MDR stands for Managed Detection Response. It is a type of Detection Response. Before we dive deep into MDR, let's first understand what Detection Response is; we will discuss MDR itself later in the post.

Topics we will be covering in this post

  • What is Detection response?
  • Introduction to MDR
  • How MDR differs from traditional security solutions
  • How MDR works


What is Detection Response?

Detection response is an information security process that helps in identifying threats and mitigating them. 

Identifying the threats is detection, and mitigating them is the response. Mitigation is subjective: MDR responds to the threat, but can it eliminate the threat? Yes, sometimes; it depends on the response action you have configured.

How does MDR differ from traditional antivirus, firewalls and SIEM?

Antivirus detects malware but doesn't remediate an infected machine, and it works based on signatures. Similarly, firewalls and SIEMs work on rules, but MDR can respond to any detected malware. Response actions include isolating devices, taking a backup, enabling termination protection and many more.

Another advantage of MDR: antivirus is limited to endpoints, but MDR can be integrated with any platform.

Firewalls and antiviruses are like locked doors, but MDR is like a SOC team that investigates and responds to incidents.

Let's not go too deep into MDR here, as it has a very wide scope and we could discuss it all day long. Let's dive into how it works.

How does MDR work?

Before getting into how MDR works, there are a few components we need to discuss:

  • Data collection
  • Threat Intelligence integration
  • Analysis and Detection
  • Automated Response
  • Post incident

These are the components that almost all MDRs have and build on. Let's take a look at each of them.

Data collection: This component consists of all the data sources from which the MDR collects data, such as logs, alerts, events and more. You can integrate any tool with the MDR and tune the MDR to identify threats and respond.

Threat Intelligence: MDRs pull data from their threat-intelligence feeds to keep them updated with the latest threats and

Analysis and Detection: This is where the MDR investigates to analyse and decide whether an event is a security incident or just another benign event.

Automated Response: Most MDRs work on top of playbooks, which are sequences of steps built by AI or with human assistance. These playbooks define what response has to be initiated.
Example: malware has been detected on one of the corporate devices, and the response action is to disable its network cards or kick the device off any VPN. There are many actions you can tune the MDR to take; the sky is the limit.

Post Incident: This part is optional, for example if you would like to collect data for forensics or mitigate the vulnerability by uninstalling the vulnerable app or patching it.
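To make the five components concrete, here is an added example (not code from the original post or from any MDR vendor) of a toy MDR pipeline in Python. It also illustrates the earlier comparison with antivirus: the hash and IP lookups are plain signature/IOC matching, while the "executable started from a Temp directory" rule and the playbook-driven response are the kind of logic an MDR adds on top. Every log line, hostname, hash, IP address and playbook action below is constructed for illustration; a real MDR would call the EDR or firewall API where this code only records the action.

```python
"""Toy MDR pipeline: data collection -> threat intel -> analysis/detection
-> automated response (playbook) -> post-incident evidence bundle.
All events, indicators and hosts are constructed for this example."""
from dataclasses import dataclass
import json

# --- 1. Data collection: constructed EDR and firewall log lines (JSON) ---
# The third line is deliberately malformed to show that collection must not crash.
RAW_EVENTS = [
    r'{"source":"edr","host":"ws-017","user":"alice","event":"process_start","image":"C:\\Users\\alice\\AppData\\Local\\Temp\\inv0ice.exe","sha256":"aaaa1111"}',
    r'{"source":"firewall","host":"ws-017","event":"outbound","dst_ip":"198.51.100.23","dst_port":443}',
    r'this line is not json and simulates a corrupted log record',
    r'{"source":"edr","host":"ws-042","user":"bob","event":"process_start","image":"C:\\Windows\\System32\\notepad.exe","sha256":"bbbb2222"}',
    r'{"source":"firewall","host":"ws-042","event":"outbound","dst_ip":"93.184.216.34","dst_port":443}',
]

# --- 2. Threat intelligence: constructed IOC feed (file hashes and C2 IPs) ---
THREAT_INTEL = {
    "sha256": {"aaaa1111": "Constructed.Dropper"},
    "ip": {"198.51.100.23": "constructed-c2"},
}

# --- 4. Automated response: playbook maps a detection rule to ordered actions ---
PLAYBOOK = {
    "ioc_hash_match": ["isolate_host", "kill_process", "collect_forensics"],
    "ioc_ip_match": ["block_ip", "isolate_host", "collect_forensics"],
    "exec_from_temp": ["notify_analyst"],
}


@dataclass
class Alert:
    host: str
    rule: str
    severity: str
    evidence: dict


def collect(raw_lines):
    """Parse collected log lines; skip malformed records instead of failing."""
    events = []
    for line in raw_lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def analyse(events, intel):
    """Detection: IOC matching (what antivirus does) plus a behavioural rule."""
    alerts = []
    for ev in events:
        if ev.get("event") == "process_start":
            family = intel["sha256"].get(ev.get("sha256"))
            if family:
                alerts.append(Alert(ev["host"], "ioc_hash_match", "high",
                                    {"family": family, "image": ev["image"]}))
            elif "\\Temp\\" in ev.get("image", ""):
                # Unknown hash, but execution from a user Temp folder is suspicious.
                alerts.append(Alert(ev["host"], "exec_from_temp", "medium",
                                    {"image": ev["image"]}))
        if ev.get("event") == "outbound":
            tag = intel["ip"].get(ev.get("dst_ip"))
            if tag:
                alerts.append(Alert(ev["host"], "ioc_ip_match", "high",
                                    {"dst_ip": ev["dst_ip"], "tag": tag}))
    return alerts


def respond(alerts, playbook):
    """Run playbook actions; actions are simulated by recording them."""
    actions_taken = []
    isolated = set()
    for alert in alerts:
        for action in playbook.get(alert.rule, ["notify_analyst"]):
            if action == "isolate_host":
                if alert.host in isolated:
                    continue  # idempotent: do not isolate the same host twice
                isolated.add(alert.host)
            actions_taken.append((alert.host, alert.rule, action))
    return actions_taken, isolated


def post_incident(alerts, actions_taken):
    """5. Post incident: per-host evidence bundle for forensics and remediation."""
    report = {}
    for alert in alerts:
        entry = report.setdefault(alert.host, {"alerts": [], "actions": []})
        entry["alerts"].append({"rule": alert.rule, "severity": alert.severity,
                                "evidence": alert.evidence})
    for host, _rule, action in actions_taken:
        report[host]["actions"].append(action)
    return report


def run_pipeline(raw_lines=RAW_EVENTS, intel=THREAT_INTEL, playbook=PLAYBOOK):
    events = collect(raw_lines)
    alerts = analyse(events, intel)
    actions, isolated = respond(alerts, playbook)
    return {"alerts": alerts, "actions": actions, "isolated": isolated,
            "report": post_incident(alerts, actions)}


if __name__ == "__main__":
    print(json.dumps(run_pipeline()["report"], indent=2))
```

On the constructed input, ws-017 triggers both a hash match and a C2 IP match, so the playbook isolates it once, kills the process, blocks the IP and collects forensics, while ws-042 produces no alert at all. The playbook is just a dictionary here; in practice it is the part you tune, and keeping high-impact actions such as host isolation idempotent and scoped to high-severity rules is what stops an automated response from doing more damage than the threat.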

MDR is like having your own SOC team that doesn't sleep. This is a very brief overview of what MDR is and how it works.
