The world of IT can be a confusing place.聽
There are many different sectors and disciplines, and they all have their own ways of approaching and solving problems. This inevitably leads to confusion, as each company or department uses the same terminology with a variation in definition depending on their own thoughts and ideas.聽
We鈥檝e decided that we wanted to provide some clarity about these confusing situations and dive into the wonderful world of 鈥榤anaged鈥 cybersecurity.
First off, the word 鈥渕anaged鈥 is pretty self-explanatory. We鈥檙e not here to pick any fights with Merriam-Webster.聽
But when looking at the word 鈥渕anaged鈥 in the world of cybersecurity, there鈥檚 some variation in how vendors will use the word to describe the solution or service they offer. This comes up a lot with endpoint detection and response (EDR) 蝉辞濒耻迟颈辞苍蝉.听
When we talk about managing an EDR, this is the element of human interaction鈥攕omeone actively looking into security issues that the solution flags and curating a report or response to mitigate the threat.
We will give examples of what we鈥檝e seen 鈥榤anaged鈥 mean in our space and dive down into what managed means to us.
Touching on the original point made around confusion, this really does stem from the acronym soup that is prevalent within our space. We explored a much broader look at this chaos in a previous blog. Today, we are going go with a depth-first approach, talking about:
Anyone looking at this list and thinking it鈥檚 a little 鈥榣ight鈥 would be correct. There are many more managed acronyms out there that refer to some level of management; however, we wanted to add a little specificity to what we are looking at and define it more toward 杏吧传媒.聽
Starting with the most general of this group, the MSSP (managed security services provider) acronym describes an organization that takes a generalist approach to managing security technologies. An MSSP often manages many tools from different vendors for their customer base. They are responsible for maintaining and managing these security tools and programs spanning areas such as network, identity, endpoint, and vulnerability. MSSPs ensure these tools and programs are delivering the technical function they are meant to perform, often focusing on prevention and alerting as outcomes.
MDR (managed detection and response) companies take a more targeted approach to your security. The primary focus of this type of offering is a team of security experts looking into data and telemetry being fed to them by a tool or group of tools to provide insight into any security threats going on within a customer鈥檚 environment. The emphasis is really placed on helping you out of a bad situation should a compromise happen. MDR will usually rely pretty heavily on artificial intelligence (AI) and machine learning (ML) to optimize the process for the human analysts looking into the threats that are presented. Is it very common for MDR offerings to be built around EDR products due to the visibility that they offer. However, providing meaningful security coverage from visibility into network or user authentication behaviors is possible.
We mentioned that EDR is the foundation of many MDR offerings, and to wrap up our conversation around 鈥渕anaged,鈥 we wanted to talk about the two different types of managed EDR that we see out in the market. First, we鈥檒l take a look at third-party managed EDR. This is where a company will take over 鈥渙wnership鈥 of another vendor鈥檚 EDR solution, offering help and advise where they can on the solution itself, as well as ingesting all information pertaining to threats the solution sees. From here, they will curate incident reports and suggestions on how to remediate any full-blown issues that are seen; however, the drawback is it鈥檚 not their EDR, so there is a limit to how much they are able to do.
Enter first-party managed EDR! This is one of those 鈥榖est of both worlds鈥 situations. With first-party managed EDR, the product is a combination of visibility from the native software vendor and monitoring from subject matter experts who know their software inside and out. This makes sure that every element of the EDR itself is looked after and maintained, and establishes a virtuous cycle where the subject matter experts have a direct influence on the capabilities of the software.
Okay, we鈥檝e set the scene and are now in a pretty solid place for understanding what each of the common acronyms means.聽
So which one does 杏吧传媒 do? In the context of this conversation, we do the first-party managed EDR one (we offer other solutions, but for this blog, we are solely focusing on our Managed EDR offering).
Now, that could be it; we could stop there and have imparted some wisdom for the day. However, I don鈥檛 think this is the place to stop. We are striving to be different after all, and of course we aren鈥檛 the only ones that offer managed EDR out there, so let's change the question slightly鈥
In the simplest terms, 杏吧传媒' 24/7 SOC (security operations center) is how we deliver Managed EDR.聽
Our SOC team is the life source of how we make sure that we are managing the EDR effectively. Our security researchers are digging into emerging threats to understand how we might detect them, while our 24/7 analysts filter out the noise and report on the true threats that arise for our partners and customers around the world.
As we spoke about above, management of an EDR versus a managed EDR (third-party vs. first-party) is a pretty big differentiation to be made; however, both are going to offer levels of detection and response of threats within a company's endpoints. It becomes more specific and definitive when it鈥檚 everything is coming from the same vendor, allowing greater understanding and visibility into the data.
And it鈥檚 not just the technology differences that define 杏吧传媒. Many MDRs send unactionable, vague, or overly complicated reports after investigating an alert, requiring more investigation as to whether or not the MDR company sent something that was malicious or just something that looked malicious but is actually expected.
杏吧传媒 does that differently.
Our reports are curated by the good ol鈥 human investigators in our SOC team, giving you a solid understanding of which system(s) are affected, a straightforward explanation of the security phenomena and threat, and then guidance and recommendations of the next steps that make contextual sense.聽
Let鈥檚 get specific on the differentiators a 杏吧传媒 report brings.
After our carefully curated detection logic highlighted suspicious activity to our team, a manual investigation was done to understand how this intrusion came to be. The information gathered was summarized in the report in the simplest of ways. This approach empowers the reader to remediate the infection, recover systems (when needed), and harden their network to prevent a recurrence. And in many intrusions, we鈥檙e even able to offer one-click assisted automated remediations鈥攆or example, eradicating a persistent cryptominer infection from your host.聽
And let's not forget our Support team. When reported recommendations or remediations are not working, we have our human support squad who are a web chat away to offer assistance, information, and resources to get the host(s) back into a healthy state.聽
Now, if all that wasn鈥檛 enough, another great point to make about using humans over the AI Overlords鈥攊t鈥檚 very hard for AI to distinguish between something that actively needs some human interaction and something that is just 鈥榥oise鈥.
Automated alerts and reports often just work by stating, 鈥淚 noticed this, looks bad, here鈥檚 an info dump, someone should look into it,鈥 or worse, an automated system will respond undesirably on flimsy evidence鈥攆or example, an automated system isolating and taking a machine offline erroneously. An overreliance on 鈥渋ntelligent鈥 technologies can increase the speed of response and decrease human cost, but this far too often means sacrificing accuracy and clarity on why an action was suggested/taken.聽聽聽
Whilst 杏吧传媒 doesn鈥檛 pretend to be perfect, we aspire to be as close to perfect as possible. From the development of our EDR technology, to the detections that are conjured, to the alerts that are investigated and reported鈥human beings at 杏吧传媒 are leveraging automations but are not beholden to them.
We鈥檙e constantly using context and refining evidence to make the best decisions to issue reports and guidance for true positive threats and never inundate our community with needless noise.聽
Sorry, normally I鈥檓 pretty good at starting with a solid tl;dr (too long; didn鈥檛 read for anyone that has waited too long and now is just afraid to ask what that means鈥攖hank you for that, internet!). However, with this blog, there was way too much great information for me to give the game away at the start, so here we are鈥β
Hopefully, this clears up some of the confusion out there, or if nothing else, illuminates our awesome SOC team even more. If you鈥檙e keen to see some of the humans hunting for the insidious and hideous threats at 杏吧传媒, give , , , Dray,听辞谤 a follow!
Get insider access to 杏吧传媒 tradecraft, killer events, and the freshest blog updates.
