Managed Detection and Response – How to stay safe in three acts
Patricia Bleiker | August 31, 2020
Open Systems designed a scalable Managed Detection and Response (MDR) service that combines a holistic overview of our customers’ threat landscape, advanced automated threat detection, and human intelligence.
MDR in three manageable steps:
- Collection
- Detection and Investigation
- Response
Let’s walk through what this looks like for an Open Systems customer.
At the collection stage, log data is aggregated from various systems essential to the reliability of SOC operations.
- SASE systems: firewalls, secure web gateways, routers, remote access systems, and various cloud platforms (e.g. AWS, O365, SAP, Salesforce)
- Context log data such as user authentication logs (Active Directory), DHCP or DNS servers, etc.
- Customer-relevant log data
Any data originating from one of the deployed Open Systems devices, in over 180 countries, is pulled indirectly into the Open Systems Data Platform (OSDP*). This allows us to continuously monitor the availability of log data streams and ensures end-to-end encryption to protect your data's integrity and confidentiality. From the OSDP*, data is pulled into the customer’s Azure Sentinel instance. Data originating from a third party or cloud system is pulled directly into Azure Sentinel using one of the many readily available connectors, syslog, or an API.
Once the data is in Azure Sentinel, we move on to the Detection and Investigation stage.
*Note: referred to as DPP in the Lightboard Lesson.
Detection and Investigation
When the log data resides in Azure Sentinel, you can directly interact with that data, which remains in your ownership at all times. For detection and investigation, Open Systems brings in a proprietary automation framework that performs continuous correlation, detection, and alerting based on your Azure Sentinel instance.
Threat intelligence is one of the modules that the automation framework leverages. As part of a two-tier operations center, Open Systems Security Analysts operate and frequently tune threat intelligence. The Security Analysts also perform manual threat hunting directly on your data in Azure Sentinel. They are your main contacts for all matters around the Open Systems MDR service. They are assigned to work with contacts of your choosing and are knowledgeable about your infrastructure, topology, and processes. The Security Analysts meet regularly with you to discuss the evolution of your MDR service and work directly with you when responding to an incident, on a case-by-case basis.
As soon as there is an incident, the MDR framework automatically creates a ticket in the Open Systems Customer Portal. This ticket is your primary channel of communication for the incident. It contains context and valuable information to support the response to the alert. The Security Engineers in tier 1 of the SOC respond 24x7 to these tickets. They are in continuous and close contact with the Security Analysts to ensure smooth escalation of any critical incident.
Response
Response comes in a variety of forms. These range from automated filtering of false-positive alerts to direct Mission Control action on your environment and collaboration with your team when advanced threat scenarios are in progress. As a customer, you can choose the level of interaction with the MDR service that suits your preferences and fits your needs.
Open Systems MDR protects your organization by filtering out the noise to identify threats, small and large, that could potentially cripple your business.
Watch the Lightboard Lesson video and learn how Managed Detection and Response can help you defend against cyberattacks.