Putting the R in MDR

How We Put the 'R' in MDR

November 28, 2022

Quadrant has had the ability to stop attacks at the network level for many years. For example, when configured to do so, Quadrant can send block requests to your perimeter network equipment, a feature that has been part of our normal Intrusion Prevention System (IPS) offering for a long time.

Over the past year, we’ve also been hard at work developing the capability to reach into an endpoint through its Endpoint Detection and Response (EDR) tool to stop an attack. As of today, we can integrate with both Microsoft Defender and SentinelOne, with more integrations on the horizon.

What does this mean and why is it important? 

This means that our Security Operations Center (SOC) can block or quarantine endpoints, halting an active attack by isolating an endpoint that has been infected or compromised. Realistically, most Endpoint Detection and Response systems can do this automatically! We see EDR tools like Microsoft Defender and SentinelOne as an extension of our core abilities.

At Quadrant, we collect data from many different data sources, with EDR simply serving as another pool of inputs. While it’s an important data source, the best security practice is to layer security, with endpoints residing at one layer.  

While we’ve long been able to collect valuable data from most EDR tools, it’s the ability to leverage the EDR’s “R” (Response) capability that has us most excited.

Let’s take a look at an example...

By default, if an EDR tool sees malicious software, it’s going to attempt to contain it. It may mitigate malicious software in several ways, such as killing the malicious process or quarantining the entire machine.

But what if the attack is more subtle? For example, an FTP process attempts to exfiltrate sensitive data. This is a common tactic used by ransomware groups like “Black Basta” as part of a double extortion scheme and ransomware campaign, and one that we’ve personally seen in the wild and stopped.

The use of FTP isn’t necessarily a malicious act, but it is something our Packet Inspection Engine (PIE) sensors can alert on, and those alerts are seen by our SOC 24/7.

In the example, let’s say the FTP traffic is determined by Quadrant SOC analysis to be malicious. Using the EDR tool, the SOC analyst can pivot to the endpoint and put a stop to the attack.

The basic premise is that we leverage data from many different sources (logs, packets, EDR) to make informed decisions. We can then use your EDR tool as part of the Quadrant response to stop attacks. We aren’t relying on just one technology to determine threats; we are using multiple sources. Your EDR gives us access to valuable data while also letting us act on threats. Today, we can take action on malicious activity via our integrations with Microsoft Defender and SentinelOne. If you currently use one of these platforms, we would love to show you our response capabilities.
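The workflow described above, sketched as an added illustration (this is not Quadrant’s code, and the alert format, the host inventory and the `EdrClient` interface are constructed for this example rather than taken from any real sensor or EDR API): network-sensor FTP alerts are parsed, outbound volume to external hosts is totalled per source, the result is left for analyst review, and only analyst-confirmed sources are handed to the EDR for quarantine. It also covers the case where a flagged source has no endpoint mapping, so the response has to fall back to the network layer.

```python
"""Correlate packet-sensor FTP alerts with an endpoint quarantine step.

Added illustration only. Alert lines, host inventory and EdrClient are all
constructed for this example; real EDR products expose their own APIs.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample alerts in the style of a packet-inspection sensor.
# Fields: timestamp sensor proto src_ip dst_ip bytes_out filename
SAMPLE_ALERTS = """\
2022-11-28T14:02:11Z pie-01 FTP 10.20.30.41 203.0.113.77 524288000 finance_q3.zip
2022-11-28T14:03:05Z pie-01 FTP 10.20.30.41 203.0.113.77 734003200 hr_records.7z
2022-11-28T14:05:40Z pie-02 FTP 10.20.30.55 10.20.10.5 1048576 build.log
2022-11-28T14:06:12Z pie-01 FTP 10.20.30.62 198.51.100.9 2048 readme.txt
2022-11-28T14:07:30Z pie-02 FTP 10.20.30.99 203.0.113.5 200000000 backup.tar
"""

# Constructed EDR inventory: internal IP -> endpoint identifier (hypothetical).
HOST_INVENTORY = {
    "10.20.30.41": "WS-FIN-041",
    "10.20.30.55": "WS-DEV-055",
    "10.20.30.62": "WS-OPS-062",
}

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXFIL_BYTES_THRESHOLD = 100 * 1024 * 1024  # 100 MiB to one external host


@dataclass
class FtpAlert:
    ts: str
    sensor: str
    src_ip: str
    dst_ip: str
    bytes_out: int
    filename: str


def parse_alerts(text):
    """Parse the constructed sensor format; non-FTP lines are ignored."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, proto, src, dst, nbytes, fname = line.split()
        if proto != "FTP":
            continue
        alerts.append(FtpAlert(ts, sensor, src, dst, int(nbytes), fname))
    return alerts


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def suspicious_sources(alerts, threshold=EXFIL_BYTES_THRESHOLD):
    """Total outbound FTP bytes per (src, dst) pair where dst is external.

    Returns only pairs at or above the threshold; internal transfers are
    never counted, which is why plain FTP use on its own is not flagged.
    """
    totals = defaultdict(int)
    for a in alerts:
        if is_external(a.dst_ip):
            totals[(a.src_ip, a.dst_ip)] += a.bytes_out
    return {pair: total for pair, total in totals.items() if total >= threshold}


class EdrClient:
    """Hypothetical EDR interface that only records the actions requested."""

    def __init__(self):
        self.actions = []

    def quarantine(self, endpoint_id, reason):
        self.actions.append(("quarantine", endpoint_id, reason))
        return True


def respond(flagged, inventory, edr, confirmed):
    """Act only on sources an analyst has reviewed and confirmed.

    flagged:   output of suspicious_sources()
    confirmed: set of source IPs the analyst judged malicious
    Returns one decision record per flagged (src, dst) pair.
    """
    decisions = []
    for (src, dst), total in sorted(flagged.items()):
        record = {"src": src, "dst": dst, "bytes": total}
        if src not in confirmed:
            record["action"] = "awaiting_analyst_review"
        elif src not in inventory:
            # No endpoint to pivot to: leave this for a network-level block.
            record["action"] = "no_endpoint_mapping"
        else:
            endpoint = inventory[src]
            edr.quarantine(endpoint, f"analyst-confirmed FTP exfiltration: {total} bytes to {dst}")
            record["action"] = "quarantine"
            record["endpoint"] = endpoint
        decisions.append(record)
    return decisions


if __name__ == "__main__":
    flagged = suspicious_sources(parse_alerts(SAMPLE_ALERTS))
    client = EdrClient()
    for d in respond(flagged, HOST_INVENTORY, client, confirmed={"10.20.30.41", "10.20.30.99"}):
        print(d)
```

The `confirmed` set is the deliberate gap between detection and response: the sensor surfaces the transfer, but nothing is quarantined until a human has looked at it, which matches the analyst pivot described above.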

Not a Microsoft Defender or SentinelOne user? We are looking to expand our capabilities to CrowdStrike and Carbon Black by early 2023. If you’re a user of one of these platforms, please let us know.

Quadrant is Looking Ahead...

Endpoint is so important to the Quadrant strategy that over a year and a half ago we started building our own. Why? Because we see “Endpoint as a Service” (EaaS) as a game-changer for our customers’ security posture. Imagine an EDR solution that integrates so tightly with the SOC process that it allows not only “Response” but “Remediation.” Imagine having an EDR you no longer have to manage and that sits under one cybersecurity umbrella. This tool will be available soon, and we would love the opportunity to speak to you about it!

In the meantime, check out our MDR Overview to see how Quadrant is helping shape an exciting new market direction.
