In this video, Wade Woolwine, director of managed services at Rapid7, breaks down the people, processes, and technology that make up the Managed Detection and Response (MDR) service. Highlights include:
To learn more about MDR at Rapid7, hear from one analyst on how he approaches threat hunting.
Managed Detection and Response is a managed service that we offer to Rapid7 customers that enables us to identify and validate known and unknown threats within our customer environments. I make that distinction because any MSSP out there will identify known threats. We all have access to the same threat intelligence and so on and so forth. However, those unknown threats are really what is going to land you on the front page of your local Times, that's going to cost you, financially and from a company reputation perspective. So, the threat methodologies that we employ are very specifically focused on identifying those unknown threats, keeping our customers' names out of the paper, and keeping their reputation pristine.
Thankfully, we were able to leverage a key piece of technology built by Rapid7 with InsightIDR to build upon, to deliver the MDR service to our customers. Being able to leverage user behavior analytics right out of the box, being able to leverage an endpoint agent and SIEM-like capability, really allowed us to build on top of that, implementing attacker-behavior analytics, implementing threat hunts to provide a great solution for identifying both known and unknown threats.
What we've done is built a small engineering team here in the Managed Services to really focus on extending that capability. We have a custom interface that allows us to look across all of our managed services customers. We have the ability to orchestrate the endpoint agents. We have the ability to go in and do custom searches and custom threat intelligence matches, and we've built a system to house all of our rules and threat intelligence and apply that consistently across all of our customers.
Once you sign up with MDR, that's immediately when Rapid7 starts holding your hand through the process. We want to make sure that the technology gets deployed in a way that we have maximum visibility into your environment as well as maximum availability of the information that you're already collecting. So, we have a deployment consultant that's going to be working with you in order to configure the system, in order to get the event logs filtering in, and in order to deploy that endpoint agent.
Once we have gotten the technology deployed, we really start the baselining phase of the monitoring service. Baselining is not just about making sure that the technology is working and the technology is generating meaningful events. It's also about understanding your critical users and your assets in the context of your business processes.
Once we have learned about your environment, once we've learned about your business, that's when we move into the compromise assessment. This is a really critical phase, for us. We don't want to onboard a customer just to find out that they are compromised. We want to diligently go through the evidence within your environment to identify that compromise before we move you into monitoring.
Once all that is done, we're going to move you into monitoring. You're going to meet your customer advisor. You're going to meet the SOC team, and, at a bare minimum, you're going to be speaking to us on a monthly basis, when we deliver the monthly reports and the threat reports. Realistically, about 90% of our customers speak to us on a weekly basis. Ultimately, it's up to your needs and your comfort level, how often you engage with us. We're not going to cap the number of phone calls. We're not going to cap the number of emails. We're not going to cap the number of meetings. We are here to make you successful.
The advantage of having all of our analysts in a single location, at a given time, is really that they can collaborate together. We have folks of varying skills, varying backgrounds, varying specialties, who all come together to help in the event of a breach.
Our Tier I SOC analysts are really focused on validating the high-fidelity, technology-generated alerts, the ones with very low false positives, the ones that are pretty straightforward to validate.
Our Tier II folks are going to be focused on the low-fidelity, technology-generated indicators, the ones that require some experience and some knowledge about the attackers and the customer environments, in order to go through that validation process.
Then, our Tier III folks are really going to be our specialists, our malware analysts, our deep forensics analysts, our network packet analysts.
The customer advisor also plays a critical role, not just in service delivery, but when we're in the heat of the moment, responding to a breach. They're the main point of contact for the customer. They are the main touch point. They are the person that speaks to the customer most regularly. Maintaining calm, maintaining technical accuracy in what they're reporting to customers, building that trust relationship, really is what allows us to drive these investigations to closure, quickly.
So, these teams really need to come together when there's a breach in the customer environment because those roles and responsibilities are critical. We need to be able to keep on monitoring. We need to be able to do the deep analysis. We need to be able to do the malware analysis, all at the same time, in order to stay ahead of the attackers, in order to stay ahead of the threat.
At the end of the day, the MDR service is here to help your business. We exist because your business is generating income, your business needs our help in order to keep its reputation, in order to prevent financial loss. So, understanding your business processes, understanding those critical users and assets, really allows us to tailor the service for your individual needs, and to meet your individual goals.