This is part 1 of a 4 part of CrowdStrike Managed Detection and Response (MDR) series.
The very first thing you should know about managed detection and response (MDR) providers is that the best service can only exist with the best technology. What I mean by that, is that what separates the wheat from the chaff when it comes to MDR providers is most often their technology. You can’t expect Dale Earnhardt to win the Daytona 500 in an old Model-T; same is true for solution providers good solutions require good technological capability.
Nowadays one of the most important pieces of an MDR solution is its cloud first connection. Too many problems can exist at the endpoint security solution prohibiting it from making the necessary connections or archiving the necessary data to perform its function. The modern workforce is incredibly mobile, even more so as many companies remain in a remote work status due to the pandemic, and laptops and mobile devices are often connecting through unknown networks. This setup requires the MDR being able to communicate with the end point no matter where they are in the world or what network you’re on.
Next, machine learning is really table stakes in 2020. If you’re relying on a signature file to download and tell you if you’re getting pwned, you’re already in trouble. This is like waiting for the pony express to arrive with your delivery and you never found out the horse rider was already ambushed and is not arriving. Today’s leading MDR technologies are built on machine learning capabilities that allow for greater statistical analysis. Due to a shifting threat landscape, any machine learning should also be coupled with behavior-based analytics and protections. Any behavior-based analytics should include pre-execution and post execution attacks.
Endpoint detection and response (or EDR) is also important in your technology. This aspect of your technology will come in to use later during investigative phases. But it is important to evaluate your solution provider early to identify if this is in their solution set. Without this capability your solution provider will natively be limited in their ability to conduct comprehensive investigative analysis on suspicious events. This leads me to threat hunting – threat hunting and EDR are similar in nature but in actuality are different technologies. As I mentioned earlier, EDR allows you to see that attack path and execution, but threat hunting allows you to take that IOC (indicator of compromise) or IOA (indicator of attack) and search your environment for the same signature on other endpoints. Not all MDR solutions give your provider the ability to threat hunt.
And here is the biggest and most important factor of all – an MDR solution will only track what’s happening on the endpoint and not what’s happening to the endpoint. By that I mean an attacker will have to conduct an activity on the endpoint in order for the MDR solution to identify that something nefarious is about to occur or has occurred. However, in actuality many attack discovery events occur outside of the endpoint and a series of actions normally happen to the endpoint before something happens on the endpoint. This is an inherent blind spot in all MDR solutions. A real-life example would be having a burglar surveille your house, wait outside the front door, and you’re oblivious to the pending attack because you can’t see them standing on your porch. Only when they breach the door or window can you see you’ve been targeted. Ideally you would want to have visibility and knowledge the burglar is on your front porch BEFORE they breach the door so you can take protective measures.
There are many other technology considerations that should be made when selecting your MDR solution provider. If you are looking for an MDR solution for your organization NuHarbor Security maintains best in breed technology as the backbone for our MDR solution. Our team of security analyst performed full alert monitoring, triage, and detection. While the backbone of our solution is rooted in technology, we also employ red teaming and threat aggregation and analysis. This pedigree allows us to take the best MDR technology and couple it with the best security knowledge and expertise.
If you’re looking for an MDR provider that actually gives a sh*t please contact us today.
by: Hayley Froio
Information Assurance Team Member at NuHarbor Security
Follow us on Social Media for more information: