We received quite a welcome for our recent article, “Alert Time is Obsolete” [Alert Time is Obsolete | CyberMaxx], in which CyberMaxx shared what so many of our clients have come to know: Mean Time to Alert SLAs have been surpassed by Mean Time to Respond. The gamification of Mean Time to Alert has resulted in a loss of confidence. CyberMaxx leads and aligns with our clients on what matters most: what were the conditions, and what was the time to respond, for risk remediation.
Encouraged by this reception, we are continuing what we will call our organic series of ‘saying the quiet part out loud.’ In this article we provide a framework for evaluating your MDR provider, ensuring they are not placing an MDR wrapper around an MSSP operating model. This occurs far too often, leaving businesses with a flood of alerts which they are obligated to assess for risk and action, while the pseudo-MDR / actual-MSSP poses under the guise of protection. Enough already; here are the tools you need to challenge your MDR provider and determine whether they are nothing more than a masquerading MSSP.
Fundamental difference between an MDR and MSSP security provider
When identifying a suspicious or malicious security event, an MDR security provider will perform the response action on behalf of the client, whereas an MSSP will notify and escalate to the client for evaluation and response.
! WARNING – If your security provider emphasizes Alert Response Time as a key performance indicator, they are an MSSP. It’s easy to respond quickly with an Alert & Notify service when all you are doing is passing the security alert through your hands, making the bulk of the investigation and response a client responsibility.
Evaluation Criteria – MDR providers will perform response actions on behalf of the client. MDR providers will emphasize Response Time as the truest key performance indicator.
Breadth of Response
CyberMaxx speaks of the ‘Big R’ in contrast to the ‘little r’ when presenting our modern MDR service. The difference lies in the breadth of response. MSSPs speak of ‘r’esponse when they depend exclusively on EDR detections and auto-disruption once a malicious artifact is detected. For true, full-service MDR providers, this is just the beginning. CyberMaxx Modern MDR delivers ‘R’esponse beyond EDR platform detections, including:
- Zero-Latency Response, where Threat Responders are staffed 24x7x365 to conduct incident triage, isolation, and containment.
- Full Scope of Compromise evaluation, where CyberMaxx brings enhanced Response services: our Threat Responders look beyond the initial threat vector to include tangential paths among trusted relationships.
! WARNING – If your security provider equates EDR platform response with the ‘r’ in MDR services, they are offering marginal protection and operating as an MSSP with endpoint monitoring services. This doubles your effort, as the client must now handle the bulk of the investigation and response for the endpoint in addition to the SIEM.
Evaluation Criteria – MDR providers will respond beyond the inherent EDR platform alerts. The best will include Threat Responders within the SOC as first-stage Incident Response, reducing latency in the case of a breach and limiting the risk of full exposure.
TIP: See CyberMaxx ‘Tales from the SOC’ [Tales from the SOC eBook | CyberMaxx] for case studies of Big ‘R’.
Novel and Native Detections
MSSPs masquerading as MDR providers will emphasize Platform Native Detections, inherent to the platforms they maintain, in the absence of Novel Detections authored by the organization. Here’s the problem: without Novel Detections, clients receive a ‘me too’ service, the same as every other MSSP, with equal dependency on the Platform Native Detections of the SIEMs and EDRs they claim to support.
The CyberMaxx Cyber Threat Unit is a dedicated team of Threat Researchers AND Detection Engineers, responsible for the Optimization, Enrichment, and Authorship of Novel and Native Detections, delivering comprehensive protection for our clients through CyberMaxx MDR.
- CyberMaxx Threat Research provides original authorship of Novel Detections, which have an effective true positive rate of 185% of that of native detections alone. We protect clients when they are most vulnerable, during the early days of novel malware.
- CyberMaxx Detection Engineering optimizes Native Detections, enhancing incident fidelity and avoiding alert fatigue for our clients, who would otherwise be responding to the excessive false positive alerts inherent in out-of-the-box Platform Native Detections; here we boast a handling rate of 99.99%. We at CyberMaxx do the work for you.
! WARNING – If your security service provider is exclusively dependent on Platform Native Detections, they are an MSSP.
Evaluation Criteria – MDR providers will gladly showcase their investment in Threat Research and Detection Engineering. This is one of the most important areas of focus for not only differentiating between an MDR and MSSP provider but also measuring value amongst various MDR providers. Ask about custom detections for Novel events.
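The evaluation criteria in this section and the one on the fundamental MDR/MSSP difference become much harder to argue about once they are measured from the provider’s own incident export rather than from a sales deck. The scorecard below is an added illustration written for this article; it is not CyberMaxx tooling, not any provider’s reporting, and its field names (`responder`, `detection_origin`), its 80% threshold and its sample incidents are all constructed assumptions. It computes Mean Time to Alert, Mean Time to Respond, the share of response actions actually performed by the provider, and the true positive rate split by whether the detection was provider-authored (novel) or platform native.

```python
"""Added example, not CyberMaxx's code or any provider's reporting: a scorecard
that computes this article's evaluation criteria from an incident export.
Field names, the 80% threshold and the sample records are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    incident_id: str
    detected_at: datetime             # platform raised the alert
    notified_at: datetime             # provider notified the client
    contained_at: Optional[datetime]  # response action completed; None if never
    responder: str                    # "provider" or "client": who performed the response
    detection_origin: str             # "novel" (provider-authored) or "native" (platform)
    true_positive: bool               # disposition after investigation


def _ts(text):
    return datetime.fromisoformat(text)


# Constructed sample export (not real incidents). Alerts arrive fast, but half of the
# responses are performed by the client, which is the pattern this article warns about.
SAMPLE_INCIDENTS = [
    Incident("INC-1", _ts("2024-05-01T02:00:00"), _ts("2024-05-01T02:05:00"), _ts("2024-05-01T02:35:00"), "provider", "novel", True),
    Incident("INC-2", _ts("2024-05-01T03:00:00"), _ts("2024-05-01T03:03:00"), _ts("2024-05-01T05:00:00"), "client", "native", True),
    Incident("INC-3", _ts("2024-05-01T04:00:00"), _ts("2024-05-01T04:04:00"), None, "client", "native", False),
    Incident("INC-4", _ts("2024-05-01T06:00:00"), _ts("2024-05-01T06:08:00"), _ts("2024-05-01T06:30:00"), "provider", "novel", True),
]


def mean_minutes(incidents, start_field, end_field):
    """Mean elapsed minutes between two timestamp fields, skipping incidents
    where the end event never happened (e.g. a false positive closed with no action)."""
    spans = []
    for inc in incidents:
        start, end = getattr(inc, start_field), getattr(inc, end_field)
        if end is not None:
            spans.append((end - start).total_seconds() / 60)
    return mean(spans) if spans else None


def scorecard(incidents):
    """Mean Time to Alert, Mean Time to Respond, share of responses performed by
    the provider, and true positive rate split by detection origin."""
    total = len(incidents)
    provider_done = sum(1 for i in incidents if i.responder == "provider" and i.contained_at is not None)
    by_origin = {}
    for origin in ("novel", "native"):
        subset = [i for i in incidents if i.detection_origin == origin]
        tps = sum(1 for i in subset if i.true_positive)
        by_origin[origin] = {"alerts": len(subset), "true_positive_rate": tps / len(subset) if subset else None}
    return {
        "mtta_minutes": mean_minutes(incidents, "detected_at", "notified_at"),
        "mttr_minutes": mean_minutes(incidents, "detected_at", "contained_at"),
        "provider_response_share": provider_done / total if total else None,
        "by_origin": by_origin,
    }


def classify(card, min_provider_share=0.8):
    """Assumed threshold: if the provider performs fewer than 80% of the response
    actions, the service is alert-and-notify no matter how fast the alerts arrive."""
    share = card["provider_response_share"]
    return "MDR-like" if share is not None and share >= min_provider_share else "MSSP-like"


if __name__ == "__main__":
    card = scorecard(SAMPLE_INCIDENTS)
    print(card)
    print(classify(card))
```

On the constructed data the alert time looks excellent (five minutes on average) while the response time is over an hour and only half of the responses were performed by the provider, so the scorecard labels the service MSSP-like; the novel-versus-native split is the number to ask for when a provider claims to invest in detection engineering.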
Federated Intelligence
MSSPs operate exclusively in reactive mode, taking telemetry from the SIEM and EDR platforms when evaluating security incidents. The fact is that most MDR providers operate the same way, at a lower level of maturity, placing exclusive dependency on client-chosen log sources. For many clients, their selection of log sources was heavily influenced by the cost associated with the volume of telemetry consumed by the SIEM. It’s one thing to have a platform capable of unrestricted consumption; it’s another to be able to afford it. As a result, many clients find themselves having to choose only the log sources that are most critical.
CyberMaxx MDR breaks the economic stranglehold:
- First, CyberMaxx MDR offers unlimited log source ingestion. Where others force you to choose, CyberMaxx respects our clients in determining which log sources matter most, without restriction.
- Plus, CyberMaxx includes Continuous Threat Exposure Management (CTEM) with our Modern MDR service, at no additional cost, running in parallel to the client-delivered event stream.
Yes! CyberMaxx CTEM brings federated intelligence, such as data and detections, to supplement the log sources provided by our clients. CTEM is included for our clients with full MDR services, 24x7x365. CyberMaxx CTEM includes detections through:
- Threat Research
- Vulnerability Assessments
- BotNet Activity
- DarkWeb Findings
- Phishing Assessments
- Data and Breach Assessment
- Media Monitoring
- Network Hygiene
- Cloud Security
- Domain Squatting
- OSINT
- IOC/IOA Feeds
CyberMaxx MDR Federated Intelligence also includes Deception Technology for establishing decoys that present as business assets of our clients:
- CyberMaxx Novel Detections alert on malicious behavior, which is then reviewed by the CyberMaxx Threat Response team to determine risk, such as early indicators of ransomware.
- The CyberMaxx Offense Fuels Defense philosophy is on full display when applying Threat Actor Behavioral Analytics to evaluate activity associated with Deception Technology.
- CyberMaxx Vertical Expertise comes into play particularly with Deception Technology, where experience in HealthCare, Financial Services, Municipalities, and other regulated industries informs the evaluation of Threat Actor Behavior specific to the industry vertical.
! WARNING – Ask your security service provider about their application of Federated Intelligence. If you receive a blank stare, you are speaking to an MSSP.
Evaluation Criteria – Federated Threat Intelligence is the domain of modern MDR providers, where CyberMaxx leads the way with our experience in applying it and including it in CyberMaxx MDR. We stand alone in offering this value to our clients.
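The reason decoys pay off as a detection source is that no legitimate user has a reason to touch one, so any interaction is high-fidelity and needs no tuning. The detector below is an added illustration, not CyberMaxx’s deception platform or its detection content: it parses constructed key=value log lines, matches each event against a small registry of decoy users, hosts and shares, and escalates severity once one source has touched more than one distinct decoy, which is consistent with enumeration rather than an accidental click. The log format, registry contents and the escalation threshold are all assumptions made for the example.

```python
"""Added example, not CyberMaxx's deception technology or detections: a minimal
decoy-interaction detector over constructed telemetry. Log format, decoy
registry and the escalation threshold are assumptions for the illustration."""
from collections import defaultdict

# Constructed decoy registry: assets that exist only so that intruders touch them.
DECOY_REGISTRY = {
    "user": {"svc_backup_legacy"},
    "host": {"dc-decoy-01"},
    "share": {"Finance_Archive_2019"},
}

# Constructed sample telemetry (not real data): a normal access, two decoy hits
# from the same source, and an unrelated normal request.
SAMPLE_LOG = """\
2024-05-01T02:10:00 src=10.0.5.23 user=jdoe host=fs01 action=smb_read share=Finance
2024-05-01T02:11:00 src=10.0.5.23 user=jdoe host=fs01 action=smb_read share=Finance_Archive_2019
2024-05-01T02:12:30 src=10.0.5.23 user=svc_backup_legacy host=dc-decoy-01 action=logon
2024-05-01T02:15:00 src=10.0.7.9 user=asmith host=web01 action=http_get
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value key=value ...' into a dict; the timestamp is kept under 'ts'."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def decoys_touched(event, registry=DECOY_REGISTRY):
    """Return the set of 'field:value' decoy references present in one event."""
    return {f"{field}:{event[field]}" for field, names in registry.items()
            if event.get(field) in names}


def detect(log_text, registry=DECOY_REGISTRY, escalate_at=2):
    """Emit one alert per decoy-touching event. Severity is 'medium' for the first
    decoy a source touches and 'high' once that source has touched escalate_at or
    more distinct decoys; the per-source state makes the second hit look different
    from the first even though each line is matched independently."""
    seen_by_src = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        hits = decoys_touched(event, registry)
        if not hits:
            continue
        src = event.get("src", "unknown")
        seen_by_src[src] |= hits
        severity = "high" if len(seen_by_src[src]) >= escalate_at else "medium"
        alerts.append({"ts": event["ts"], "src": src, "decoys": sorted(hits), "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run as a script, the two decoy events from 10.0.5.23 produce a medium alert for the decoy share and then a high alert once the same source also uses the decoy account against the decoy host; the two normal lines produce nothing, which is the point: decoy detections carry almost no false-positive load for the client, and the review that remains is the responder’s assessment of what the behavior means for that client’s environment.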
Whether you currently partner with an MDR provider or are evaluating one for a future partnership, I hope you find this article useful in challenging your MDR provider to ensure you are receiving the most value for your service investment.