With cybersecurity a top priority for lawmakers, one industry has decided to start pushing for change today. Insurance companies, tired of paying out costly cyber insurance claims, are requiring businesses to have Managed Detection and Response (MDR). This blog will examine the differences between MDR and traditional antivirus software and why MDR is a more effective solution for your business.
Key Differences Between Managed Detection & Response (MDR) and Traditional Antivirus
- Detection: Signature based antivirus needs updates to identify malware. But 35% of malware is unknown, so this solution has huge detection gaps. MDR is software installed on computers that analyzes behavior, giving it greater capabilities to identify malware not detectable by antivirus.
- Response: MDR has human threat hunters monitoring your IT systems 24×7. They act on your behalf to eliminate threats and provide a root cause analysis. Antivirus on the other hand sends email alerts to your IT team.
- Remediation: Attacks outside of business hours go un-noticed until IT reviews the alerts, giving hackers time inside your systems. This is why targeted attacks start Friday after hours while everyone is away.
- Capabilities: Antivirus has a narrow focus and is only concerned about the computer. MDR does the same, but also looks at the logs from your firewall, internal network, email service, and third-party applications.
- Investigation: MDR goes far beyond malware detection and can monitor things like impossible travel logins, connections passed through your firewall to malicious domains and IPs, and suspicious lateral movement on your network like ransomware.
- Ransomware: Antivirus might block ransomware if it knows the signature, but a great MDR can detect a process encrypting files, take a backup of that data, remove the ransomware from the system, and then restore the files from the backup.
Standard Features Your Managed Detection & Response (MDR) Should Include
- Complete Solution: All systems monitored 24x7x365. Malware removed until threats fully eliminated with a root-cause analysis. MDR is compatible with all versions of Microsoft Windows, Server, Mac, Linux, and mobile device operating systems.
- Breach Warranty Protection: $1,000,000+ breach warranty included to cover any out of pocket expenses caused by a data breach.
- Advanced Detection: Proven to block known threats, stop unknown threats based on behavior, has technology to eliminate ransomware, and ability to block fileless attacks such as malicious PowerShell scripts.
- Sandboxing: Unknown executables launch in an isolated sandbox to analyze processes before executing on computer.
- Server Lockdown: Identify running processes and applications on server, and nothing new can run on that server unless removed from lockdown mode. Very powerful to protect web servers from malicious attacks.
- Web Filtering: Computers have web traffic and downloads filtered to only allow work related information.
Advanced Features Your Managed Detection & Response (MDR) Should Include
- Phishing Protection: Monthly/quarterly phishing simulation against employees to train your team how to better spot phishing attacks.
- Email Security: Inbound and outbound email is scanned for malicious links and attachments. Attachments are detonated in isolated sandbox prior to opening on computer.
- Security Awareness Training: Quarterly/Annual security awareness training for all employees.
- Email Log Analysis: IP addresses accessing company email, impossible travel logins, and sent/received emails with malicious attachments or links are sent to the MDR provider for analysis.
- Firewall Logging: Websites and domains passing through your firewall are monitored by the MDR team.
- Network Detection & Response: Network traffic moving laterally between devices (on your network) is monitored for suspicious behavior.
- Zero-Trust Posture Checking: Devices cannot access company resources unless a minimum security baseline is established with the MDR provider. This powerful feature ensures devices have 100% compliance before it can access company data.
- Cloud Security: Microsoft Azure, Amazon AWS, and online code repositories are scanned 24×7 for top attack vectors including over privileged accounts and unsecure open ports.
- Device Control: Block external hard drives, prevent applications from being installed, and control physical hardware components like CD drives and Bluetooth adapters.
- Endpoint Encryption: Full disk encryption deployed to computers to prevent data theft from lost or stolen device.
- Third Party Logging: Ability to ingest logs from 3rd party providers like Duo, Okta, and Mimecast.
Real-World Examples of Enhancing Security by Standardizing with a Single MDR Security Vendor
By consolidating IT security vendors, the follow enhancements were unlocked which we can share the following stories:
- Impossible Travel Login: Mary in Accounting starts work at 8am PST and logged into her email, but 45 minutes later her email was logged in from Florida. This is an “impossible travel login” which an investigation proved was a malicious attack that bypassed MFA.
- Malicious Outbound Email: An email containing a link to a malicious website is sent from the CEO’s email to the accounting department. The MDR vendor detects the malicious link, pin-pointed the computer it came from, opened an investigation, and resolved the security threat on that device.
- Duo Password Spraying Attack: The MDR team receives from a password spray attack from Duo. An investigation is started, and it is discovered an IT team member opened an RDP port on a server on the internet which was resulting in the attack. The MDR vendor reports the incident, and the RDP port is closed, fully eliminating the threat.
- Outbound P2P Traffic: MDR team detected a connection from a file server doing encrypted outbound P2P traffic to an IP not known to be malicious. But outbound P2P traffic was out of character for this server, so an investigation was opened. It was determined an internal IT admin was utilizing the file server for personal purposes and syncing data from this system through a P2P application.
- The 2023 3CX Breach: You turn on your TV and learn of hackers gaining access to business computer systems through a 3CX vulnerability. Because you have an MDR, you can prove that your 3CX system was not breached. If you only had antivirus, you would not have the capabilities to determine if you were breached.
In conclusion, it is essential to protect your business from cyber threats. But where most companies go wrong is they hire multiple IT security vendors, delivering a clunky solution that doesn’t scale and creates IT headaches and inefficiencies. If you want to win in the game of cybersecurity, start by consolidating your IT security vendors and take baby steps to implement a great MDR solution for your business.