Last updated at Wed, 26 Jul 2023 22:19:20 GMT
This blog post is part of an ongoing series, MDR Vendor Must-Haves.
Security teams face unprecedented challenges as the threat landscape expands in scope and complexity. More frequent attacks have meant the burden on security teams has increased. Protecting the organization in today’s environment has led to analyst fatigue, with many organizations struggling to respond to both user and host threats in a timely manner.
Why? For starters, almost every attack can look just like any other end use—96% of the time, to be exact. And with three out of every four incidents involving compromised user credentials, it’s no longer adequate to defend at the perimeter and implement security training with the hopes to stop these threats.
What’s worse is attacks can happen any day or night. Even the most caffeinated analysts need sleep at some point. Often, businesses measure response time in hours, days, weeks, or months, instead of minutes.
Over the past few years, a noticeable shift happened in the MDR market, resulting in two types of “response” from MDR providers: “MDR” vs “MDr”. The biggest difference being the “Big R” players separate themselves by using an EDR tool to take remote containment actions on behalf of their customers.
As you can imagine, this leads to a lot of confusion to differentiate between vendors. The bigger challenge is, almost every vendor that has a managed response capability will say they can respond to the threat on your behalf. So, while this capability has become table stakes, the devil is in the details—and not all methods are created equal.
The core difference between these providers comes down to two key questions you should ask:
What types of responses can they take?
Just offering any type of “response” isn’t the best approach. The key to providing response to modern threats requires two elements:
- User Containment: Data from our Threat Intelligence and MDR teams show that 96% of incidents included end user compromise, with three out of every four incidents involving compromised user credentials! WIthout containing both the endpoints and users, your MDR provider is just delaying the next alert, not stopping the next attacker.
- Host/Endpoint Containment: Disabling the host/endpoint’s ability to connect to the network severely limits the damage that can be done by lateral movement, malware propagation, or data exfiltration.
Why are both needed? MDR providers that recommend actions and strategies which index on containing a single element of the threat but not responding to the actual attack just delay the next alert. An effective response must use a strategy to cut an attacker off from both the endpoint and user accounts!
Think of responding to an incident much like fighting a fire. To put out a small fire, you could respond using a fire extinguisher. But that same response method would be useless to stop a wildfire from spreading; you’d need a strategy to suppress the blaze using a control line and air support.
The same goes for when you’re thinking about a response plan. MDR providers that only focus response on the endpoints using automated actions to halt the propagation of malicious activity across user devices is like using a garden hose to respond to a multi-alarm fire. Maybe it would slow the flames, but it’s rare that it’ll be successful at putting it out.
How does the MDR provider initiate response?
Some MDR vendors take the automated approach using rule-based actions to contain the endpoint. Others take a more collaborative approach to engage your team on the action. Others even leverage SOAR solutions to expand the use cases for containment.
It may cause more harm to take automated actions using AI-based rules or shutting off network traffic rather than taking the right containment action on your endpoint or user accounts based on the collective experience of SOC experts.
For example, automated actions can lead to a lot of challenges like:
- Automated actions contain assets but not the compromised user.
- Automated actions cause premature containment based on rules that cause the SOC to miss out on valuable attack context
- Automated containment is now used as an attacker strategy to lock out accounts and debilitate a company's ability to operate.
- Automated actions are contained so a critical user is unable to perform their job/locked out of their account.
- Automated containment of critical servers which takes it offline
- Automated actions to contain mistaken threats may end up severing network communications between a key and BPOs.
Depending on your environment, what you want your MDR provider to take on, and the level of effort you want your team to do, there are a variety of choices for you to consider. While automated actions may be the fastest way, they may not be the best for your business, and you might want to consider leveraging a more collaborative model and/or SOAR technology for further automated response.
How Rapid7 MDR can help
Rapid7 MDR with Active Response can improve Time to Response (MTTR) and save your team time and money with unrivaled response capabilities for both endpoint and user threats.
Active Response eliminates the automated containment risks that plague other MDR vendors. Unlike providers that perform generic containment based on automated rules or blanket actions to cut off network traffic, Active Response only executes actions on validated threats and gives your team the flexibility to configure or cancel responses. Doing so removes the headaches of false-positive quarantines, which can cause more work, not less.
This means that Rapid7 MDR with Active Response can:
Launch on-premises and remote user and host containment
Active response will react as early in the kill chain as possible by containing compromised endpoints or user accounts. Taking action to respond within minutes of finding a threat will prevent malware propagation, cut off lateral movement, or stop data exfiltration attempts.
Set configurations and guidelines for any response action
You can create containment guardrails to prohibit response actions to critical servers, users, or devices. This way, we won’t treat a typical user the same as your Domain Controller.
Provide 24x7 end-to-end detection and response
Say goodbye to frantic, “drop everything and respond now!” moments. Have peace of mind knowing that Rapid7’s MDR experts will take action for you at any time, day or night. Our team will monitor threats, validate them, and take on the initial countermeasures to paralyze the attacker for you.
Allow you flexibility to collaborate with MDR responders, or let our experts handle it all
You’ll have the option to be hands off or to collaborate with our team in order to accelerate or cancel containment actions via Slack on your mobile or desktop devices. You can be as hands off or as hands on as you prefer for each incident.
Keep you in the loop with consistent communication and notifications
We’ll send real-time updates on actions happening through a variety of communication platforms, including Slack, phone, email, or text. Every action is then recorded within the InsightIDR investigation so you’ll have an audit trail and one centralized source of truth.
Give you the freedom to eradicate threats and recovery on your terms
Once Active Response kicks in, your only job is to take the remediation and mitigation actions we recommend in your Findings Report. From there, you can bring the endpoint or user back into production by sending a Slack message. It’s that easy!
Prevent analyst burnout
No one gets into InfoSec because they want to look at alerts all day. Give your team something more important to do besides refreshing their inbox in anticipation of a Findings Report and waiting around to respond to threats. Let our MDR team become a force multiplier for your security program and free up your analysts to provide more value to your business.
Ultimately, Rapid7’s MDR team is highly effective because our actions are executed after thorough human review, granting customers the flexibility to align our service to their specific environment. Our team takes action on only valid threats, and we give the option for the customer to stay in control by leveraging our industry-leading SOAR solution, InsightConnect.
