MDR works by integrating a security platform with analytics and expert-led services to provide threat detection and response recommendations across cloud, hybrid and on-premises environments and different endpoints. It identifies all assets, profiles their risks, and then collects activity information from logs, events, networks, endpoints and user behaviour.
Threats and vulnerabilities observed in the wild are researched and codified so that the MDR provider recognises them quickly when they appear. MDR analysts then validate incidents 24/7, escalating critical events and providing recommended response actions to remediate threats.
In contrast, many enterprises deploy Security Information and Event Management (SIEM) solutions that collect logs and event data produced by applications, devices, networks, infrastructure and systems, producing analysis and security alerts while providing a holistic view of the organisation's IT infrastructure. SIEM solutions can reside in any cloud environment.
“SIEM solutions attempt to analyse threats on a rules-based engine and therefore focus on known threats,” says Kho. “MDR expands on this to ingest additional data from different network endpoints on top of the network logs. So SIEM solutions are another security application sitting beside the telemetry data being monitored for their security operations.”
According to Kho, MDR introduces a much broader, big data architecture to harvest information from endpoints, leaving SIEM solutions to monitor more events and process alerts.
Kho emphasises that MDR will not displace SIEM solutions in the enterprise. “In a typical security monitoring platform, SIEM will coexist with MDR but evolve to incorporate machine learning analytics in its arsenal. So, it will go beyond the use case rules engine that currently predominates enterprise security monitoring processes.”
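To make the rules-engine versus analytics distinction concrete, the following is an added example (it is not code from the article, from Kho or from any MDR or SIEM product). It runs a SIEM-style correlation rule over constructed syslog lines and a simple per-host baseline check over constructed endpoint telemetry, then merges both into an escalation queue of the kind an analyst would validate. The log lines, host names, telemetry counts, thresholds and severity labels are all assumptions made for the example.

```python
import re
import statistics
from dataclasses import dataclass

# Constructed syslog-style lines standing in for what a SIEM ingests.
SIEM_LOGS = [
    "2024-05-01T10:00:01 host1 sshd[101]: Failed password for root from 203.0.113.7 port 4410 ssh2",
    "2024-05-01T10:00:03 host1 sshd[101]: Failed password for root from 203.0.113.7 port 4412 ssh2",
    "2024-05-01T10:00:04 host1 sshd[101]: Failed password for admin from 203.0.113.7 port 4415 ssh2",
    "2024-05-01T10:00:06 host1 sshd[101]: Failed password for root from 203.0.113.7 port 4418 ssh2",
    "2024-05-01T10:01:10 host2 sshd[202]: Failed password for alice from 198.51.100.9 port 5100 ssh2",
    "2024-05-01T10:01:15 host2 sshd[202]: Accepted publickey for alice from 198.51.100.9 port 5102 ssh2",
    "2024-05-01T10:02:00 host3 cron[303]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)",
]

# Constructed endpoint telemetry: child processes spawned by office applications
# per hour on each host over the last 12 hours (last element = current hour).
# Nothing in SIEM_LOGS mentions this activity, so a log rule cannot see it.
ENDPOINT_TELEMETRY = {
    "host1": [1, 0, 2, 1, 0, 1, 1, 0, 1, 0, 0, 14],
    "host2": [0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1],
    "host3": [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1],
}


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern  # must define a named group 'src' used for correlation
    threshold: int       # matching events from one source needed to raise an alert
    severity: str


# A codified "known threat": repeated SSH password failures from one source.
RULES = [
    Rule(
        "ssh_password_brute_force",
        re.compile(r"sshd\[\d+\]: Failed password for \S+ from (?P<src>\d+\.\d+\.\d+\.\d+)"),
        threshold=3,
        severity="high",
    ),
]


def run_rules(logs, rules=RULES):
    """SIEM-style correlation: count rule matches per source and alert on threshold."""
    alerts = []
    for rule in rules:
        counts = {}
        for line in logs:
            match = rule.pattern.search(line)
            if match:
                src = match.group("src")
                counts[src] = counts.get(src, 0) + 1
        for src, n in sorted(counts.items()):
            if n >= rule.threshold:
                alerts.append({"rule": rule.name, "source": src, "events": n, "severity": rule.severity})
    return alerts


def baseline_anomalies(telemetry, z_threshold=3.0):
    """Analytics-style check: flag hosts whose current hour departs from their own history."""
    findings = []
    for host, series in telemetry.items():
        history, current = series[:-1], series[-1]
        mean = statistics.mean(history)
        # Floor the spread at one event so a flat history does not turn a single
        # extra process into an infinite z-score (host3 above stays quiet).
        spread = max(statistics.pstdev(history), 1.0)
        z = (current - mean) / spread
        if z >= z_threshold:
            severity = "critical" if z >= 2 * z_threshold else "medium"
            findings.append({"host": host, "current": current, "z": round(z, 2), "severity": severity})
    return findings


def detect(logs=SIEM_LOGS, telemetry=ENDPOINT_TELEMETRY):
    """Run both detection layers over the same monitoring window."""
    return {"siem_alerts": run_rules(logs), "endpoint_anomalies": baseline_anomalies(telemetry)}


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def escalation_queue(results):
    """Merge both layers into one queue, most severe first, for analyst validation."""
    items = [dict(a, kind="siem_rule") for a in results["siem_alerts"]]
    items += [dict(f, kind="endpoint_baseline") for f in results["endpoint_anomalies"]]
    return sorted(items, key=lambda item: SEVERITY_ORDER[item["severity"]])


if __name__ == "__main__":
    for item in escalation_queue(detect()):
        print(item)
```

The rule catches the four failures from 203.0.113.7 because that pattern was written in advance; the spike of child processes on host1 never appears in the log feed, so only the endpoint baseline surfaces it, which is the gap the added telemetry and analytics are meant to close. In practice the baseline would be learned over a much longer window and per process family rather than from twelve hand-picked values.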