This blog post is part of an ongoing series about evaluating Managed Detection and Response (MDR) providers. For more insights, check out our guide, “10 Things Your MDR Service Must Do.”
Assessing Managed Detection and Response (MDR) vendors is no easy task. However, evaluating each based on predetermined tactical prescriptions for what a provider can offer your business can help ensure you are hiring the right fit for you and your team.
One key area your MDR vendor must excel in is the deep observation of real-time endpoint data. This blog post will cover why this is such an important part of the MDR promise and break down the Rapid7 MDR team’s approach.
The importance of endpoint data
These days, few significant breaches occur without attacker activity on the endpoint, whether these are workstations, laptops, servers, or cloud assets. The best MDR services combine deep visibility at the endpoint, including real-time forensics capabilities with authentication, network, and log data. Without endpoint telemetry, it’s impossible to see start/stop processes and correlate notable events to determine whether there’s anomalous activity indicative of an attacker.
But this doesn’t mean endpoint detection and response (EDR) is always the answer. It takes a combination of User Behavior Analytics (UBA), Log Analytics, and Attacker Behavior Analytics (ABA) to correlate and detect attackers with higher fidelity.
MDR services that only place sensors on the endpoint will not only miss attacks, but they’ll lack context on who does what in the company. Unlike your internal team, third-party analysts don’t know who is regularly on the road or who requires elevated privileges to do their job.
For example, employees may need to enable unusual browser extensions when delivering webcasts with third-party providers. That would be a less-than-ideal moment for their asset to be contained mid-demo.
Not only is an EDR-like tool needed for endpoint fidelity, but it also needs to provide visibility for your MDR provider to see Enhanced Endpoint Telemetry (EET) into when processes start and/or stop on each endpoint.
Typically, finding the entry point on an endpoint isn’t straightforward – maldocs may be delivered via phishing emails, browsers can be exploited using tools like BeEF, exploitable programs may have opened ports on a user’s laptop, etc.
Those instances are more difficult to detect and require MDR analysts to use process start/stop data to identify when a document spawns processes it’s not supposed to—like a Microsoft Word doc spawning PowerShell.
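The parent-child check described above (a document-handling application spawning a shell or script host), as an added illustration that is not Rapid7 code and does not reflect how the Insight Agent or InsightIDR implement detections. It runs a small allow/deny policy over constructed process-start records; the record format, field names, the `SUSPICIOUS_CHILDREN` policy table and the sample hosts, users and PIDs are all assumptions made for the example.

```python
# Added example, not Rapid7 code: flag child processes that an Office
# application should not normally spawn, using process-start telemetry.
# Record format, policy table and sample data are constructed for this demo.
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed policy: parent image -> child images that are anomalous for it.
# This is the "Word doc spawning PowerShell" case from the post, generalized
# to a few other Office parents and script hosts.
SUSPICIOUS_CHILDREN: Dict[str, Set[str]] = {
    "winword.exe": {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"},
    "excel.exe": {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"},
    "outlook.exe": {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"},
}


@dataclass
class ProcessStart:
    ts: str
    host: str
    user: str
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_event(line: str) -> ProcessStart:
    """Parse one constructed 'key=value|key=value' process-start record.

    The constructed format keeps '|' out of the command line; a real agent
    format would be structured (JSON or similar) and need no such assumption.
    """
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return ProcessStart(
        ts=fields["ts"],
        host=fields["host"],
        user=fields["user"],
        pid=int(fields["pid"]),
        ppid=int(fields["ppid"]),
        image=fields["image"].lower(),  # normalize case for matching
        cmdline=fields["cmdline"],
    )


def find_suspicious_spawns(events: List[ProcessStart]) -> List[dict]:
    """Join each child to its parent start event and apply the policy.

    Events are keyed by (host, pid): PIDs are only unique per host, so a
    child on one host must never be joined to a same-numbered parent on
    another. A child whose parent start was never observed is skipped,
    since there is nothing to compare against.
    """
    by_pid = {(e.host, e.pid): e for e in events}
    findings = []
    for child in events:
        parent = by_pid.get((child.host, child.ppid))
        if parent is None:
            continue
        if child.image in SUSPICIOUS_CHILDREN.get(parent.image, set()):
            findings.append({
                "ts": child.ts,
                "host": child.host,
                "user": child.user,
                "parent": parent.image,
                "child": child.image,
                "child_pid": child.pid,
                "cmdline": child.cmdline,
            })
    return findings


# Constructed sample telemetry: one Word->PowerShell spawn on WS01, a benign
# Word->print helper spawn, an interactive Explorer->cmd spawn, and an
# orphaned PowerShell start on WS02 whose parent event was never captured.
SAMPLE_EVENTS = [
    "ts=2024-01-01T10:00:00Z|host=WS01|user=jdoe|pid=100|ppid=1|image=explorer.exe|cmdline=explorer.exe",
    "ts=2024-01-01T10:01:00Z|host=WS01|user=jdoe|pid=200|ppid=100|image=WINWORD.EXE|cmdline=winword.exe invoice.docm",
    "ts=2024-01-01T10:01:05Z|host=WS01|user=jdoe|pid=300|ppid=200|image=powershell.exe|cmdline=powershell.exe -NoProfile -File C:\\Temp\\report.ps1",
    "ts=2024-01-01T10:02:00Z|host=WS01|user=jdoe|pid=210|ppid=100|image=WINWORD.EXE|cmdline=winword.exe memo.docx",
    "ts=2024-01-01T10:02:30Z|host=WS01|user=jdoe|pid=310|ppid=210|image=splwow64.exe|cmdline=splwow64.exe 12288",
    "ts=2024-01-01T10:03:00Z|host=WS01|user=jdoe|pid=400|ppid=100|image=cmd.exe|cmdline=cmd.exe",
    "ts=2024-01-01T10:04:00Z|host=WS02|user=asmith|pid=300|ppid=200|image=powershell.exe|cmdline=powershell.exe -NoProfile -Command Get-Date",
]


def run_demo() -> List[dict]:
    """Parse the constructed sample and return the findings."""
    return find_suspicious_spawns([parse_event(line) for line in SAMPLE_EVENTS])


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Only the WS01 Word-to-PowerShell spawn is reported; the print helper and the interactive shell from Explorer pass, and the WS02 PowerShell start is ignored because its parent was never seen. The per-host key in the join is the detail that matters most in practice: PID 300 exists on both hosts, and a join on PID alone would attribute the WS02 process to the WS01 Word parent.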
Response and reporting from your MDR provider
The job of your MDR provider is to tell you exactly what happened, including answering questions such as:
- How did the attacker get in?
- What TTPs did the attacker use?
- Where did the attacker move to?
- What credentials were used?
- What data was accessible?
- What data was exfiltrated?
- Is the attacker still in the environment?
- Did they establish any persistence mechanisms?
- What specific steps can you take to remediate?
- What can you do to prevent these types of attacks from happening in the future?
While some of these questions can be answered with network data, thoughtful endpoint data collection captures authentication, file system, process execution, and forensic artifacts that are critical across the entire incident response lifecycle.
How Rapid7 MDR services can help
Without detections on the endpoint, it’s challenging for analysts to correlate behaviors and anomalous activity to decipher an insider from a malicious actor.
To put this into perspective, Rapid7’s Threat Report identified that the end user continues to be the favorite prey for attackers: 96% of Rapid7’s MDR Findings Reports describe end user compromises, with 74% identifying compromised credentials. Fifty-one percent of the Findings Reports that did not involve credential compromises identified malware compromises.
Our Insight Agent securely streams endpoint data to our Insight cloud to run analytics detections. With close attention to running processes (especially parent-child relationships) and anomalous behavior on the asset, this produces faster and stronger detections and thorough incident investigations.
We also pair your team with an assigned Customer Advisor, who promptly notifies you of malicious findings. Rapid7’s MDR team triages any investigations so you are only alerted to the incidents that require action.