The Managed Detection and Response (MDR) service is a comprehensive cyber security event monitoring solution. It combines a next-generation cloud-based SIEM platform, a robust detection library, and 24/7/365 event monitoring and triage by human analysts. These three pillars facilitate prompt detection and quick containment of threats. The MDR service is tiered by the level of privileged access made available to the CipherTechs MDR team. The Client may increase or decrease the Tier level at any time by executing an engagement Change Order.
Tier 1 – Detection and Response
Monitoring of security events with limited access to the security controls required for containment. With this option, SOC analysts will have read-only access to data sources and security controls, allowing them to investigate alerts, confirm validity, gather contextual information, and notify the appropriate client personnel.
The CipherTechs team will work with the customer, providing suggestions for tuning strategies designed to increase the fidelity of alerts. Any containment efforts are carried out by the customer's internal security team.
Collect logs from client data sources including EDR, cloud, identity providers, network security devices and custom-built applications.
Detect threats within the collected logs using CipherTechs' proprietary high-fidelity detection library, based on continuously evolving adversary TTPs.
Monitor for security events on a next-generation SIEM platform with human analysts on a 24/7/365 basis.
Analyze security events to determine appropriate response by gathering contextual information using public and client-specific information sources.
Notify client contacts of true positives, construct a timeline and provide pertinent event information.
Tune false positives to improve detection quality and response time.
Validate on a regular basis that the correct logs are being received and that detections are properly configured.
Tier 2 – Detection and Response with Containment
With the addition of containment, the CipherTechs MDR team will take initial threat response actions based on client-defined criteria. This may include containment and isolation actions on endpoints, networks, cloud or other applications within the client environment.
This Tier includes all Tier 1 services as well as:
Contain adversaries by actively isolating systems and leveraging customer tools to quickly reduce the attack surface.
Eradicate, where possible, the malicious logic and presence from the affected systems rather than taking the typical approach of complete system rebuilding.
Consult on available options regarding the recovery of confidentiality, integrity, and availability of information and services impacting users, systems, and data.
This tier will require elevated access into the customer's environment to perform the containment actions.
Reporting & Metrics
MDR case summaries, including time, category, and other KPIs.
Monthly summary of cases
Log source data consumption
Mapping of detections to MITRE framework
Time to respond and remediate
Advanced and executive-level reports as requested
Managed Phish Response
Threat Hunting Service - Proactively conduct threat hunting to discover compromises that existing security tools have not detected, and provide possible means to automate future detection of such discoveries.
Mobile, Endpoint, Server and Cloud Forensics.
Monitoring Service Level Agreement (“SLA”)
The following describes the SLA objectives the CipherTechs monitoring team strives for in reviewing, analyzing, and notifying the Client of security incidents. This should act as the default SLA for all security events unless otherwise agreed to and documented by CipherTechs and the Client.
CipherTechs will provide 24x7 SIEM monitoring coverage to the Client. CipherTechs will respond to any correlated security or availability event within the following timeframes:
HIGH – within one (1) hour of validation (typically, this will happen in near real-time)
LOW – within twenty-four (24) hours of validation (typically, this will happen in near real-time)
Validation is defined as a human analyst receiving an alert/event and checking the accuracy of the respective event within the appropriate tools and applications (for example, on an availability alert for the site-to-site VPN, the CipherTechs analyst will log in to the health monitoring system and check the tunnel status before contacting the Client or escalating internally).
False positives will be noted and tuning adjustments will be made to enhance monitoring capabilities; true positives will be acted upon by following the case handling procedures identified in CipherTechs' use cases. This approach ensures that only actionable events are brought to the Client for response, eliminating unnecessary Client communication. With this approach, alert fatigue is dramatically reduced while actionable events are still remediated.