Increasing the value of Managed Detection & Response (MDR)

If you read this, you probably have an operational Managed Detection & Response (MDR) solution up-and-running, either outsourced or developed in-house. Is this the end? Can you now lean back and enjoy the hard work? The honest answer is, you could, but you could also increase the value of all your hard work!

A quick recap

Let's summarize what you have achieved by having a MDR solution in place:

  • You have a 24/7 service that is capable of detecting threats & responding to threats;
  • You have deployed the service based on the threat model relevant to your organization;
  • You have ensured that different data sources are used and that the detection coverage matches the threat model tactics & techniques;
  • You have tested and verified that the response is adequate and capable to deal with the relevant threats;
  • During this process you have gained insights in your gaps as well as your infrastructure;

Now let’s explore how you can further increase the value of the service for your company!

Helping yourself by helping the MDR service

An important part of a functional MDR service is the reduction of noise, false positives as well as an increase of the overall maintainability of the environment that is protected as well as the preventative measures.

This can be achieved by specifically working on the following topics:

  • Root causes: Which alerts or signals are repetitive and a sign of an incorrectly maintained environment? Ensure your MDR service provides these on a regular basis.
  • Vulnerabilities: Which vulnerabilities or misconfigurations are present in the data that is processed by MDR? Use this information to further enhance your vulnerability management process.
  • Asset management: Which assets are in view of your MDR service? How does this compare with your own CMDB? Use this information to further enhance your asset management process.
  • Change detection: Improve your processes by asking your MDR provider to detect specific changes that are considered critical and should only happen after all parties have been informed.
  • Administration methodology: How would you like to perform system administration? What are the deviations? Ask your MDR provider to frequently report on deviations. The more you clean these up, the easier you can detect when an attacker deviates.

In other words: if you want to get the most out of your MDR service you need to ensure that you provide the MDR service with the best possible environment to detect deviations and anomalies. To achieve this you can use the information that the MDR service already collects to augment your security operations.

Threat intelligence

Which threat intelligence is truly relevant for your organization and how does it affect you? Ensuring that your MDR provider is able to answer these questions will aid you in avoiding reactions that are driven by fear instead of facts or data.

The mapping of new threat intelligence to tactics and techniques to determine if they are covered by the MDR service can provide you with piece of mind knowing that the behavior of relevant attackers is already acted upon. This also aids you in determining if you need to wake-up your system administrators or if you can follow the regular patch cycle.

The retention of data also plays an important part in your MDR service. Part of received threat intelligence is of course the famous Indicators Of Compromise (IOC) which are pieces of data that can be matched against the collected data. When you receive new threat intelligence you also want to match this information against the historically collected data, any MDR service could have missed something. So you need to know if these IOCs are or have been present anywhere within your infrastructure.

Besides the searching, matching & determining if the newly acquired threat intelligence information affects you, you also need your MDR service to pro-actively block certain IOCs to prevent a potential breach. Specially when the received threat intelligence warns of a potential incoming wave of attacks.

Continuous threat landscape alignment

Threats evolve over time, whereby time is relative. Sometimes they evolve over months and sometimes they evolve in just a couple of days. To ensure that the MDR service is aligned with the threat landscape a continuous alignment should be performed. Which tactics and techniques are relevant to your organization, what data sources provide coverage and which detection logic is in place to ensure detection & response?

This should ideally be performed in an automated manner, however a human intervention to ensure that discrepancies or errors are caught early in the process.

Additional reading:


Keep me informed

Sign up for the newsletter