This is part one of a four-part CrowdStrike Managed Detection and Response (MDR) series.
The very first thing you should know about MDR providers is that the best service can only exist with the best technology. What separates the wheat from the chaff when it comes to MDR providers is most often their technology. You can't expect Dale Earnhardt to win the Daytona 500 in an old Model T; the same is true for solution providers. Good solutions require good technological capability.
These days, one of the most important pieces of an MDR solution is its cloud-first connection. Too many problems can exist with the endpoint security solution, preventing it from making the necessary connections or archiving the necessary data to perform its function. The modern workforce is incredibly mobile, even more so as many companies remain in a remote work status due to the pandemic, and laptops and mobile devices are often connecting through unknown networks. This setup requires that the MDR provider be able to communicate with the endpoint no matter where you are in the world or what network you're on.
Next, machine learning is really table stakes in 2020. If you're relying on a signature file to download and tell you if you're getting pwned, you're already in trouble. This is like waiting for the Pony Express to arrive with your delivery when you never found out the rider was ambushed and isn't coming. Today's leading MDR technologies are built on machine learning capabilities that allow for greater statistical analysis. Due to a shifting threat landscape, any machine learning should also be coupled with behavior-based analytics and protections. Any behavior-based analytics should cover both pre-execution and post-execution attacks.
Endpoint detection and response (EDR) is also an important part of your technology and will come into use during investigative phases. It's important to evaluate your solution provider early to identify whether this is in their solution set. Without this capability, your solution provider will be natively limited in their ability to conduct comprehensive investigative analysis of suspicious events. This leads me to threat hunting. Threat hunting and EDR are similar in nature but in actuality are different technologies. EDR allows you to see the attack path and execution on an endpoint, while threat hunting allows you to take the indicator of compromise (IOC) or indicator of attack (IOA) and search your environment for the same signature on other endpoints. Not all MDR solutions give your provider the ability to threat hunt.
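To make the EDR-versus-threat-hunting distinction concrete, here is an added example (not NuHarbor's code or any real EDR product's API) that runs both views over a handful of constructed process-start events: the EDR view walks parent links on one host to reconstruct the attack path, and the hunting view pivots a single IOC across every host. The field names and the short `sha256` values are assumptions made up for the example, not real hashes.

```python
"""Added example: EDR-style attack path on one host vs. IOC pivot across all hosts."""
from collections import defaultdict

# Constructed endpoint telemetry, one record per process-start event.
# The schema (host, pid, ppid, image, sha256) is an assumption for this example,
# and the sha256 values are placeholders, not real file hashes.
EVENTS = [
    {"host": "LAPTOP-01", "pid": 100, "ppid": 1,   "image": "explorer.exe", "sha256": "aaa1"},
    {"host": "LAPTOP-01", "pid": 220, "ppid": 100, "image": "winword.exe",  "sha256": "bbb2"},
    {"host": "LAPTOP-01", "pid": 305, "ppid": 220, "image": "update.exe",   "sha256": "deadbeef"},
    {"host": "LAPTOP-01", "pid": 410, "ppid": 305, "image": "cmd.exe",      "sha256": "ccc3"},
    {"host": "LAPTOP-07", "pid": 512, "ppid": 50,  "image": "svc.exe",      "sha256": "deadbeef"},
    {"host": "LAPTOP-12", "pid": 777, "ppid": 30,  "image": "outlook.exe",  "sha256": "ddd4"},
]


def attack_path(events, host, pid):
    """EDR view: follow parent links on ONE host to show how a process was reached."""
    by_pid = {e["pid"]: e for e in events if e["host"] == host}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # `seen` guards against cyclic ppid data
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))               # root ancestor first, suspect process last


def hunt_ioc(events, sha256):
    """Threat-hunting view: pivot one IOC across EVERY host and report where else it ran."""
    hits = defaultdict(list)
    for e in events:
        if e["sha256"] == sha256:
            hits[e["host"]].append(e["image"])
    return dict(sorted(hits.items()))          # host -> images that matched the IOC


if __name__ == "__main__":
    print("attack path on LAPTOP-01:", " -> ".join(attack_path(EVENTS, "LAPTOP-01", 410)))
    print("hosts with IOC deadbeef:", hunt_ioc(EVENTS, "deadbeef"))
```

The EDR view explains how `cmd.exe` came to run on one laptop; the hunt shows that the same binary also executed on a second host that raised no alert of its own, which is the scope an EDR-only investigation misses.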
And here's the biggest and most important factor of all: An MDR solution will only track what's happening on the endpoint and not what's happening to the endpoint. By that I mean an attacker will have to conduct an activity on the endpoint in order for the MDR solution to identify that something nefarious is about to occur or has occurred. However, many attack discovery events occur outside of the endpoint, and a series of actions normally happens to the endpoint before something happens on the endpoint. This is an inherent blind spot in all MDR solutions. Here's a real-world analogy. A burglar is surveilling your house, waiting outside the front door, and you're oblivious to the pending attack because you can't see them standing on your porch. Only when they breach the door or window can you see you've been targeted. Ideally you'd want to have visibility and knowledge that the burglar is on your front porch before they breach the door so you can take protective measures.
There are many other technology considerations that should be made when selecting your MDR solution provider. If you're looking for an MDR solution, NuHarbor maintains best-of-breed technology as the backbone of our MDR solution. Our team of security analysts performs comprehensive alert monitoring, triage, and detection. While our solution is rooted in technology, we also employ red teaming and threat aggregation and analysis. This pedigree allows us to take the best MDR technology and couple it with the best security knowledge and expertise available in the market today.
If you're looking for an MDR provider that actually gives a sh*t, contact us today.

Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.