Essential Requirements for MDR Vendors


Assessing Managed Detection and Response (MDR) vendors is no easy task. However, evaluating each based on predetermined tactical prescriptions for what a provider can offer your business can help ensure you are hiring the right fit for you and your team.

One key area your MDR vendor must excel in is the deep observation of real-time endpoint data. This blog post will cover why this is such an important part of the MDR promise and break down the Rapid7 MDR team’s approach.

The importance of endpoint data

These days, few significant breaches occur without attacker activity on the endpoint, whether these are workstations, laptops, servers, or cloud assets. The best MDR services combine deep visibility at the endpoint, including real-time forensics capabilities, with authentication, network, and log data. Without endpoint telemetry, it’s impossible to see process starts and stops and correlate notable events to determine whether there’s anomalous activity indicative of an attacker.

But this doesn’t mean endpoint detection and response (EDR) is always the answer. It takes a combination of User Behavior Analytics (UBA), Log Analytics, and Attacker Behavior Analytics (ABA) to correlate and detect attackers with higher fidelity.

MDR services that only place sensors on the endpoint will not only miss attacks, but they’ll lack context on who does what in the company. Unlike your internal team, third-party analysts don’t know who is regularly on the road or who requires elevated privileges to do their job.

For example, employees may need to install unfamiliar extensions when delivering webcasts with third-party providers. This would be a less than ideal time for their asset to be contained mid-demo.

Not only is an EDR-like tool needed for endpoint fidelity; it also needs to give your MDR provider Enhanced Endpoint Telemetry (EET) visibility into when processes start and stop on each endpoint.

Typically, finding the entry point on an endpoint isn’t straightforward – maldocs may be delivered via phishing emails, browsers can be exploited using tools like BeEF, exploitable programs may have opened ports on a user’s laptop, etc.

Those instances are more difficult to detect and require MDR analysts to use process start/stop data to identify when a document spawns processes it’s not supposed to—like a Microsoft Word doc spawning PowerShell.
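As an added illustration of the parent/child check described above (this is example code written for this post, not Rapid7’s detection logic), the function below walks constructed process-start records and flags scripting hosts whose ancestry leads back to an Office application, catching both a direct Word → PowerShell spawn and an indirect Word → cmd → PowerShell chain. Field names and the sample telemetry are assumptions.

```python
"""Flag process starts whose ancestor chain leads back to an Office application."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: fields mirror a typical EDR process-start record (constructed here).
@dataclass
class ProcStart:
    host: str
    pid: int
    ppid: int
    image: str      # executable name, lower-cased at ingestion
    cmdline: str

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPECT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "rundll32.exe", "regsvr32.exe"}
MAX_DEPTH = 4   # how far up the tree to walk, so Word -> cmd -> powershell still hits

def find_office_spawns(events: List[ProcStart]) -> List[dict]:
    """Return one alert per suspect process with an Office app among its ancestors."""
    by_key: Dict[tuple, ProcStart] = {(e.host, e.pid): e for e in events}
    alerts = []
    for e in events:
        if e.image not in SUSPECT_CHILDREN:
            continue
        chain = [e.image]
        parent: Optional[ProcStart] = by_key.get((e.host, e.ppid))
        depth = 0
        while parent is not None and depth < MAX_DEPTH:
            chain.append(parent.image)
            if parent.image in OFFICE_PARENTS:
                alerts.append({"host": e.host, "pid": e.pid,
                               "chain": " <- ".join(chain), "cmdline": e.cmdline})
                break
            parent = by_key.get((parent.host, parent.ppid))
            depth += 1
    return alerts

# Constructed sample telemetry: a direct Word->PowerShell spawn, an indirect
# Word->cmd->PowerShell spawn, and a benign explorer-launched PowerShell script.
SAMPLE = [
    ProcStart("ws01", 4000, 1200, "explorer.exe", "explorer.exe"),
    ProcStart("ws01", 4100, 4000, "winword.exe", '"WINWORD.EXE" invoice.docm'),
    ProcStart("ws01", 4150, 4100, "powershell.exe", "powershell.exe -w hidden"),
    ProcStart("ws01", 4200, 4100, "cmd.exe", "cmd.exe /c start"),
    ProcStart("ws01", 4250, 4200, "powershell.exe", "powershell.exe -ep bypass"),
    ProcStart("ws01", 4300, 4000, "powershell.exe", "powershell.exe -File backup.ps1"),
]

if __name__ == "__main__":
    for alert in find_office_spawns(SAMPLE):
        print(alert)
```

The explorer-launched script is deliberately left unflagged, since the point is the parent relationship rather than the mere presence of PowerShell.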

Response and reporting from your MDR provider

The job of your MDR provider is to tell you exactly what happened, including answering questions such as:

  • How did the attacker get in?
  • What TTPs did the attacker use?
  • Where did the attacker move to?
  • What credentials were used?
  • What data was accessible?
  • What data was exfiltrated?
  • Is the attacker still in the environment?
  • Did they establish any persistence mechanisms?
  • What specific steps can you take to remediate?
  • What can you do to prevent these types of attacks from happening in the future?

While some of these questions can be answered with network data, thoughtful endpoint data collection captures authentication, file system, process execution, and forensic artifacts that are critical across the entire incident response lifecycle.

The importance of network device data ingestion

Having endpoint visibility doesn’t mean analysts shouldn’t value the information from network devices, the event sources that monitor them (IDS, DPI, DHCP, DNS), or network flow. On the contrary, attackers will inevitably use the network in their attack.

Network data is lightweight, easily searchable, and can quickly identify the exact location of an attacker throughout the network to identify the scope of the breach. Leveraging this data allows analysts to take action and understand what’s going on across the network layer, while correlating events to the endpoints.

This data can be helpful for early detection of potential compromise, as well as adding context to investigations to see how attackers entered or moved around a network. Together, alongside the existing user, log, and endpoint data, the MDR team can leverage network traffic analysis to help analysts:

  • Ensure continuous visibility everywhere.
  • Recognize compromise quickly using combined IDS and network metadata analysis.
  • Trace the steps of potential attackers across systems and applications.

Said another way, Network Traffic Analysis shines a light on the dark corners of the network. It provides increased visibility and an additional axis for early threat detection, as well as rich device and activity information to accelerate investigations.

The key is to couple both North-South Network traffic inspection with Network Flow (East-West) traffic to get the full picture of what’s happening.

Typically, North-South traffic inspection is easy, and the tools have been around forever, so any security operations team can add network visibility to its technology stack and correlate this activity with endpoint data.

East-West traffic, on the other hand, is tougher because of a lack of visibility. This traffic doesn’t traditionally hit a firewall and the data you get out of switches can vary wildly due to performance concerns of capturing and exporting netflow data at that level. Don’t even get us started on monitoring East-West traffic in virtual environments.

Typical things monitored for in East-West traffic flows include recon/network mapping using a tool like Nmap, scanning for vulnerabilities or open ports, and transferring exploits or moving files around with netcat. Other cases for monitoring East-West traffic are insecure protocol usage (TLS anything below 1.2, SMB v1 or v2, etc.) and shadow IT.
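As an added example of the East-West checks listed above (written for this post, not Rapid7’s own code), the functions below run over constructed flow records that carry NetFlow-style fields plus DPI-derived protocol metadata, and surface legacy TLS and SMB dialects as well as scan-like port fan-out from one internal host to another. The record layout, field names and the threshold are assumptions.

```python
"""Flag insecure protocol use and scan-like fan-out in East-West flow metadata."""
from collections import defaultdict
from typing import Dict, List, Set

# Assumption: each record has NetFlow-style src/dst/dport/proto fields plus optional
# DPI-derived tls_version or smb_dialect; the layout is constructed for this example.
Flow = Dict[str, object]

INSECURE_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}   # anything below TLS 1.2
INSECURE_SMB = {"SMB1", "SMB2"}                 # the post flags SMB v1 and v2
SCAN_PORT_THRESHOLD = 10   # distinct dst ports from one src to one dst before we call it a sweep

def insecure_protocol_flows(flows: List[Flow]) -> List[str]:
    """Return 'src->dst:port <dialect>' for every flow using a legacy TLS or SMB version."""
    findings = []
    for f in flows:
        if f.get("tls_version") in INSECURE_TLS:
            findings.append(f"{f['src']}->{f['dst']}:{f['dport']} {f['tls_version']}")
        if f.get("smb_dialect") in INSECURE_SMB:
            findings.append(f"{f['src']}->{f['dst']}:{f['dport']} {f['smb_dialect']}")
    return findings

def scan_candidates(flows: List[Flow]) -> Dict[str, int]:
    """Map 'src->dst' to its distinct dst-port count where the count looks like a port sweep."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    for f in flows:
        ports[f"{f['src']}->{f['dst']}"].add(int(f["dport"]))
    return {pair: len(p) for pair, p in ports.items() if len(p) >= SCAN_PORT_THRESHOLD}

# Constructed sample: one legacy TLS session, one SMB1 session, two healthy sessions,
# and one host touching ports 1-15 on a neighbour in the same subnet.
SAMPLE: List[Flow] = [
    {"src": "10.0.1.20", "dst": "10.0.2.5", "dport": 443, "proto": "tcp", "tls_version": "TLSv1.0"},
    {"src": "10.0.1.21", "dst": "10.0.2.9", "dport": 445, "proto": "tcp", "smb_dialect": "SMB1"},
    {"src": "10.0.1.22", "dst": "10.0.2.9", "dport": 445, "proto": "tcp", "smb_dialect": "SMB3"},
    {"src": "10.0.1.23", "dst": "10.0.2.5", "dport": 443, "proto": "tcp", "tls_version": "TLSv1.2"},
] + [{"src": "10.0.1.30", "dst": "10.0.2.7", "dport": p, "proto": "tcp"} for p in range(1, 16)]

if __name__ == "__main__":
    print(insecure_protocol_flows(SAMPLE))
    print(scan_candidates(SAMPLE))
```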

Ingestion of Other Technology Investments

By the time you’re ready to invest in a Managed Detection and Response (MDR) service, you’ve likely already invested in a number of different security tools aimed at preventing threats and detecting breaches. MDR is a continued investment in this technology, not always a pure replacement. MDR complements any program with a “defense in depth” technology stack.

When designing modern submarines, the Navy uses a thought process of “assume breach,” meaning at some point a flood door or bulkhead will fail and there needs to be multiple failsafes to ensure adequate protection.

The same is true for a security program. With an “assume breach” mentality, instead of just having a firewall at the perimeter and endpoints on the interior of your network, a defense in depth strategy layers the firewall with an IDS/IPS and EDR on the endpoint. Going further, you would look beyond point solutions to include network segmentation, strong passwords, patch management, etc.

The best MDR providers will want to use all that data as part of delivering their service because it improves threat detection and validation accuracy. More data means more visibility, more ways to correlate threats, and more ways to track attackers.

This includes ingesting your cloud services data. The modern network extends beyond your perimeter. Software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) are now the norm for the modern enterprise.

To complicate things, your users are mobile, working remotely and traveling while using traditional remote access solutions (in addition to modern cloud-based services). Your MDR provider must be able to identify and respond to threats regardless of where these threats are materializing.
