Last updated at Tue, 25 Jul 2023 23:14:15 GMT

This blog post is part of an ongoing series about evaluating Managed Detection and Response (MDR) providers. For more insights, check out our guide, “10 Things Your MDR Service Must Do.”

This is possibly the most overlooked aspect of selecting an MDR partner. But when you get to a hair-on-fire, all-hands-on-deck moment, you’ll be glad you don’t have to live out this meme.

In the Gartner article, “How and When to Change Your Managed Security Service Provider,” the point is made plainly: “You can outsource the tactical work of security, but not the responsibility, liability, and accountability.”

Having the best threat detection methodologies, a streamlined and efficient process for validating threats, and a rock-solid reporting standard can still leave you exposed to unexpected costs.

For example, what happens when attackers breach your environment despite all the security controls, such as next-generation AV and modern firewalls, that make up your defense-in-depth approach?

This goes far beyond the typical alert investigation and guidance your MDR provider offers, where they investigate and write up an incident findings report. And, in this case, any use of managed response capabilities would essentially be playing hacker whack-a-mole.

We’re talking something like:

  • Evidence of previously unknown attacker activity
  • Evidence of attacker activity expanding to affect multiple endpoints
  • Evidence of lateral movement, data exfiltration, or staging

At this point, you need more help than most 24x7 security operations MDR services can provide. And with every passing second, the attacker has direct access to your environment.

Now, some MDR providers will say they can help, but this is about more than simply offering support (many vendors will claim they do). It really comes down to how they’ll support you, and where they draw the line between what they can do themselves and when you’ll need outside help from a vendor who may not be familiar with your environment, people, or processes.

The last thing you expect to hear from your MDR provider after, “You have been breached,” is, “So, you’ll have to pay us, or someone else, to continue the investigation and get the attacker out.”

The most obvious option would be to purchase an Incident Response (IR) Retainer from a vendor with extensive consulting experience handling breaches. This may be required by your company’s cyber insurance policy. Other reasons may include third-party legal counsel or internal compliance requirements.

These retainers are typically priced on a time-and-materials (T&M) basis at $400 to $500 per hour. The costs add up quickly, as most IR engagements can take 60–80 hours, which at those rates works out to roughly $24,000 to $40,000 for a single engagement.

Having an MDR provider may help reduce the number of incidents for which you need to use an IR retainer, but it’s not a replacement for one. Many times, the MDR provider will require you to obtain that retainer from another third-party vendor that specializes in breach response, since IR specifically is not a core capability within MDR.

The challenge with this approach is that the team handling IR needs to get up to speed on your environment. Bringing yet another third party up to speed is frustrating and costs valuable time. And since it’s billed on T&M, the cost isn’t predictable as the scope grows.

We’d recommend asking your prospective or current MDR provider, “If I’m breached, do your staff have the IR breach-response expertise to help me?” Some will. Others may quote an additional cost, yet outsource it behind the scenes to an external third-party partner. Again, bringing a third party in can cost you valuable time while the breach continues, and can add cost for the kickoff call, knowledge transfer, and provisioning access to logs and the environment.

But it’s not only that a team that knows your environment speeds up the response; it’s also the team’s ability to collect and analyze evidence quickly. If they have to obtain access to your tools, you’re relying on their expertise with that specific stack, and on that stack having the relevant information and response capabilities needed to handle the incident at hand. The alternative is that the third-party IR team has you deploy their tooling (for example, Velociraptor) in your environment. Depending on your stack and your IT team’s bandwidth, that’s an additional lift and more pain and delay.

So what should you look for?

The best MDR partners will bundle IR hours (some are even unlimited!) to assist you with breach response 100% in-house, with experts at the same level as the IR consultants you’d get after purchasing a retainer. This type of provider is more of a partner than a transactional, service-oriented relationship. Having an in-house team of IR experts at your MDR provider speeds up the process, because the same team that monitors your environment can pivot into IR mode immediately. No time is lost when minutes are critical.

Additionally, and perhaps unsurprisingly, knowledge of the environment usually doesn’t include knowledge of the people and processes. An MDR team that has built relationships with your internal security and IT teams can draw on that “tribal” knowledge to further accelerate containment and eradication of the threat, and to make tailored strategic and tactical recommendations to assist with mitigation, recovery, and ongoing monitoring.

How Rapid7 MDR can help

At Rapid7, we think of our Managed Services customers as more than customers: you’re our partners. It’s our commitment to help you protect your business from attackers and breaches.

That’s why we include unlimited on-demand Remote Incident Response (RIR) hours in every MDR contract, just in case something happens. These engagements can often run longer than even our typical IR engagements!

Remote Incident Response (RIR) is a remote technical process, handled by the Managed Services SOC, that’s triggered when a breach occurs. Rapid7 will fully investigate the scope, impact, and root cause of an incident, while working hand-in-hand with the customer to contain and eradicate the threat.

In fact, we combined our MDR team with our IR team to ensure that all customers get the deepest incident response expertise in the event an attacker gets past their current security controls, including our MDR service.

Luckily, only 3% of the findings reports we produce (actual threats found) end up becoming RIR engagements. To put it in perspective, only 0.1% of the millions of alerts our team investigates warrant a findings report. The rest are false positives, benign alerts, or expected behavior that still needs to be investigated but isn’t cause for concern.

In a given year, only one customer has used more than one RIR. Most repurpose their additional RIRs for purple team exercises that test MDR as a security control against their annual pentest.

So, even if it’s rare to use an RIR, customers love that they have the confidence that if there is a breach, we’ll be there as a trusted partner to take it from end-to-end.

Learn more about Rapid7’s Managed Detection and Response (MDR) service and solutions here. And be sure to check out the other posts in this series here!