
Managed Detection and Response (MDR) Service

What is MDR?

Managed Detection and Response (MDR) is a cybersecurity service that combines technology and human expertise to perform threat hunting, monitoring, and response. Its main benefit is that it helps to quickly identify and limit the impact of threats without requiring additional in-house personnel.

An MDR service remotely monitors, detects, and responds to threats within your organization. To do this, the service provider deploys an endpoint detection and response (EDR) tool, which provides the necessary visibility into security events at the endpoint. Once that visibility is in place, telemetry from the endpoints is collected in a central console where, with the help of threat intelligence and advanced analytics, suspicious events are quickly detected and responded to.

What are the main characteristics of the services offered by MDR?

The most basic characteristic of an MDR service is the detailed detection of cyber attacks that classical protection solutions cannot detect or prevent, and intervention in these attacks as close to their source as possible. To run the advanced detection and intervention processes offered by MDR at the endpoints, software with specialised capabilities, known as EDR, is used.

Within the scope of the MDR service, cyber threat intelligence about attacks against the organization itself, and against other domestic and foreign organizations in the same sector, is defined broadly for use in all processes. Many commercial and non-commercial threat intelligence sources are used in this step.

Independently of the SOC processes operated by the organization, the technologies mentioned above, which increase visibility at the endpoint and network layers, are monitored and operated 24/7 by the dedicated team providing the MDR service.

If the organization already has an outsourced SOC service, the MDR and SOC providers can work in a coordinated manner and feed each other with data. However, MDR takes on the most critical role: detecting cyber incidents and responding to them rapidly and accurately. The organization's defined processes are reviewed and rearranged specifically for this purpose.

Because traditional security monitoring approaches are cumbersome and inadequate for incident response, an MDR service is critically important for detecting and intervening in a cyber attack on the corporate network as quickly and accurately as possible. Accordingly, MDR services are being adopted by more and more companies and businesses every day.

What is MDR used for?

  • Reduces the probability or impact of successful attacks.

  • Provides 24/7 visibility covering all assets in the organization.

  • Ensures continuity by researching new threats and security vulnerabilities.

  • Balances technology with human expertise at its core to deliver accuracy and value.

  • Provides tailored response approaches that reflect the business context and the context and cause of the attack.

  • Provides reliable, accessible and useful results and reports.

SOC and MDR Comparison

MDR services are sometimes confused with services offered by SOCs. The following diagram from Gartner explains this.

[Figure: Gartner diagram comparing SOC and MDR services]

Cybersecurity monitoring and management services provided within the scope of a SOC aim to detect and prevent cyberattacks using traditional security tools, with the help of known attack signatures (at the endpoint, at the gateway, or in the log collection center). SOCs, which monitor and manage organizations' cybersecurity infrastructure, are critically important for preventing known cyberattacks. At the same time, many organizations accept that today's cyberattacks are highly advanced and that the technologies and processes of the classic SOC approach are inadequate for detecting and responding to them. The MDR service increases organizations' resilience against advanced cyberattacks by introducing technologies and services that put people at the center. Below, SOC and MDR services are compared along the main steps of the incident response process.

VERIFICATION

The biggest problem SOC analysts face is the need to verify in detail every event that the SOC's technologies flag as a cyber attack and raise an alert for. All SOCs are known to deal with a high number of false positive alerts, and many add further technologies to their security infrastructure just to reduce that number. Even so, the SOC analyst's biggest problem remains determining whether an incoming alert is genuine. In particular, because alerts are typically raised far from where the attacker is actually acting and the events before and after them are not recorded, one of the most fundamental problems for SOCs is that it is not known whether an alert belongs to a real cyber attack and, if it does, what happened before and after the incident.

One of the most fundamental things that distinguishes MDR analysts from SOC analysts is the technology they use. With access to detailed trace records that can verify a cyber attack on the very components of the internal network where it occurs, and to attack alerts generated from behavioral models of similar attacks, MDR analysts can detect cyber incidents in real time and act very rapidly on detected attacks. Considering that advanced attackers aim to reach their targets in a very short time, it becomes clear how vital the ability to verify and act quickly is.

DETAILED REVIEW

The core of the processes operated by SOCs is the collection of records from many sources into a centralized log server (SIEM) and the detection and verification of incidents from these records. Collecting a large number of records from many different systems in one place makes it necessary to correlate them. The first condition for successful correlation is collecting the right records from the relevant technologies. In many cases, SOC processes remain incomplete and a successful incident investigation cannot be carried out because the records produced by those technologies lack sufficient detail, and obtaining more detailed records requires additional processes to be run.

Thanks to the detailed records and processes provided by the technologies used by MDR providers, the root cause of a cyber attack can be determined very quickly. Rapidly revealing the root cause is key both to stopping the current attack quickly and to identifying the actions needed to prevent similar attacks in the future.

PREVENTION

The processes in place to prevent cyberattacks detected by SOCs often depend on actions taken by third parties, which can slow down the response and allow the cyberattack to continue during this time.

The most important feature of the technologies used by MDR providers is their advanced intervention capability, which allows detected cyber attacks to be stopped as quickly as possible. MDR providers can therefore intervene without support from any third party and, when necessary, isolate the attacked component from the network, collect digital traces of the attack, and quickly search all other monitored system components for similar traces to reveal how far the attack has spread.

PROACTIVE CYBER HUNTING AND THREAT HUNTING

Many technologies used in SOC infrastructures are signature-based, so the success of preventing a cyber attack depends on whether signatures for that attack exist in the technologies in use. In particular, the signatures of almost all advanced attacks seen today are either completely unknown, or the attackers carry out the attack using the operating system's own built-in tools without bringing any external tools, which makes these attacks impossible to detect with signature-based systems.

The entire toolkit used by MDR providers aims to give full visibility into systems, so that all tools and methods used by attackers are recorded in detail on those systems. MDR analysts examine these records in detail and carry out threat hunting to detect cyber attacks that the deployed technologies have not detected.

EDR Platforms

Thanks to the EDR technologies used within the MDR service, records of all operations performed on the operating system are collected by an agent installed on every server and client and sent to a central server. In this way, records of all activity on the computer, such as applications run, files opened, and network addresses connected to, are kept centrally, and cyber incidents can be detected very quickly with the help of the threat intelligence sources enabled on that server.

This method gives very good results, especially in detecting cyber attacks that are indicated by certain behavioral patterns and in revealing their root causes. Another feature of these platforms is the ability to intervene: computers or servers subjected to an attack can be completely isolated from the network, applications can be run on them through the EDR platform, or the necessary files can be collected from endpoints for detailed analysis of the attack.
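As an added illustration of the verification and root-cause steps described above (this is example code written for this page, not code from META CYBER or any EDR vendor), the following minimal Python pipeline runs over constructed endpoint telemetry: it flags events by matching a threat-intelligence indicator and by one behavioral rule (a built-in system tool launched by an office application, the "no external tools" case), then walks the process ancestry to recover what happened before the alert. All PIDs, image names, paths and the indicator address are constructed sample values.

```python
# Constructed sample telemetry: one record per endpoint event (not real data).
EVENTS = [
    {"id": 1, "type": "process", "pid": 410, "ppid": 1, "image": "explorer.exe"},
    {"id": 2, "type": "process", "pid": 522, "ppid": 410, "image": "outlook.exe"},
    {"id": 3, "type": "process", "pid": 731, "ppid": 522, "image": "winword.exe"},
    {"id": 4, "type": "process", "pid": 845, "ppid": 731, "image": "powershell.exe"},
    {"id": 5, "type": "network", "pid": 845, "dest": "198.51.100.23"},
    {"id": 6, "type": "file", "pid": 845, "path": "C:\\Temp\\upd.dll"},
    {"id": 7, "type": "network", "pid": 522, "dest": "203.0.113.9"},
]

# Constructed threat-intelligence indicator (documentation address, not a real IoC).
INTEL_ADDRESSES = {"198.51.100.23"}

# Behavioural rule: built-in tools are suspicious only when launched by an
# application that normally never starts them (no attacker-supplied binary needed).
SYSTEM_TOOLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}


def index_processes(events):
    """Map pid -> process-start record so parents can be looked up."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def detect(events):
    """Signature-like intel matching plus one behavioural rule; returns alerts."""
    procs = index_processes(events)
    alerts = []
    for e in events:
        if e["type"] == "network" and e["dest"] in INTEL_ADDRESSES:
            alerts.append(("intel_match", e["pid"], e["dest"]))
        elif e["type"] == "process" and e["image"] in SYSTEM_TOOLS:
            parent = procs.get(e["ppid"])
            if parent and parent["image"] in OFFICE_APPS:
                alerts.append(("office_spawned_system_tool", e["pid"], parent["image"]))
    return alerts


def root_cause(events, pid):
    """Walk the parent chain upward: the 'what happened before' a lone alert lacks."""
    procs = index_processes(events)
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def related_activity(events, pid):
    """Everything the flagged process did afterwards: files touched, connections made."""
    return [e for e in events if e["pid"] == pid and e["type"] != "process"]
```

Both alerts point at the same process, and its ancestry shows the document opened from the mail client as the origin, which is the root cause an analyst would act on and the context a single gateway alert would not carry.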

As META CYBER, we use technologies developed by leading manufacturers in the MDR service we offer. Our customers benefit from the MDR service in the best possible way thanks to the visibility gained after deploying the EDR technology that we select entirely according to their needs.
