MDR sounds simple; it is only three letters, so how complicated can it be? The answer may surprise you. Managed Detection and Response (MDR) is more than just overseeing what’s happening in your environment. The intricacies of an operational MDR approach are what make security simple for the end user, while the cogs turn 24×7 behind the scenes.
Here’s what goes into an operational MDR approach:
- Logs from all software and systems are vetted (reviewed) so that a streamlined solution can be built. This takes the burden off the end user, the one whose environment is being protected. Through the integration and systemization of these tools and people, the output of MDR looks like a simple plan of action that can be followed. Without the operational approach, though, MDR can become a mess within the end user’s environment if they take on the task themselves, with disconnected systems producing all sorts of unconfirmed alerts. It is easier to work with partners that have already vetted and streamlined the software and systems, so you can reap the rewards.
- Not all abnormalities detected by the sensors are actual events; these false positives create the noise within an environment, and that noise can cause the true events to be missed. In an operational MDR solution, the actual events are found because analysts go through each alert. When an event is found to be a security threat, it is time for response and remediation.
- MDR should not just be informational, with alerts simply arriving in your inbox. Each alert should have a remediation plan attached to it. The operational MDR approach has the system in place, as mentioned above, and that process will deliver a tailored plan to remediate any abnormalities that are found. If you consider MDR to be simply collecting alerts and identifying which ones should be fixed, that can cause severe gaps in your security. MDR is not a point product; it is an ongoing solution.
- Remediation is key in MDR. The “R” stands for Response, which can be as simple as a report. The next step, though, is the actual remediation and execution of the response plan. In an operational MDR approach, specific instructions are provided in order to properly respond to the security event in line with its severity, along with ongoing guidance on how to reduce risk in the future. Executing the recommended actions is what will reduce your attack surface over time.