Companies engage with a managed detection and response (MDR) provider to help ensure they detect cyber threats before they do any damage. The "response" part of the MDR moniker is key to that effort, making it vital to determine up front exactly what your chosen provider will do when it detects a threat in your environment.
Poll a few MDR providers, and you will quickly find their definitions of response vary. The response may mean isolating a user whose machine is infected and restricting or blocking certain networks or IP addresses. Depending on the severity of the threat, a response could mean launching a forensic investigation or engaging a Digital Forensics and Incident Response (DFIR) team to investigate and contain the threat. You may also be surprised to find that some MDR providers do not take any responses at all.
It all depends on the MDR provider’s capabilities, including any related services the provider offers. Gaining a full understanding of those capabilities is essential to avoid a situation where your MDR provider identifies a serious threat but leaves it up to you to eradicate it or scrambles to patch together a solution.
When it comes to response, there's a notion in cybersecurity of little "r" vs. big "R." Understanding the difference and asking the right questions can help determine what kind of response to expect from a given MDR provider.
Little r refers to the steps a provider can take to contain a threat immediately. That could mean changing the configuration of a firewall to block a specific port or writing a rule on an intrusion prevention system. It could also mean using an endpoint detection and response (EDR) tool to isolate a device that’s under attack to prevent the threat from spreading.
The exact response an MDR provider can take will depend on policies set up beforehand that dictate the provider’s level of access to the environment. Trustwave, for example, uses a risk-based response protocol that uses traffic light colors for every asset it manages. Clients agree that Trustwave can immediately act on devices the client deems low-risk (green), alert the client before acting on medium-risk devices (orange), and alert with recommendations but take no action on high-risk devices (red).
The big R response involves services that are typically outside the realm of MDR but that you may require in response to a confirmed breach.
If a threat results in a security breach, you may need a formal incident response or forensic investigation. Such a response typically involves a digital forensics and incident response (DFIR) team staffed with specialists.
As the name implies, a DFIR team conducts forensic investigations to determine the source and extent of the breach so you can eradicate it.
A DFIR engagement may also include collecting evidence and maintaining chain of custody documentation. Such documentation can be crucial if the incident eventually involves litigation or a criminal case.
Some MDR providers, like Trustwave, have in-house DFIR teams. In such cases, they can be deployed immediately upon learning of a breach—typically within 15 minutes in Trustwave's case. Depending on your business, it may also be important to ask about the geographic reach of a DFIR team. While DFIR teams can conduct many engagements remotely, some require boots on the ground, meaning your provider needs to have a presence in any region where you have offices.
MDR providers that do not have DFIR in-house may partner with a third-party provider. In such cases, ask the provider what kind of response time to expect. Anything more than an hour is probably not palatable. Ask, too, about how the DFIR provider will be onboarded in an emergency situation and provided with access to data about your environment and its configuration. If the provider starts from ground zero, investigators will need to spend valuable time getting up to speed.
For Trustwave MDR clients with Trustwave’s in-house DFIR services, the Trustwave DFIR team will have immediate, real-time access to the latest information on an active investigation of a confirmed breach. Upon suspicion of a breach, Trustwave DFIR immediately engages with the MDR team to begin the forensic investigation process. No valuable time is lost before starting remediation actions.
Such complementary services help set Trustwave MDR apart from the competition and ensure you get a proper response when needed, whether it's little r, big R, or both. To learn more, visit the Trustwave MDR webpage, download the 2023 Gartner Market Guide for Managed Detection and Response Services, or read about Trustwave’s inclusion in the 2023 Gartner Market Guide for Digital Forensics and Incident Response Services.