MDR use cases: Speeding up the time from intrusion to detection and response


Companies today are frequently playing defense when the enemy is already in their backyard. According to data provided by cybersecurity vendor Sophos, the median dwell time for an attacker — the time between intrusion and detection — increased from 11 days in 2020 to 15 days in 2021. Some intrusions went undetected for as long as 34 days, giving adversaries ample time and access to achieve their objectives.

Many organizations have had enough, and are now adopting the mindset that the best defense is a good offense. They’re investing in managed detection and response (or MDR), a service agreement in which a cybersecurity provider assumes responsibility for investigating threats and vulnerabilities in a customer’s attack surface. The MDR provider employs professional threat hunters who can proactively eliminate threats and contain suspicious activity before damage is done to the customer.

How MDR speeds up intrusion to detection

Here are just a few of the ways MDR is helping organizations shorten the critical window between intrusion and detection.

MDR puts human eyes on the target to speed up intrusion to detection

Intrusion detection and intrusion prevention systems can alert organizations when suspicious activity is detected, but they lack the intuition and nuanced understanding of adversary TTPs that put professional threat hunters in a league of their own. Without the human element, organizations are putting all their faith in software that can only generate alerts for what it has already been tuned to detect, nothing more. Those alerts may also be inaccurate, the product of mixed signals and false positives, and ultimately distract analysts from the true threats that should take precedence.

Many organizations simply lack the personnel to make sense of every alert that comes through. With MDR, however, skilled analysts are never up for debate; they’re simply part of the package. And because of this deep talent bench, MDR customers don’t have to let their guard down after working hours or on weekends and holidays.

“While we don’t have control over what the customer’s staffing levels are for their SOC analysts, for ourselves we absolutely do,” says Andrew Mundell, Principal Solutions Engineer at Sophos. “And what that means is we can control exactly what that signal-to-noise ratio is for our own analysts. We are not just reactive. We’re constantly performing proactive threat hunts on behalf of our customers.”

MDR provides coordinated response to speed up intrusion to detection

In just the last couple of years, the ransomware industry has ballooned into a sprawling criminal enterprise made up of different players with varying responsibilities — ransomware gangs deploying the payload, initial access brokers (or IABs) who specialize in gaining access to the network, and resellers of that access to criminals looking to get into “the game”.

“Ransomware is often the ultimate payload that gets deployed,” says John Shier, Senior Security Advisor at Sophos. “That means there was a network breach at some point, but that network breach does not necessarily have to be the same set of threat actors that are deploying the ransomware.” 

We’ve already seen the consequences of the speed and disciplined coordination this division of labor makes possible. For example, on the very same day that proofs of concept were publicly disclosed for the ProxyShell and ProxyLogon vulnerabilities back in 2021, cybercriminals wasted no time in jumping on the opportunity.

“We saw seven victims fall that same day, the very day of the public disclosure,” says Shier. “It was very reflective of how a vulnerability that is easily exploitable and quite ubiquitous got jumped on really quickly by what we think were initial access brokers.”

But even as ransomware-as-a-service continues to grow, so too does the MDR market. That’s in large part due to the many benefits that working closely with an MDR vendor provides. Improved visibility of the attack surface gives MDR specialists the context needed to respond immediately to suspicious activity. A global clientele and an operating presence in multiple countries mean that if any one customer is attacked, the MDR provider can alert all other customers that they may be in danger. And because they have access to a massive amount of threat data, the MDR provider can help customers prioritize the vulnerabilities or attack signatures that pose the greatest danger to the business.

MDR ingests multiple telemetries to speed up intrusion to detection

The millions of endpoints, devices, applications, and other data sources comprising the modern IT environment leave cybercriminals spoiled for choice. As much as these assets enable greater business efficiency, they also create potential entry points and blind spots for attackers to exploit. 

Many organizations aren’t outfitted with the right mix of tools and expertise to discover and make sense of these blind spots on their own. And when they do, it’s often more a case of whack-a-mole than the strategic, targeted clampdown the situation truly merits.

But that’s another instance where MDR offers a superior alternative to the status quo. The Sophos MDR service, for example, uses proprietary techniques to pull together a tapestry of data fed by multiple telemetries — endpoint, firewall, email, identity, cloud, network — and relays that intelligence to skilled specialists who know how to make sense of it all. 

On a typical day, Sophos says it processes around 31 billion security events and 358 million detections, resulting in an average of 367 cases that are then investigated by the team — which typically include 47 escalations and one active threat.

According to the company, “leveraging cross-environment telemetry in this way helps Sophos MDR to detect and neutralize threats faster than anyone else. Our average threat response time is just 38 minutes, which is considerably faster than other security vendors and more than five times quicker than even the speediest in-house team.”

That speed of response is increasingly essential given that attackers have diversified their toolkits and started leveraging organizations’ own legitimate tools to escape detection.  

“The fact is that these ransomware criminals are moving quickly,” says Shier. “From our data, what we see is that the median dwell time for a ransomware attacker is a little over a week. As we [at Sophos] are getting better at detection with things like MDR and XDR, it's causing criminals to move more quickly.” 

Not just quickly, but deceptively. As Shier puts it, most organizations aren’t actively looking at how their own tools are being abused, but are directing all their focus on more flagrant offenders like Cobalt Strike or Mimikatz.

“The flipside of all this is that they’re often using legitimate tools, Microsoft binaries and those kinds of things. They blend in the background, and there's just too many tools [for customers] to key in on just one or two of them. Case in point: Sophos found 322 different tools in last year's investigations that were used by criminals.”

But with the ability to scan across many telemetries, and a back bench of skilled specialists trained in reading between the lines, MDR providers do have that capacity to sniff out attacks long before they’d ordinarily be noticed. 
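To make the cross-telemetry idea concrete, here is an added illustration (not Sophos code, and not a description of how the Sophos MDR service works internally): a toy correlator run over constructed detections from email, endpoint, identity and firewall feeds. The hostnames, timestamps and detection texts are invented. Each signal on its own is low severity and would blend in, which is the point Shier makes about legitimate tools; grouped by host within a time window and triaged on how many independent feeds corroborate each other, the chain on WS-17 is escalated while the isolated signals on the other two hosts are only monitored.

```python
"""Toy cross-telemetry correlator (added example, not vendor code).

Groups detections from several telemetry feeds into per-host cases and
escalates only those corroborated by more than one independent feed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Detection:
    source: str       # telemetry feed: endpoint, identity, firewall, email, ...
    time: datetime
    host: str         # pivot key shared across feeds (hypothetical hostnames)
    summary: str
    severity: int     # 1 = low (blends in on its own), 3 = high


# Constructed sample detections, not real telemetry. WS-17 carries a chain of
# low-severity signals that only mean something together; WS-42 and SRV-03
# each carry one isolated signal of the same kind.
SAMPLE_DETECTIONS = [
    Detection("email", datetime(2022, 3, 1, 9, 2), "WS-17",
              "Attachment from first-seen external sender opened", 1),
    Detection("endpoint", datetime(2022, 3, 1, 9, 4), "WS-17",
              "Built-in Windows utility launched by document reader process", 1),
    Detection("identity", datetime(2022, 3, 1, 9, 9), "WS-17",
              "Account added to local administrators group", 2),
    Detection("firewall", datetime(2022, 3, 1, 9, 12), "WS-17",
              "Outbound connection to destination never seen from this subnet", 1),
    Detection("endpoint", datetime(2022, 3, 1, 10, 30), "WS-42",
              "Built-in Windows utility launched by document reader process", 1),
    Detection("firewall", datetime(2022, 3, 1, 14, 0), "SRV-03",
              "Outbound connection to destination never seen from this subnet", 1),
]


def build_cases(detections, window=timedelta(minutes=30)):
    """Group detections per host into cases; a gap longer than `window`
    between consecutive detections starts a new case for that host."""
    by_host = defaultdict(list)
    for d in sorted(detections, key=lambda d: d.time):
        by_host[d.host].append(d)
    cases = []
    for dets in by_host.values():
        current = [dets[0]]
        for d in dets[1:]:
            if d.time - current[-1].time > window:
                cases.append(current)
                current = []
            current.append(d)
        cases.append(current)
    return cases


def triage(case, min_sources=2):
    """Escalate when independent feeds corroborate each other on one host,
    or when any single detection is already high severity; otherwise monitor."""
    sources = {d.source for d in case}
    top = max(d.severity for d in case)
    if len(sources) >= min_sources or top >= 3:
        return "escalate"
    return "monitor"


def run(detections):
    """Return {host: verdict}, keeping the strongest verdict per host."""
    verdicts = {}
    for case in build_cases(detections):
        host = case[0].host
        if verdicts.get(host) != "escalate":
            verdicts[host] = triage(case)
    return verdicts


if __name__ == "__main__":
    for host, verdict in run(SAMPLE_DETECTIONS).items():
        print(f"{host}: {verdict}")
```

The two knobs a real service would tune are the correlation window and the number of corroborating feeds required; here the single endpoint detection on WS-42 is identical to the one on WS-17, and only the surrounding email, identity and firewall context tips the latter into an escalation.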

Daniel Thomas

Daniel Thomas is a technology writer, researcher, and content producer for CyberRisk Alliance. He has over a decade of experience writing on the most critical topics of interest for the cybersecurity community, including cloud computing, artificial intelligence and machine learning, data analytics, threat hunting, automation, IAM, and digital security policies. He previously served as a senior editor for Defense News, and as the director of research for GovExec News in Washington, D.C.
