What is MDR?
The purpose of MDR services is to quickly identify security incidents and reduce their impact on customers. These services focus on 24/7 monitoring, detection and targeted threat response. At ETEK we combine host- and network-layer technologies with advanced analysis, threat intelligence, forensic data and human expertise to investigate, research and respond to detected threats.
- Monitoring and threat detection: Dedicated monitoring to look for traces of security threats.
- Incident response: Initial automated response capabilities supported by playbooks.
- Threat Hunting: Continuous search for cyber threats that are not detected by traditional security controls.
- Event: Observable occurrence in a system or network, for example:
  - A user connecting to a shared resource
  - A user sending an e-mail message
  - Blocking a connection attempt through a firewall
- Incident: Actual or imminent violation of an organization’s information security policies, for example:
  - Users tricked into opening a “legitimate” report that infects their machines with a malicious program (malware)
  - Workstations connecting to addresses recognized as command and control (C&C) servers
  - Unavailability of services due to malware attacks
Use Cases and Playbooks
- Use case: A service scenario designed to improve how companies detect threats, respond to incidents and continuously monitor their IT assets.
- Playbook: A checklist of the steps and actions needed to respond successfully to a specific incident type or threat. Incident response playbooks provide a simple step-by-step, top-to-bottom orchestration approach; they help establish formalized incident response processes and procedures for investigations and ensure that the steps are followed systematically.
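As an added example (not ETEK's code), a small Python triage that applies the event/incident distinction above to constructed telemetry and attaches the matching playbook to each incident; the indicator addresses, host names, event kinds and playbook steps are assumptions made up for the example.

```python
from dataclasses import dataclass, field

# Constructed sample indicators (documentation-range addresses, not real C&C).
KNOWN_C2 = {"198.51.100.23", "203.0.113.77"}

# Minimal playbooks: the ordered checklist a responder follows for each use case.
PLAYBOOKS = {
    "c2_connection": ["Isolate the host", "Block the destination at the perimeter",
                      "Collect process list and network connections",
                      "Hunt for other hosts reaching the same address"],
    "malware_execution": ["Quarantine the file", "Isolate the host",
                          "Identify the delivery vector", "Reset credentials used on the host"],
    "service_unavailable": ["Confirm outage scope", "Check affected hosts for malware activity",
                            "Restore from a known-good backup"],
}

@dataclass
class Event:
    kind: str    # share_connect, mail_sent, fw_block, net_connect, av_detect, svc_down
    host: str
    detail: str

@dataclass
class Incident:
    use_case: str
    event: Event
    steps: list = field(default_factory=list)

def triage(events):
    """Classify events; return only those that become incidents, each with its playbook."""
    infected = set()   # hosts with a malware detection, used to correlate later outages
    incidents = []
    for ev in events:
        use_case = None
        if ev.kind == "net_connect" and ev.detail in KNOWN_C2:
            use_case = "c2_connection"          # a blocked attempt (fw_block) stays a plain event
        elif ev.kind == "av_detect":
            infected.add(ev.host)
            use_case = "malware_execution"
        elif ev.kind == "svc_down" and ev.host in infected:
            use_case = "service_unavailable"    # outage correlated with malware on the same host
        if use_case:
            incidents.append(Incident(use_case, ev, list(PLAYBOOKS[use_case])))
    return incidents

SAMPLE_EVENTS = [  # constructed telemetry, in arrival order
    Event("share_connect", "ws01", r"\\fileserver\finance"),
    Event("mail_sent", "ws02", "to=partner@example.com"),
    Event("fw_block", "ws03", "203.0.113.77"),
    Event("net_connect", "ws04", "198.51.100.23"),
    Event("av_detect", "srv01", "Report.pdf.exe"),
    Event("svc_down", "srv01", "web portal"),
    Event("svc_down", "srv02", "backup job"),
]

if __name__ == "__main__":
    for inc in triage(SAMPLE_EVENTS):
        print(f"{inc.event.host}: {inc.use_case} -> first step: {inc.steps[0]}")
```

Of the seven constructed events only three become incidents; the outage on srv02 stays an event because no malware detection on that host precedes it.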
Risks that are mitigated with MDR services
- Loss of, or lack of access to, data required for operations
- Leakage of data that is stored and shared at scale, which can disrupt business operations
- Loss of data confidentiality and its subsequent disclosure, which may benefit competitors
- Loss of customers due to theft and unauthorized disclosure
- Rework (reprocessing) that may affect the organization’s productivity
- Unauthorized modification of file contents
- Loss of data availability due to exposure of configuration information and open ports
- Cyber attacks carried out against the identified addresses and ports
- Leakage of stored and shared data that can lead to business disruption
- Financial loss due to losing customers or to lawsuits
- Failures in access to the information required for business operations
Teams featured in MDR
- Red Team: Emulates attacks on the enterprise security posture to measure the effectiveness of its security controls.
  - Emulates the threat scenarios an organization may face.
  - Generates indicators of compromise for new attacks.
  - Tests use cases.
  - Supports the Blue Team in developing customized scenarios for client demos.
  - Ethical hacking
  - Vulnerability analysis
  - Cybersecurity compliance
  - Social engineering
  - Exploiting fraud vectors
  - Malware scenarios
- Blue Team: Responsible for executing computer network defense activities in a company’s information system.
  - Its main objective is to assess the diverse threats that can affect organizations.
  - Monitoring of security activity (network, systems, etc.)
  - Proposing action plans to mitigate risks
  - Incident response
  - Forensic analysis
  - Establishing detection measures for future cases
  - Event correlation
  - Configuration of use cases and playbooks
  - Availability monitoring
  - SIEM rule tuning
- Purple Team: Works to ensure and maximize the effectiveness of the Red and Blue Teams by integrating the Blue Team’s defensive tactics and controls with the threats and vulnerabilities identified by the Red Team.
  - Its main purpose is to manage the security of the organization’s assets.
  - Performs tests to check the effectiveness of security mechanisms and procedures.
  - Defines and develops additional security controls to reduce the organization’s risk.
  - Acts as facilitator between the Red and Blue Teams.
  - Enables improvements in detection and defence.
  - Defines use cases.
  - Defines playbooks.
  - Creates strategies based on customer needs.
Overview of MDR service components
- Proactive monitoring
- Knowledge of the customer’s service architecture and CMDB
- Use cases knowledge base up-to-date
- Continuous CyberWar Exercises
- Device management leveraged by proactive detection and automation capabilities
- Threat hunting
- Incident response based on best practices
- Staff with multiple skills and certifications