address gaps with your in-house security team, we’ve got you covered! Our polyvalent approach is designed to improve your on-premise and cloud-based cybersecurity posture, around the clock, no matter the size of your company, infrastructure and budget.
We have multiple teams readily available and are constantly expanding to new markets. Along with our head office in Columbus (US), we have experts in London (UK), Montréal (Canada) and Copenhagen (Denmark).
WE GIVE BACK
We support organizations that have a positive impact in their communities. We invest in philanthropic programs and rally around charitable work and causes that are important, because it’s part of our core values.
In recognition of their service to our country, Dark Rhino Security actively seeks to recruit and employ veterans throughout its workforce. The brave service members who have served our nation's interests deserve employment and academic opportunities once their military service is at an end. We are very proud that almost 50% of our team have served our country.
Our team is highly certified and offers training. Because our field is constantly evolving, we prioritize ongoing education and invest in cutting-edge technologies to respond to emerging trends with razor-sharp precision. As a result, our skilled engineers can deliver in-depth cybersecurity training to professionals of all paths.
Client Success Story: How DRS Implemented a Robust IAM Solution on Complex Legacy Systems with Minimal Operational Downtime
Our client, a major player in North American cross-border trade, has service locations at major gateways along the Canada-U.S. border, in addition to trusted logistics partners around the world. They help ensure on-time and cost-effective distribution of their customers’ goods and offer services to importers and exporters across the continent. They use real-time and innovative technology tools, web portals and service specialists to provide a wide variety of time-sensitive and logistically complex services. They facilitate global trade through Canada/U.S. customs [...]