MDR Solutions

Chris Swagler | June 20th, 2023


Today’s companies frequently play defense while threat operators are already in their midst. According to research, a threat operator’s median dwell time (the time between infiltration and detection) went from 11 days in 2020 to 15 days in 2021. Some cyberattacks went undiscovered for up to 34 days, giving threat operators plenty of time and access to accomplish their goals. Numerous companies have had enough and have decided that the best defense is a solid offense. They’re putting money into managed detection and response (MDR), a service agreement in which a cybersecurity provider takes responsibility for analyzing threats and vulnerabilities across clients’ attack surfaces. An MDR solutions provider employs professional threat hunters to eliminate threats proactively and contain suspicious behavior before harm is done to the clients.

How MDR Solutions Shorten the Time from Intrusion to Detection

Here are a few examples of how MDR solutions are assisting companies in reducing the critical window between intrusion and detection.

MDR solutions place human eyes on targets to accelerate intrusion detection.

Intrusion detection and prevention systems can notify companies when suspicious activities are discovered. However, they lack the intuition and deep understanding of adversary TTPs that set experienced threat hunters apart. Without the human element, companies rely on software that can only generate alerts based on what it has previously been tuned to identify. The alerts can be inaccurate, resulting from mixed signals and false positives, and divert analyst attention from actual threats that must take precedence. Numerous companies don’t have enough staff to process every alert that comes in.

On the other hand, skilled analysts are never in question with MDR solutions; they’re simply part of the deal. As a result of this deep skill pool, MDR clients don’t have to relax their guard after hours, on weekends, or on holidays. Client companies often cannot control their own SOC analyst staffing levels, but MDR providers can control theirs. MDR providers also have complete control over the signal-to-noise ratio their analysts see. And they are not only reactive: they continually run proactive threat hunts on behalf of their clients.

MDR solutions offer a coordinated response to the increasing speed of intrusions.

In just a few years, the ransomware industry has grown into a sprawling criminal enterprise comprised of various players with different responsibilities, including ransomware gangs that deploy the payload, initial access brokers (IABs) who specialize in gaining network access, and access resellers who sell that access to criminals who want in on the action. Ransomware is often the ultimate payload that gets deployed, meaning there was a network breach at some point. However, that network breach doesn’t necessarily mean the same threat actors are deploying the ransomware. This division of labor has made attacks faster and more disciplined. For example, threat operators pounced on the chance when proofs of concept for the ProxyShell and ProxyLogon vulnerabilities were publicly disclosed in 2021. There were seven victims on the same day as the public disclosure.

That episode reflected how an easily exploitable and widespread vulnerability was jumped on very quickly by what people believe were initial access brokers. As ransomware-as-a-service grows, so does the MDR market, mainly because of the advantages of working directly with an MDR solutions vendor. The increased visibility of the attack surface gives MDR professionals the context to respond quickly to suspicious activity. Because an MDR solutions provider has a global clientele and a presence in different countries, if one client is attacked, the provider can inform all other clients that they may be at risk. Because MDR solutions providers have access to a vast amount of threat data, they can help clients prioritize the vulnerabilities or attack signatures that pose the highest risk to them.

MDR solutions collect multiple telemetry sources to accelerate the path from intrusion to detection.

Cybercriminals have many options due to the modern IT environment’s millions of endpoints, devices, applications, and other data sources. While improving companies’ efficiency, these assets also provide potential entry points and blind spots for threat operators to exploit. Many companies lack the tools and knowledge to identify and understand their blind spots on their own. When they do try, it’s frequently more of a game of whack-a-mole than the strategic, targeted crackdown the situation requires. This is another area where MDR provides a better alternative to the status quo.

For example, one cybersecurity company’s MDR solutions service uses patented methodologies to weave together a tapestry of data fed by numerous telemetry sources, including endpoint, firewall, email, identity, cloud, and network. It sends that insight to qualified specialists who know how to make sense of it all. The cybersecurity company claims that on an average day it processes about 31 billion security events and 358 million detections, resulting in an average of 367 instances that are subsequently reviewed by the team, of which 47 are escalated and one is an active threat. Speed of response is becoming increasingly crucial as threat operators diversify their toolkits and exploit companies’ legitimate capabilities to avoid detection. Ransomware criminals are moving quickly: based on the data, the median dwell time for ransomware threat operators is a little more than a week. Criminals are moving faster as cybersecurity companies improve detection with technologies including MDR and XDR.

They are moving not only rapidly but also deceptively, because most companies aren’t actively looking at how their own technologies are being abused. Instead, they focus on more egregious offenders like Cobalt Strike or Mimikatz, while attackers frequently use legitimate tools, including Microsoft binaries, and blend into the background. There are too many tools for clients to focus on just one or two: the cybersecurity company discovered 322 tools used by cybercriminals in the previous year’s investigations. However, with the ability to scan across many telemetry sources and a back bench of skilled professionals trained in reading between the lines, MDR solutions providers can detect attacks long before they would usually be detected.
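To make the two ideas above concrete (correlating several telemetry sources per host, and the funnel from raw events to detections to a handful of escalations), here is a small triage pipeline. It is an added example, not SpearTip’s or ShadowSpear’s code and not the methodology described above; the events, hosts, rule names and the "two independent sources must agree" escalation threshold are all constructed assumptions for illustration. The point it shows is that a single endpoint hit on a legitimate Microsoft binary is just noise until email or network telemetry on the same host corroborates it.

```python
"""Toy multi-telemetry triage pipeline (added example, not vendor code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    source: str   # telemetry source: endpoint, email, network, identity
    host: str
    user: str
    detail: str


# Constructed sample telemetry for one day. Hosts, users and domains are
# made up; ws-22 and ws-30 are benign background activity.
SAMPLE_EVENTS = [
    Event("email", "ws-17", "alice", "attachment opened: invoice.docm"),
    Event("endpoint", "ws-17", "alice", "winword.exe spawned rundll32.exe"),
    Event("network", "ws-17", "alice", "outbound https to unknown-domain.example"),
    Event("identity", "ws-17", "alice", "logon success"),
    Event("endpoint", "ws-22", "bob", "explorer.exe spawned chrome.exe"),
    Event("network", "ws-22", "bob", "outbound https to mail.example"),
    Event("endpoint", "srv-03", "svc-backup", "cmd.exe spawned rundll32.exe"),
    Event("identity", "srv-03", "svc-backup", "logon success"),
    Event("identity", "ws-30", "carol", "logon failure"),
    Event("identity", "ws-30", "carol", "logon failure"),
]

# Legitimate Windows binaries that attackers also abuse; on their own they
# are far too common to escalate, which is exactly the blind spot the
# article describes.
LOLBINS = {"rundll32.exe", "mshta.exe", "regsvr32.exe", "certutil.exe"}


# Each rule returns a detection label or None. Rule names are assumptions.
def rule_office_child_process(e):
    if e.source == "endpoint" and "spawned" in e.detail \
            and e.detail.startswith(("winword.exe", "excel.exe")):
        return "office_child_process"
    return None


def rule_lolbin(e):
    if e.source == "endpoint" and any(b in e.detail for b in LOLBINS):
        return "lolbin_execution"
    return None


def rule_unknown_egress(e):
    if e.source == "network" and "unknown-domain" in e.detail:
        return "egress_to_unknown_domain"
    return None


def rule_macro_attachment(e):
    if e.source == "email" and e.detail.endswith((".docm", ".xlsm")):
        return "macro_attachment_opened"
    return None


RULES = [rule_office_child_process, rule_lolbin,
         rule_unknown_egress, rule_macro_attachment]


def detect(events):
    """Run every rule over every event; one event may fire several rules."""
    hits = []
    for e in events:
        for rule in RULES:
            label = rule(e)
            if label:
                hits.append((e, label))
    return hits


def build_cases(hits):
    """Group detections into one case per host, tracking labels and sources."""
    cases = defaultdict(lambda: {"labels": set(), "sources": set()})
    for e, label in hits:
        cases[e.host]["labels"].add(label)
        cases[e.host]["sources"].add(e.source)
    return dict(cases)


def escalate(cases, min_sources=2):
    """Escalate only when at least min_sources independent telemetries agree."""
    return {h: c for h, c in cases.items() if len(c["sources"]) >= min_sources}


def triage(events):
    """Return the funnel: events -> detections -> cases -> escalations."""
    hits = detect(events)
    cases = build_cases(hits)
    escalated = escalate(cases)
    return {
        "events": len(events),
        "detections": len(hits),
        "cases": len(cases),
        "escalations": len(escalated),
        "escalated_hosts": sorted(escalated),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

On the constructed data, ten events yield five rule hits on two hosts, but only ws-17 is escalated: its rundll32 launch is corroborated by a macro attachment in email telemetry and egress to an unknown domain in network telemetry, whereas srv-03 shows the same binary with no supporting source and stays a low-priority case.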

SpearTip’s ShadowSpear Platform, an integrable managed detection and response tool, identifies suspicious behavior and potential threats even if they have not been previously detected and classified and there is no known signature (zero-day threats). Additionally, it provides access to extensive forensic data on endpoint devices, allowing security teams to understand what happened on the endpoint and how to counter the threat. ShadowSpear proactively locates threats and either responds to them automatically or provides security analysts with actionable information to contain the threat. ShadowSpear’s Identify module enables an organization to detect advanced and unknown threats. With day-one detections, Identify comes pre-tuned to recognize the latest attacks based on machine learning and attack tactics, techniques, and procedures. The interface provides a single pane of glass for all events, with the ability to create custom dashboards, queries, and filters. Identify is supported by SpearTip’s Security Operations Center on a 24/7 basis.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
