
MANAGED SECURITY

Small and Medium Businesses have all recently started to suffer from the same security issue. Digital threats have been evolving in recent years and have now reached a point where they can no longer be detected and defeated just by deploying endpoint security solutions such as antivirus or EDR.

Complex threats require complex detections, and those require dedicated security experts. Needless to say, a fully fledged 24/7 security team is by all means unaffordable for an SMB. But there’s good news: we are here to help you by managing those security solutions, so your team can be relieved of the headache.

With our expert team managing your security technologies, we provide you with continuous monitoring and proactive defense of your digital environment. Your IT team will be able to focus again on your core business activities confident that we are safeguarding your digital assets 24/7.

What is managed detection and response (MDR)?

Managed Detection and Response (MDR) is a cybersecurity service that combines Endpoint Detection and Response (EDR) technology with human expertise to rapidly identify and limit the impact of threats by performing 24/7 security monitoring, threat hunting, and instant response.

MDR is essentially the only security solution that bundles an EDR with a “Blue Team” of security experts, all at an SMB-affordable price. So, this service’s main benefit is that it quickly helps limit the impact of threats without the need for additional staffing, which can be overly expensive.

Since cloud assets are vital as well, we also offer Detection & Response services for non-endpoint assets such as M365 accounts, where an EDR is not available but threats must still be monitored in similar ways. This ensures organization-wide coverage in hybrid environments.

MDR benefits

Organizations using an MDR solution can immediately reduce their breach time-to-detect (and thus, time to respond) from the average 204 days to as little as a few minutes — thereby drastically reducing the impact of a security event.

Companies can also:

  • Greatly improve security posture and become more resilient to potential attacks by proactively hunting every suspicious event and starting investigations.
  • Quickly discover intruders as soon as they try to establish initial access to your systems, thanks to non-stop security monitoring.
  • Identify and kill hidden, complex threats that were lurking in your network as soon as MDR is deployed, thanks to proactive threat hunting.
  • Relieve your in-house IT teams of the burden of being in charge of security management. Modern threats require security specialists to be identified and stopped.

Operational Challenges without MDR

Challenge #1: Security Personnel and Budget

In-house defensive security teams working 24/7, also known as Blue Teams, are only affordable for very large corporations. This leaves SMBs stranded with traditional security technologies and overall half-blind solutions. Even well-known EDR products are designed to be managed by expert security analysts, so if they are deployed and left on their own, their ability to detect and stop threats decreases significantly.

Challenge #2: Alert Fatigue

Even if some security experts could be hired, the infrastructure and staff required to properly detect, investigate and quickly respond to all the incidents happening in real time keep growing, as does the quantity of alerts and events generated all the time.

This leads to what’s known as “Alert Fatigue”, which saturates limited security teams with alerts to review, leading to high chances of threats slipping by as regular activity. This is even worse nowadays, since endpoints multiply in the form of IoT devices, remote workers, supply chain partners, and hybrid networks.

Endpoint & Cloud Managed Security

To ensure full security coverage of your organization, we offer two Managed Detection & Response flavors: Endpoint protection, and Cloud protection for Microsoft 365. They can be deployed separately (for example, in cloud-only or on-premises environments) or integrated together in hybrid structures.

ENDPOINT Managed EDR

To protect all your Windows and macOS endpoints, we provide you with an EDR agent that will be managed by our team of security experts 24/7. This means that every single alert and event raised by the EDR will be monitored, processed, triaged and, if suspicious, investigated, so that the threat is neutralized and you are guided through every remediation step. We’ll cover you from the first hints of suspicious activity all the way to remediation.

MDR for Microsoft 365

Microsoft’s cloud integrations are very common in today’s corporations, and M365 accounts are an increasingly targeted asset due to their lack of security monitoring. We will help you change that through Microsoft 365 Managed Detection and Response. Our expert security team will collect all sorts of events, identify suspicious behaviors, analyze them, and neutralize the threats found in real time. Some common events that we will investigate are suspicious logins, malicious inbox rules, and privilege escalations, all of them capable of leading to a Business Email Compromise if not detected.
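The "malicious inbox rules" case above is a classic Business Email Compromise pattern: an attacker who has a mailbox creates a rule that forwards, deletes or hides messages about invoices or passwords. As an added illustration of what such a detection looks like (example code written for this page, not the provider's own tooling), the script below scores constructed audit-log-style records. The record layout (Operation, UserId, Parameters as Name/Value pairs) is a simplified assumption loosely modelled on Microsoft 365 unified audit log entries, and the sample records, domain names and thresholds are all constructed.

```python
import json

# Constructed sample records, loosely modelled on M365 unified audit log entries.
# The field layout is an assumption for illustration, not the exact real schema.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.test",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "MoveToFolder", "Value": "Finance"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.test",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "password;invoice;urgent"},
                    {"Name": "ForwardTo", "Value": "attacker@external.test"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.test",
     "Parameters": [{"Name": "Identity", "Value": "Archive"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "UserLoggedIn", "UserId": "dave@example.test", "Parameters": []},
]

INTERNAL_DOMAINS = {"example.test"}  # constructed tenant domain
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Folders users rarely open; attackers park stolen or replied-to mail there.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
SUSPICIOUS_KEYWORDS = {"password", "invoice", "payment", "wire", "urgent", "bank"}


def rule_parameters(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address):
    """True when the recipient domain is not one of the tenant's own domains."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in INTERNAL_DOMAINS


def score_inbox_rule(record):
    """Return the list of reasons a rule-change record looks like BEC tradecraft."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = rule_parameters(record)
    reasons = []
    for name in sorted(FORWARDING_PARAMS & params.keys()):
        if is_external(params[name]):
            reasons.append(f"forwards mail externally via {name}={params[name]}")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching messages")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves messages to a rarely read folder ({params['MoveToFolder']})")
    if params.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks messages as read")
    words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";")}
    hits = words & SUSPICIOUS_KEYWORDS
    if hits:
        reasons.append(f"filters on financial/security keywords: {sorted(hits)}")
    name = params.get("Name", "")
    if name and not name.strip(". ,-_"):
        reasons.append(f"rule name is non-descriptive ({name!r})")
    return reasons


def detect_malicious_inbox_rules(records, min_reasons=2):
    """Raise an alert when a rule change shows at least min_reasons indicators."""
    alerts = []
    for record in records:
        reasons = score_inbox_rule(record)
        if len(reasons) >= min_reasons:
            alerts.append({"user": record["UserId"],
                           "operation": record["Operation"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_malicious_inbox_rules(SAMPLE_RECORDS), indent=2))
```

Requiring two indicators keeps a legitimate "move invoices to Finance" rule (one keyword hit only) out of the alert queue, while the external-forward-plus-delete rule and the "hide in RSS Subscriptions and mark as read" rule both surface. A real deployment would tune the keyword list and the hiding folders per tenant and enrich each alert with the sign-in that preceded the rule change.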

How MDR works

Through the Managed Detection and Response service, all of your organization’s threat intelligence, advanced analytics, and forensic data are passed to our expert human analysts to remotely monitor, detect, and respond to threats found within your organization. They will also perform triage on the raised alerts and determine the appropriate response to reduce the impact and risk of confirmed incidents.

Our MDR service bundles an externalized, fully fledged security team including a human-led 24/7 Security Operations Center (SOC) monitoring, Threat Hunters for proactive investigation and neutralization of bad actors and malware, incident reports and most importantly, guided and one-click remediations. For endpoints, our lightweight and telemetry-rich EDR is provided as well.

Our MDR service works as follows:

01: Collection

In protected endpoints and M365 cloud accounts, our security experts look for signs and events indicating that there are threat actors or malware performing malicious activities.

02: Analysis

Once events are collected, we move beyond automated detection with contextually aware, human-verified analysis. Our SOC analysts review all the available telemetry to catch even the sneakiest threats.

03: Investigation

Once any suspicious event is detected, an investigation is immediately started by the Threat Hunting team. They are specialized in searching every corner possible to discover and kill any live threats and attackers in your systems.

04: Incident Report

After investigating the incident and neutralizing the threats, we send you a custom incident report to share our findings and outline next steps.

05: Remediation

We will proceed to apply mitigations depending on the severity of the incident and on the response actions previously agreed with each specific customer. This will all be defined personally during the onboarding process.

MDR Service – FAQs

Can your MDR Service replace my current EDR solution on my Endpoints?

Absolutely. We will provide a fully featured EDR agent, managed by our team, which will be deployed on the endpoints to protect. Our agent is agnostic of other EDR agents on your endpoints, so if you decide to start a free demo of our service, you won’t need to uninstall your other security solutions.

This new EDR’s telemetry is what our team will be processing and analyzing. The key difference now is that it will be investigated in real time, whereas in an EDR-only scenario it is all “thrown away”. Some example telemetry sources are Process Events (new processes, state, privileges, loaded modules…), User Events (logon events, failed authentications…), Registry Events (key/value states, new entries…), File Events (Create – Read – Update – Delete for monitored files), network events, autoruns, scheduled tasks and many more. Contact us for the full technical details.

What access is needed for your MDR service to operate?

We will always have the least possible access to your networks, limited to what is strictly necessary, to avoid supply-chain risks.

  • Managed EDR Agent on your endpoints: Once the EDR agent is installed, we can operate completely. No need at all for domain accounts or anything similar.
  • MDR for M365 Accounts: Audit logging will be enabled on your tenant, and during onboarding you will use a Global Admin account of yours to grant us access to logs, incidents, security events and mailbox settings (NOT the mails themselves; we don’t need to scan or read those), among some others.

How will the remediations work?

All threats found will be neutralized as soon as possible. For example, a host used by attackers as an initial access point may be isolated to stop the threat, after which further actions have to be taken. It will depend on the severity of the issue: malware artifacts will be quarantined or removed instantly, but a compromised user account can simply be frozen until you, as the administrator, change its password.

This decision-making procedure will all be discussed and defined with our customers prior to the service deployment.

There are certain mitigation steps which we cannot perform, mostly Active Directory related. For example, the attacker may have created a malicious GPO, or a domain user with replication privileges. The threat will have been stopped and neutralized of course, but we can’t delete these attacker traces at an endpoint level, so your IT administrative team will be given the exact and concise tasks to do. Following this example: delete the malicious GPO whose GUID is “xxxxx”. Alternatively, it is up to the customer to grant us temporary access or similar so that we can implement the mitigations ourselves.

How will the MDR provider communicate with your team?

Communication between our customers and us, the service providers, will be defined prior to deployment, establishing channels for each type of interaction.

Also, at some point we will hand off our workflow to your team, usually for remediations. The decision-making procedures will all have been agreed previously (see the FAQ above).

Is your service 24/7?

The vast majority of organizations do not staff their security operations around the clock. Our MDR service will bring you coverage around the clock, because while law-abiding citizens are sleeping, attackers are hard at work.

Sounds interesting, but why would I change my current EDR solution?

We have an entire article explaining how EDRs work, and why they are not enough by themselves to stop modern malware. There’s even a custom malware artifact we made to show how it bypasses a major EDR vendor’s detections. Link here!

EDR products are amazing and really valuable. However, they are designed as a tool for security Blue Teams, that is, defensive security teams. EDRs are very complex and difficult to use in depth, and processing the telemetry they provide is basically impossible for most IT teams, since that requires a complex infrastructure and, again, 24/7 coverage. Otherwise attackers just have to wait until non-office hours.

Salespeople and EDR providers have pushed this technology hard on almost all SMBs out there, and while it does work standalone thanks to decision algorithms and cloud machine learning, it falls short against complex attacks, which are increasingly common. The attackers are usually recorded in the EDR’s telemetry; it’s just that no one is processing it.

Interested in Managed Security?

Contact our team if you want to start a free 30-day, fully featured MDR demo!
Contact Us