MDR - an introduction to Managed Detection and Response and its key components

29 January 2024 / Article

As the world around us becomes more and more unsettled and global cyber threats increase, the ability of organisations to detect and respond to security incidents becomes increasingly important for overall cyber protection. But what is the best way to do this? This article introduces you to Managed Detection and Response and how it helps reduce your organisation's vulnerability.

What is Managed Detection and Response? 

Managed detection and response (MDR) is a cybersecurity monitoring service that focuses on detecting and managing threats in real time. This is done with a combination of security technologies that collect security information - as well as 24/7/365 human monitoring of these systems to perform analysis and interpretation of the information. The main purpose of MDR is to improve the ability of organisations to quickly identify potential threats and rapidly respond to security incidents as they occur. 

What types of organisations need MDR? 

MDR is particularly useful for organisations that may not have sufficient internal resources or experts to monitor and respond to security incidents on their own. By outsourcing these services, organisations can improve their security infrastructure and reduce the risk of serious data leaks or malicious intrusions. 

Key components of MDR

MDR includes the following functions:

  • Detection 
  • Analysis 
  • Response 
  • Reporting and feedback 

Detection 

Detection in MDR is a combination of advanced technologies to monitor, analyse and respond to different types of attacks. Two of the most common detection systems are Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM).

EDR 

An attacker's route into an organisation is remarkably often via user clients such as computers or smartphones. Therefore, their security is crucial to an organisation's overall cyber protection. An EDR tool analyses what happens on a client and responds to potential threats. This includes not only malicious files but also what the user is doing, how programs are behaving, and data being transmitted. All this is analysed and used to detect malicious behaviour. Through this broad analysis, EDR can detect not only classic viruses and Trojans but also scripts and other dynamic code - i.e. "fileless" malware and other advanced attacks. 

SIEM 

While EDR monitors user clients and other endpoints, SIEM monitors a variety of other sources to detect malicious behaviour. SIEM platforms collect and analyse log data from sources such as network devices, servers, applications and other IT systems. The logs contain information about the events and activities that occur on these devices. The data is compiled and analysed to distinguish normal behaviour from anomalies. SIEM tools use correlation rules and algorithms to identify relationships between different events, so a SIEM can detect patterns and anomalies that individually might not be suspicious but together can indicate a potential security incident. Alerts are generated by rules or AI models, and as soon as suspicious behaviour is detected the alert is raised. By ingesting large amounts of data, a SIEM can perform advanced behavioural analysis and capture suspicious or malicious activity in real time, detecting threat actors before they can strike.
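To make the correlation idea concrete, here is an added example of a minimal SIEM-style correlation rule; it is illustrative code written for this article, not part of Iver's MDR platform. It parses a handful of constructed authentication log lines (the format, hosts and addresses are invented) and raises an alert only when one source repeatedly fails to log in as a user and then succeeds within a short window. Each failed login is unremarkable on its own; the sequence is what indicates a possible credential-guessing attack that succeeded.

```python
# Added example: a small SIEM-style correlation rule over authentication logs.
# Not Iver's code; log format, hostnames, usernames and addresses are constructed.
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real logs). Each line records one login attempt.
SAMPLE_LOGS = """\
2024-01-29T08:00:01Z fw01 auth user=alice src=10.0.0.5 result=success
2024-01-29T08:00:10Z vpn01 auth user=bob src=203.0.113.7 result=failure
2024-01-29T08:00:12Z vpn01 auth user=bob src=203.0.113.7 result=failure
2024-01-29T08:00:15Z vpn01 auth user=bob src=203.0.113.7 result=failure
2024-01-29T08:00:19Z vpn01 auth user=bob src=203.0.113.7 result=failure
2024-01-29T08:00:23Z vpn01 auth user=bob src=203.0.113.7 result=failure
2024-01-29T08:00:30Z vpn01 auth user=bob src=203.0.113.7 result=success
2024-01-29T08:05:00Z vpn01 auth user=carol src=198.51.100.9 result=failure
2024-01-29T09:30:00Z vpn01 auth user=carol src=198.51.100.9 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


@dataclass
class AuthEvent:
    ts: datetime
    host: str
    user: str
    src: str
    result: str


def parse_logs(text: str) -> list:
    """Parse the constructed log format into AuthEvent records; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(AuthEvent(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            host=m["host"], user=m["user"], src=m["src"], result=m["result"],
        ))
    return events


def correlate(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=2)) -> list:
    """Correlation rule: at least `threshold` failures for the same (src, user)
    within `window`, followed by a success for that pair, produces one alert.
    Failures older than the window are discarded, so a single stale failure
    followed much later by a success does not fire."""
    failures = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.src, ev.user)
        recent = failures[key]
        # Evict failures that fell out of the sliding window.
        while recent and ev.ts - recent[0] > window:
            recent.popleft()
        if ev.result == "failure":
            recent.append(ev.ts)
        elif ev.result == "success" and len(recent) >= threshold:
            alerts.append({
                "rule": "brute-force-then-success",
                "src": ev.src,
                "user": ev.user,
                "host": ev.host,
                "failure_count": len(recent),
                "first_failure": recent[0],
                "success_at": ev.ts,
            })
            recent.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

Running it yields a single alert for `bob` from `203.0.113.7` (five failures in 20 seconds, then a success); `alice` never fails and `carol`'s lone failure has aged out of the two-minute window by the time she logs in, so neither produces noise. In a production SIEM the same logic is typically expressed as a rule in the platform's query language, and the threshold and window are tuned against the organisation's own baseline to keep false positives manageable.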

Analysis 

Based on collected detection data, expert analyses are performed by experienced MDR analysts. At Iver, this work is done by experts in our Security Operations Centre (SOC). When a security incident is detected through the detection function, our analysts review the incident to understand its scope, how it affects the organisation's security, and assess the severity of the threat. This may include examining which systems and data are involved, how the attacker has moved through the network, and which tools and techniques were used.

Our experts continuously monitor the threat landscape to identify new threats and understand their characteristics. This is to ensure that the technology used in the detection function is adapted to the latest threats. The overall analysis is thus based both on detection data and knowledge of current threats as well as experience from previous attacks.  

Response 

When a threat or incident is detected, actions are taken to stop the attack and minimise the damage. This may include isolating affected systems, removing malicious code, and implementing measures to prevent future similar incidents.  

For particularly serious events such as ongoing breaches or ransomware attacks, a dedicated Cyber Security Incident Response Team (CSIRT) is called upon. This expert team works intensively and with focus to stop ongoing attacks and minimise damage. Through well-defined processes and procedures, the right actions can be taken quickly, allowing the IT environment to be restored to normal operating conditions as soon as possible, which is crucial to minimising the impact of the attack on the business.

Reporting and feedback 

Reporting and feedback is an important aspect of MDR as it gives organisations an understanding of their security posture. Information about identified vulnerabilities in the organisation's IT infrastructure can help businesses to remediate and strengthen their systems to prevent future attacks. A close dialogue is crucial to maintaining an effective and dynamic security strategy.  

Want to know more about how Iver can help your organisation with MDR?
Read more about our MDR service offering or get in touch via the form below. 

Tags: Cyber Security