Endpoint Detection and Response (EDR) has been the foundational technology of effective detection and response programs for many years, providing security teams with unparalleled visibility and response capabilities across end user systems, cloud workloads, and servers. While this remains true today, security operations centers (SOCs) and incident response (IR) teams need additional capabilities ‘beyond the endpoint’ to protect modern enterprise environments.
In this blog post, learn how SentinelOne is extending the scope of our MDR service to provide 24×7 detection and response coverage across endpoint, cloud, identity, email, network, and beyond.
The Evolution of Endpoint Detection
In the early days of security monitoring and incident response, security teams relied primarily on network telemetry to identify and investigate cyber attacks. Direct visibility into activity on endpoints and servers was extremely limited, requiring SOC analysts and incident responders to infer what was happening within their environment based on network traffic to and from these systems.
This network-focused approach was reasonably effective – primarily because most network traffic was unencrypted and could be inspected directly; the volume of alert ‘noise’ was high, but real threats were hard to miss. However, as threats continued to evolve and encrypted network traffic became the norm, defenders struggled to maintain visibility into the infrastructure they were responsible for protecting.
Effective endpoint protection and endpoint detection and response (EPP/EDR) changed everything. Defenders gained full visibility into endpoint activity, such as detection of malware and other malicious activity, process execution, file system access, and network telemetry. Once a threat was identified, defenders could pivot quickly to incident response, collecting additional forensic artifacts, terminating malicious processes, and isolating compromised systems from the network thus limiting further incident scope and impact.
While EPP/EDR provided much needed visibility, it didn’t solve another problem – the shortage of skilled experts to operate and monitor these new technologies around the clock. Then came Managed Detection and Response (MDR). These services assumed the responsibility of detecting, investigating, and responding to threats on behalf of customers. Most of these services were built on a foundation of endpoint detection and response technology.
SentinelOne’s MDR service is no exception. Our MDR analysts identify and respond to suspicious activity harnessing the full power of our endpoint and cloud workload technology. We triage and investigate all suspicious activity across workstations, servers and cloud workloads, taking immediate containment and remediation actions to limit the scope and impact of confirmed threats, even before the customer is contacted with an incident summary and recommended next steps. Our process is so effective that 99.6% of threats are fully resolved without requiring escalation to our customers. Read all about how our MDR experts are able to protect our customers with more signal and less noise in the recent MITRE Managed Services Evaluation.
A Case for Detection and Response Beyond the Endpoint
Endpoint detection and response remains indispensable. In fact, organizations without a modern endpoint solution and a 24×7 team of experts to investigate and respond to endpoint threats are ill-prepared to detect and respond to breaches before the damage is done.
As the threat landscape has evolved, defenders are building on this foundation with further detection and response capabilities ‘beyond the endpoint’. For example:
- Consider identity as the new perimeter. More than one-third of all breaches began with the use of compromised credentials to gain initial access, according to the Verizon 2024 Data Breach Investigations Report.
- Attackers are targeting cloud infrastructure including serverless cloud resources and Cloud Service Provider (CSP) control planes.
- While full endpoint coverage is the goal, it simply isn’t feasible to deploy EPP/EDR agents to every system in large complex environments, especially those with legacy systems or Operational Technology (OT) infrastructure.
Why MDR? | The Technology Platform Matters
An MDR service is only as good as the technology it is built on. Many managed services are delivered using legacy SIEM and endpoint security technologies. Worse yet, some providers take a ‘technology neutral’ approach, claiming to deliver effective threat detection and response using whatever technology platform happens to be available in their customers’ environments. Their SOC analysts struggle to make sense of a flood of disparate alerts and telemetry, with no core technology foundation on which to develop expertise and focus their limited time and attention.
This approach has been tried and it has been unsuccessful. That’s why our MDR service is built on an open and extensible foundation – the SentinelOne Singularity Platform. This platform provides our MDR analysts with:
- Market-leading endpoint and cloud workload prevention, detection, and response
- Detection and disruption of identity attacks
- A security data lake providing end-to-end visibility across a wide range of security telemetry
- Hyper-automation to accelerate investigation and response, leveraging native and third-party containment and remediation actions to limit incident scope and impact
- PurpleAI, which empowers our analysts and our customers to respond more effectively and efficiently to threats
Our analysts work alongside our customers in the Singularity Operations Center, providing full transparency into analyst notes and findings. Additionally, powerful automations, native EDR, and threat intelligence help our analysts perform faster, more informed investigations, resulting in fewer escalations and more impactful recommendations for remediation.
Building On This Foundation
Our MDR service is not ‘technology neutral’. Rather, our MDR analysts are expert users of the Singularity Platform, and this focus is what results in a more effective outcome for our customers.
Complementing our existing Singularity Complete and Singularity Cloud Workload protection to detect and respond to threats, we are expanding the scope of our MDR service ‘beyond the endpoint’ with:
- Additional Detection Coverage – Our MDR analysts will triage and investigate alerts ‘beyond the endpoint’, beginning with alerts from Singularity Identity and later expanding to select third-party security technologies.
- Enriched Investigations – Our analysts will leverage additional telemetry in the Singularity Data Lake from select network, email, and identity integrations. This additional context will help our analysts make even more informed decisions about suspicious or malicious activity detected in our customers’ environments.
- Expanded Response Capabilities – When an incident is identified, our analysts will take additional response actions ‘beyond the endpoint’ to protect our customers.
Expanding Our Scope, But Remaining Focused
Earlier we described the limitations of ‘technology neutral’ managed service providers, namely that the time and attention of their analysts are spread thin across too many low-value, high-volume signals.
To address these limitations, SentinelOne’s MDR team is expanding the scope of its service. While remaining focused on delivering results, the MDR team will carefully evaluate additional data sources and integrations ‘beyond the endpoint’, providing additional support only if these integrations improve our ability to detect and respond to threats on behalf of our customers.
Further, each integration is evaluated based on its ability to deliver value for detection, investigation, and response. Additionally, we will always be transparent with our customers about whether and how each third-party integration with the Singularity Platform is leveraged by our MDR analysts.
Learn More | Singularity MDR Is Coming Soon
Our MDR team is currently evaluating and incorporating new detection, investigation, and response capabilities ‘beyond the endpoint’. In August 2024, we will introduce our new Singularity MDR service, built on the existing powerful capabilities of Vigilance MDR, with expanded support for Singularity Identity, along with select third-party network, email, and identity integrations for enhanced investigation and response coverage. Stay connected to learn more about the innovations and features we’re working on to deliver an elevated service that provides undisputed peace of mind.
Learn more about how SentinelOne is leveraging our security expertise to continuously advance our AI capabilities at our upcoming webinar hosted by Warwick Webb and Ely Kahn on June 25th as we discuss “MDR in an AI World”.