管理检测和响应(MDR)

MDR解决了哪些挑战?

Besides the general benefits of alleviating stress 和 giving more time back to overworked analysts, 耐多药:

• 减少警觉性疲劳: 分析师s might be chasing too many false alerts or could eventually become desensitized to meaningful ones. If headcount is low, a team may no longer be able to investigate alerts in a meaningful way. MDR becomes a force multiplier by investigating 和 curating alerts on which their client needs to take real action.  
  
  
• 更快地检测威胁: An overloaded SOC simply might not be able to see or respond to threats in anything close to real time. 与此形成鲜明对比的是, an MDR provider’s sole function is to detect 和 respond to threats on behalf of a customer. 与MDR提供商合作可以快速减少SOC的威胁响应时间, 尤其是上面提到的策划提醒. 当与综合威胁情报相结合时, 由于实时分析，团队应该能够更主动地识别威胁.
    
• 扩展安全功能: 这一切都始于缺乏预算, 但同时又缺乏专业知识和人才, 任何一家公司的安全状况都可能很快变成灾难性的. 团队必须能够做到这一切: 威胁检测, 警报分类, 恶意软件分析, 事件调查, 以及应对——而且必须能够大规模地实现.
  
  MDR can help a security team with limited 资源 extend their capabilities across this spectrum of critical responsibilities. 可以访问提供商的专业D&R专业知识和员工数量, an MDR customer could find a solution at a fraction of the budget 和 time it would take to successfully build out an internal representation of critical 资源.
      
• 增强安全成熟度: Whether a company is a startup or sits in an industry that historically wasn’t a big attacker target, 他们可能拥有被安全领导人视为不成熟的技能. And an immature security program simply cannot exist in today’s hyperactive attacker environment. 每个SOC最终都会面临一个可怕的威胁——或者许多可怕的威胁. 有一个预算来解决不成熟的问题是很好的, 但如果没有战略性的人才获取计划, 那就不会有成功.
  
  An MDR provider can rapidly take on tasks as well as advise a SOC on refining 和 scaling their program. This frees up in-house staff to focus on more strategic projects that help push security maturity to the next level.

耐多药是如何起作用的?

Managed detection 和响应 works by enabling a customer’s ability to leverage the provider’s SOC team for 24x7x365 security operations coverage. MDR可以快速扩展SOC的人员数量，从而使团队能够更好地: 

• 检测到的威胁
• 分析威胁
• 调查的威胁
• 积极应对威胁
• 关注优先事项而不是威胁

通过在客户的整个环境中提供完整的覆盖, MDR can impart security practitioners with the visibility to see when 和 where malicious-looking activity may be taking place. 供应商还应能够帮助客户: 

• 确定对特定环境的目标威胁
• 修复任何受影响的系统
• 集中精力消除威胁
• 为将来更好地保护受影响的系统提供建议
• 剔除良性事件，只报道真正积极的威胁

The ultimate goal of an MDR provider should be to help a customer’s SOC achieve a turnkey D&R程序 without the significant financial investment 和 stress – as well as the time it would take to interview talent while keeping the SOC running – to build a ground-up, 内部程序.

耐多药的好处是什么?

耐多药的好处很多, 特别强调创造一个压力较小的SOC环境. 与真正的MDR合作伙伴合作的其他主要好处包括:

• 改进的安全态势: 通过聘请一组专家来扩展D&R功能, SOC可以更早地发现风险, 缩小攻击面, 准备好调查 数字取证和事件响应(DFIR) 技术.
  
  
• 投资回报: An MDR partner should be able to provide meaningful ROI in a reasonable amount of time (3-5 years). 例如, 快速MDR服务 我们能够为客户提供平均近5.3年5倍的投资回报率. 通过提高警报检测的效率, 调查, 和响应, 安全组织可以节省成本再投资到其他地方.
  
  
• 使用检测和响应工具: MDR客户通常可以访问提供商的D&R技术，这样他们就可以在底层平台上学习. 他们还可以利用该平台执行自己的警报调查. 客户也应该能够访问 网络流量分析、用户行为分析(UBA)等.
   
• 更快的威胁或漏洞修复: 从每周花在补救上的几个小时到每周只花几分钟, a trusted MDR partner should be able to transform a SOC’s ability to perform remediation. The average time to remediate will significantly decrease with the provider’s ability to create a plan of action specifically tailored to a customer’s environment.
  
  
• 使用网络分析进行更快的调查: A good MDR provider should also be able to rapidly ingest network device data so they can put it to work for a customer. 网络数据是轻量级的, 轻松地搜索, 和 can quickly pinpoint the exact location of an attacker in the network to identify the scope of the breach. Leveraging this data allows analysts to take action 和 underst和 what’s going on across the network layer, 将事件关联到 端点. 该过程有助于早期发现威胁, 以及为调查添加上下文以更好地理解攻击者的行为.

MDR用例

由于许多原因，耐多药可能是一种有利的解决方案, but let’s look at some of the specific use cases a managed services partner should be able to address in order to add value to your security organization: 

• 检测受损用户和横向移动.
  
• 通过自动化繁琐的手动任务，为分析人员节省关键时间.
  
• Address host 和 endpoint containment to limit the amount of damage malware propagation – 或者其他攻击 -可以引起.
  
• 通过从用户行为分析中收集见解，以更高的保真度检测攻击者, 日志分析, 攻击者行为分析.
  
• Validate threats with greater visibility by ingesting data from disparate technology environments.
  
• Stay in compliance with regulatory frameworks by implementing specific security controls.

MDR vs. 其他托管安全解决方案

MDR与MSSP或EDR(端点检测和响应)有何不同?? It’s all about the capabilities a SOC is looking to acquire or accentuate 和 the budget earmarked for those specific services. 

MDR vs MSSP

MSSP提供一系列广泛的服务，MDR可能只是其中之一. 所以，如果顾客只想要一个D&R的解决方案, a general MSSP providing SOC-as-a-Service solutions could be more than they need 和 unnecessarily stretch the security budget. 

MDR vs EDR

EDR是一种解决方案 它应该被整合到一个更大的网络和云跨越中&R的解决方案. It is typically an add-on service that focuses specifically on endpoint threats 和 containment. 任何潜在的MDR合作伙伴都应该将EDR作为其托管服务产品的一部分. 

更大的解决方案应该具有威胁检测功能, 狩猎, 和 containment; incident validation 和响应; behavior analytics; automation; 和 a deeper dive into attack details than a st和alone EDR的解决方案 or managed service can offer.

如何选择MDR服务

Researching 和 subsequently engaging the services of an MDR provider is no small task – but it also doesn’t have to be a drawn-out process similar to that of st和ing up an in-house D&R程序. Only the customer searching for an MDR的解决方案 knows the core challenges 和 needs of their SOC.

The following can act as a h和y guide for evaluating a potential MDR provider against eight core capabilities, 根据SOC的具体和独特需求: 

1. MDR分析师经验 
2. 扩展的检测和响应技术
3. 扩展SOC的伙伴关系
4. 威胁狩猎
5. 明确服务期望和结果
6. 扩展MDR专业知识
7. 安全编排、自动化和响应(高飞)
8. 竞争性MDR定价

阅读更多关于托管检测的信息 & 响应

了解Rapid7 MDR服务如何工作

比较MDR供应商

Gartner®报告:选择MDR供应商时要问的问题

MDR, MEDR, SOCaaS:哪个适合你?

管理检测 & 回应:来自博客的最新消息

MDR产品导览