In TRUE’s 25 years of providing advanced Cybersecurity and Managed IT Services, we’ve seen a lot of networks. Our experts have engineered, managed, analyzed, assessed, pen tested, and remediated countless systems, both cloud and on-premises. During that time, the number of security incidents we have stopped and remediated to protect those networks, and the ways our pen testers have found to get around security controls, would blow your mind. (That’s why our Pen Testing Lessons Learned webinars are always so popular. Who doesn’t love a good war story?) The one thing we have learned across all of these experiences is that you really can’t afford not to monitor your environment. Period. No matter how many layers of security you implement, some bad actor out there will find a way in, and you need the ability to identify and respond to those incidents right away. Enter TrueMDR, a highly advanced Managed Detection and Response (MDR) solution. We are excited to announce this addition to our comprehensive suite of unified Security, Compliance, and IT managed services, available as an offering on its own or as part of a larger cybersecurity stack. In this week’s blog, Scott Williamson, TRUE’s Vice President of Information Services, explains what’s unique about our new proprietary service offering and why TrueMDR may be a game changer in your overall security strategy.
From the Desk of Scott Williamson, TrueMDR
What’s the Difference Between MDR, EDR, and SIEM?
First off, let’s define MDR: Managed Detection and Response. There is a lot of confusion on the market as to what MDR is, and how it differs from EDR (Endpoint Detection and Response) or SIEM (Security Information and Event Management). At its core, MDR is just EDR that’s managed by someone who knows what they’re doing, and is backed by a Security Operations Center (SOC) that can continuously monitor potential threats, 24x7x365. So, someone has a handle on your endpoints at all times. In contrast, SIEM meets the need for organizations to know everything that’s happening on their networks at all times; in other words, SIEM operates at the network level.
With TrueMDR, we’re basically pushing that centralized SIEM down to the endpoints where the action is beginning, catching incidents before they hit the network. This is a proactive way that we can neutralize, mitigate and fight off bad actors, and because TrueMDR includes trained analysts in the process, our solution stays one step ahead of any malicious activity that has been designed to wreak havoc on your network. To illustrate, I’ll dive into the genesis of MDR, the difference between signature and behavior-based threat detection, the “response” portion of our service, and the different steps we take to remediate an infected device.
The Evolution of Managed Detection and Response
Roughly 5 years ago, a new offering came out on the market called EPP (Endpoint Protection Platform). Up until that point, people were getting absolutely owned by attackers. Malware had evolved to maneuver around anti-virus solutions, and security researchers were working to figure out how and why that happened. EPP was, in essence, a black box for your computer, much like the black box in an aircraft or a boat: it records everything a machine is doing. This way, if there was a security incident, we would have something to look at to help us figure out how it happened and what the attacker did on that machine. Then, roughly 2 to 3 years ago, EDR (Endpoint Detection and Response) was introduced onto the market. EDR has all the same functions as EPP, but with the actual ability to stop what’s happening based on what the machine is doing. Still, EDR is typically just an automated process and lacks the intelligence of a human analyst who can access and correlate threat feeds or additional usage data to really understand what’s happening and respond appropriately.
Signature-based versus Behavior-based Solutions
The nice thing about EDR platforms is that they aren’t signature based. They look at how malware actually works and what it tries to do to get around the security built into Windows or Mac, and they flag a potentially harmful program. This information gives us the opportunity to look at the DNA and figure out if it’s good or bad. Unfortunately, because it does so much and isn’t as simple as matching a signature, a lot of analysis needs to go into alerts as they come up. You can set them in auto-protect mode, which is a great feature if that’s all you have available: if your EDR solution sees something that it even thinks is suspicious, it’s going to stop it right there. The problem that routinely pops up with most EDR platforms is that most companies have some kind of custom software that they’ve developed. Often, those custom programs aren’t written very well, and they try to execute privilege escalation and things of that nature. Of course, that kind of activity is going to set off an alert, so EDR is going to detect it as suspicious and stop it.
The Human Element is a Game Changer
When we deploy TrueMDR, we work to understand a client’s environment and any custom software that would necessitate a large number of exclusions, because most custom software just isn’t going to follow the proper guidelines, and you can’t have your EDR solution shutting down your operations every five minutes for activity that isn’t actually malicious. Your MDR solution has to be able to tell the difference between a nuanced environment and an attack. In fact, when we do Incident Response, the first thing we do is deploy TrueMDR to every single endpoint in scope. This gives us that black box capability in the context of the organization’s environment, which allows us to figure out what’s going on and identify any footholds in their network.
Management is Key
However MDR is being used, management of all the information gathering, analysis, and remediation processes (in other words, having an understanding of all the data it’s giving you) is a must. When we deploy TrueMDR, we get you set up with a 24/7/365 SOC that understands the tool, the data, and the threat landscape. That gives us the ability to draw from a wide variety of additional tools to inform our analysis, and that’s just a benefit of having a fully operational SOC. These tools validate what the automated part of the solution is trying to tell us, and sometimes they change your perspective on what you’re seeing. So, we can use all of the information together, effectively, and take the right corrective actions. When you just set everything to automate and let it run on its own, you don’t get that benefit. Sometimes you’ll get it right, and sometimes you’ll get it wrong.
The other part of the management aspect is doing agent upgrades. You aren’t going to get that with most solutions. Our management process includes connecting to an organization remotely whenever upgrades are available, upgrading the agents for you, and building in your exclusions. You have enough to worry about in your systems with regard to upgrades and patching. This is just something you can always rely on, and those processes are always going to happen on time. Of course, for our Guaranteed Networks managed IT clients, that’s a given they can always depend on.
The “R” Part of MDR – Response
In “Managed Detection and Response”, the “R” part is key. How can your organization respond to this incident? What can you do to fix it? TrueMDR has the ability to take a machine off the network. I can build policies that tell the MDR, “If you notice something bad on this machine and you don’t know if it’s good or bad, or you can confirm it’s bad, take it off the network.” It will send a command to the agent and shut down the TCP/IP stack on that machine. It won’t shut the machine down completely, which is crucial on our end: there’s valuable information sitting in RAM, and we can open a PowerShell session into that machine and start remediating. It’s worth noting here that when we take a machine off the network, it blocks everything except its reporting into the control panel. If we feel it’s good enough to go back on the network, we can reactivate it, remove the shun, and the device will go right back to work.
Restore Capabilities With VSS Shadow Broker
The next major advantage of our TrueMDR solution is its ability to help you restore an infected machine back to a known good state. Your typical solution isn’t going to do that for you. When you have a device that has been infected, your first thought is that you are going to have to wipe the whole machine and lose everything that was on it. With a restore capability, that just isn’t the case, so you’re not going to lose all of your productivity for some unknown amount of time and have major gaps in daily operations due to the incident.
Is the device permanently damaged due to the initial malware infection? The answer is no. When you install TrueMDR, it becomes the VSS Shadow Broker of that machine. Here’s where that concept originates. If I enable shadow copies on my Windows machine, then when I make changes to files, Windows will keep a copy of the original in a hidden spot and use a shadow broker to create those shadow copies. What the bad guys learned is that when they were infecting machines, if they didn’t hit the shadow copies too and delete those as well, it didn’t do them much good. Companies would simply restore their shadow copies and ignore any ransom demands. Now, the first thing modern malware will do is wipe out all of the shadow copies in your network. The newer stuff also goes to your backup servers and starts encrypting them. To help you mitigate this risk of losing everything and being held hostage by your attackers, TrueMDR has its own, separate shadow broker for Windows machines. When you install TrueMDR, it becomes a registered shadow broker. Anything that wants to touch the shadow copies has to go through TrueMDR, even an approved user who is allowed to take certain actions. In most cases, entry to the shadow copies will be denied, and they will have to seek additional/special access. What that means is extra protection for your organization to keep your assets secured, with a backup plan in place that lets you sleep at night.
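Two points from this post are easy to see side by side in code: the earlier section’s contrast between signature-based and behavior-based detection, and this section’s observation that shadow-copy deletion is the tell-tale first move of modern ransomware. The following is an added example written for this post, not TrueMDR’s code or its detection logic. It runs a hash signature list and a small set of behavior rules (shadow-copy tampering, MITRE ATT&CK T1490) over constructed process-creation events, and it models the exclusion idea from the “Human Element” section by suppressing behavior alerts whose parent process is an allow-listed backup tool. The hashes, hostnames, paths and the backup tool are all constructed placeholders.

```python
"""Signature vs behavior detection over constructed endpoint process events.

Added example for illustration only; event format, rules and exclusions are
assumptions, not TrueMDR's implementation.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str          # path of the executable that started
    parent_image: str   # path of the process that started it
    sha256: str         # hash of the executable (constructed values below)
    command_line: str


# Signature feed stand-in: hashes of samples already seen. A recompiled or
# repacked dropper gets a new hash and silently falls through this check.
KNOWN_BAD_SHA256 = {"c0ffee" * 10 + "cafe"}  # constructed placeholder hash

# Behavior rules: named regexes over the command line. The first two describe
# the shadow-copy wiping the text talks about; the third is storage shrinking,
# which has the same effect of destroying restore points.
BEHAVIOUR_RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion_wmi", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("shadow_storage_resize", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
]

# Exclusions built during onboarding: parents allowed to manage shadow storage.
# Constructed path for a hypothetical backup product.
EXCLUDED_PARENTS = {r"C:\Program Files\ExampleBackup\backupsvc.exe"}


def signature_hit(ev: ProcessEvent) -> bool:
    """Exact-match lookup: only catches samples that are already on the list."""
    return ev.sha256.lower() in KNOWN_BAD_SHA256


def behaviour_hits(ev: ProcessEvent) -> list:
    """Names of every behavior rule whose pattern matches the command line."""
    return [name for name, rx in BEHAVIOUR_RULES if rx.search(ev.command_line)]


def analyse(events) -> list:
    """Return one alert per event that trips the signature list or an
    unexcluded behavior rule. Excluded parents suppress behavior alerts only;
    a known-bad hash is never excused by an exclusion."""
    alerts = []
    for ev in events:
        reasons = []
        if signature_hit(ev):
            reasons.append("signature:known_bad_hash")
        if ev.parent_image not in EXCLUDED_PARENTS:
            reasons.extend("behaviour:" + name for name in behaviour_hits(ev))
        if reasons:
            alerts.append({"host": ev.host, "image": ev.image, "reasons": reasons})
    return alerts


# Constructed sample events (not real telemetry).
REAL_VSSADMIN_HASH = "deadbeef" * 8  # same binary in events 2 and 3
SAMPLE_EVENTS = [
    # 1. A sample the signature feed already knows about.
    ProcessEvent("WS-01", r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
                 r"C:\Windows\explorer.exe", "c0ffee" * 10 + "cafe",
                 r'"C:\Users\alice\AppData\Local\Temp\invoice.exe"'),
    # 2. A repacked dropper (unknown hash) wiping restore points via a
    #    legitimate Windows binary: only the behavior rule sees this.
    ProcessEvent("WS-01", r"C:\Windows\System32\vssadmin.exe",
                 r"C:\Users\alice\AppData\Local\Temp\invoice2.exe", REAL_VSSADMIN_HASH,
                 "vssadmin.exe delete shadows /all /quiet"),
    # 3. An admin listing shadow copies with the very same binary: benign.
    ProcessEvent("SRV-02", r"C:\Windows\System32\vssadmin.exe",
                 r"C:\Windows\System32\cmd.exe", REAL_VSSADMIN_HASH,
                 "vssadmin.exe list shadows"),
    # 4. The excluded backup service resizing shadow storage: rule matches,
    #    exclusion suppresses the alert.
    ProcessEvent("SRV-02", r"C:\Windows\System32\vssadmin.exe",
                 r"C:\Program Files\ExampleBackup\backupsvc.exe", REAL_VSSADMIN_HASH,
                 "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=20GB"),
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```

Events 2 and 3 share one hash and one image path; only the command line separates them, which is the whole argument for behavior-based detection over signatures. The exclusion in event 4 is also why the post stresses human tuning: without it, every nightly backup run would page the SOC.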
Summary of TrueMDR Capabilities
With each security incident, TrueMDR will execute the remediation by following these steps.
- Kill the Program: Whatever has been unleashed on your endpoint will be immediately stopped, including the program running it.
- Quarantine: Take the affected file, encrypt it, and move it to a different location, so that it can’t be executed.
- Sandbox: In the case of a quarantine, we have access to download and sandbox that file, drop it into a test environment, and see what happens when we execute it. Our analysts can then make a decision as to whether or not it is malicious, another key differentiator.
- Remediate: Delete the quarantined file, and any files that it has touched will also be removed.
- Rollback: A machine that has been infected and compromised will be rolled back through shadow copies to its pre-infected state.
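The “Quarantine” step above is described as encrypting the file and moving it somewhere it can’t execute, and the “Sandbox” step depends on an analyst later getting the exact original bytes back. As an added example, not TrueMDR’s code, the following shows the essentials of such a quarantine store in Python: the suspect file is masked with a per-item random key (a keyed XOR stand-in for the product’s encryption; the point is defanging, not secrecy, which is why the key sits in the sidecar manifest next to it), stored under a non-executable extension with its SHA-256 and original path, and restored only if the hash still matches. The file name, vault layout and the `.qtn`/`.json` naming are assumptions.

```python
"""Quarantine and restore of a suspect file with an integrity-checked manifest.

Added example; the layout and masking scheme are assumptions, not TrueMDR's.
"""
import hashlib
import json
import secrets
import tempfile
from pathlib import Path
from typing import Optional


def _mask(data: bytes, key: bytes) -> bytes:
    """Keyed XOR: reversible, cheap, and enough to stop the bytes from being
    run or re-flagged while they sit in the vault. Not confidentiality."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def quarantine(path: Path, vault: Path) -> Path:
    """Move `path` into `vault` as <sha256>.qtn plus a <sha256>.json manifest
    recording the original location, size, hash and masking key."""
    data = path.read_bytes()
    sha = hashlib.sha256(data).hexdigest()
    key = secrets.token_bytes(32)
    vault.mkdir(parents=True, exist_ok=True)
    item = vault / f"{sha}.qtn"          # extension no loader associates with code
    item.write_bytes(_mask(data, key))
    item.with_suffix(".json").write_text(json.dumps({
        "original_path": str(path),
        "sha256": sha,
        "size": len(data),
        "key_hex": key.hex(),
    }))
    path.unlink()                        # the live copy is gone once the vault copy exists
    return item


def restore(item: Path, dest: Optional[Path] = None) -> Path:
    """Unmask a vault item and write it to `dest` (default: its original path),
    refusing if the recovered bytes no longer match the recorded hash."""
    manifest = json.loads(item.with_suffix(".json").read_text())
    data = _mask(item.read_bytes(), bytes.fromhex(manifest["key_hex"]))
    if hashlib.sha256(data).hexdigest() != manifest["sha256"]:
        raise ValueError("quarantined item does not match its manifest hash")
    target = dest or Path(manifest["original_path"])
    target.write_bytes(data)
    return target


def demo() -> dict:
    """Round-trip a constructed stand-in binary through the vault and report
    what a practitioner would check: removal, masking, faithful restore, and
    that a corrupted vault item is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        suspect = root / "invoice.exe"                      # constructed sample
        original = b"MZ" + secrets.token_bytes(4096)        # not a real PE, just bytes
        suspect.write_bytes(original)

        item = quarantine(suspect, root / "quarantine")
        stored = item.read_bytes()
        restored = restore(item, root / "restored.bin")

        # Flip the last stored byte and confirm restore now refuses it.
        item.write_bytes(stored[:-1] + bytes([stored[-1] ^ 0xFF]))
        try:
            restore(item, root / "restored2.bin")
            tamper_detected = False
        except ValueError:
            tamper_detected = True

        return {
            "original_removed": not suspect.exists(),
            "stored_differs": stored != original,
            "restored_matches": restored.read_bytes() == original,
            "tamper_detected": tamper_detected,
        }


if __name__ == "__main__":
    print(demo())
```

The manifest is what makes the later “Remediate” step auditable: the hash identifies exactly which artifact was deleted, and the original path is what lets a false positive be put back where it came from after the sandbox verdict.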
It’s also worth noting that all of our TrueMDR deployments are backed by a $1m guarantee. We know it works, and we’re willing to back it up. Trust me, your board will thank you for utilizing a guaranteed service.
What Organizations Benefit from a Good MDR Solution?
TrueMDR is a great fit for any organization with hopes of fighting off the bad guys. That isn’t relative to the size of your company, just your desire to protect your organization’s systems. Every size and type of organization that has endpoints and is serious about having a robust security program needs to be effectively monitoring their endpoints.
As attacks continue to become increasingly complex, we want to provide you with the tools to keep your network secure. We hope you will learn more about what it means to have trained experts monitoring your network 24/7/365 with behavior-based threat detection, delivered through our own Security Operations Center, located in the United States, following the strictest data residency guidelines, and run by our own trained security professionals.