Today, businesses worldwide are undergoing a digital transformation. IT infrastructures are growing and becoming more complex. Because business continuity depends on their resilience, organizations are deploying more and more defenses in an effort to build sophisticated cybersecurity systems. However, no means of protection can guarantee absolute security. Cybercriminals know how to bypass any single mechanism and remain undetected in the victim’s infrastructure for weeks or even months. Standard preventive defenses are no longer sufficient to avoid financial and reputational losses. Therefore, continuous monitoring is essential—it ensures quick threat detection and response. This is where organizations face a choice: either to create their own Security Operations Center (SOC), investing large amounts of resources in a long and complex project amid a severe staff shortage, or to outsource to an external provider.
Traditionally, around the world, security incident monitoring and response services have been rendered by managed security service providers (MSSPs) based on their SOCs. When connecting an IT infrastructure to the MSSP SOC, the client taps into a wide range of log sources, from operating systems, databases, security tools, and network equipment to business applications. This provides complete coverage of the IT infrastructure and allows the detection of all types of incidents. Furthermore, MSS providers support their clients’ security solutions and can therefore use them to respond to incidents detected in the course of monitoring (e.g., to block network access to the malware command center on the edge firewall, or to initiate an unscheduled antivirus scan of the hosts).
In recent years, a new breed of incident monitoring and response firms, known as managed detection and response (MDR) providers, has been emerging in the market as an alternative to the MSSP SOC. In essence, they solve the same problem, but with a different approach. The event sources for MDR are either EDR agents deployed on IT infrastructure endpoints or network sensors based on NTA/NDR solutions. Hence, compared to the MSSP SOC, the scope of infrastructure coverage is significantly narrower, but the depth of data collected is much greater, allowing far quicker detection of advanced attacks.
From a marketing perspective, MSSP SOC and MDR providers are actively pitted against each other. In our opinion, this is misguided, since implementing both approaches together delivers the best result—in terms of both the scope and depth of threat detection, and response time. Given this, BI.ZONE is launching a new service—BI.ZONE Threat Detection and Response (TDR)—which combines the advantages of MSSP SOC and MDR. BI.ZONE TDR is based on in-house technologies as well as threat intelligence (TI) obtained by dedicated internal research units. This makes it possible to adapt the service to changing market demands and to stay independent of external tool and TI vendors.
In addition to the standard tasks of monitoring and responding to security incidents offered by regular MSSP and MDR providers, BI.ZONE TDR also prevents future incidents by continuously identifying vulnerabilities and weaknesses in the IT infrastructure configuration, based on the analysis of EDR inventory data. This ensures coverage of the entire attack life cycle: before, during, and immediately after the incident.
BI.ZONE TDR is available in four modifications shown in the table below.
| | Vision | Horizon | Focus | Panorama |
|---|---|---|---|---|
| Collection of events from a fixed set of log sources | | | | |
| Collection of events from any log source | | | | |
| Collection of extended endpoint and network telemetry (via EDR/NTA) | | | | |
| Monitoring of cloud infrastructures: AWS, GCP, Microsoft Azure, SaaS (Office 365, etc.) | | | | |
Threat Detection—discovery of active attacks
| | Vision | Horizon | Focus | Panorama |
|---|---|---|---|---|
| Automated incident detection based on correlation rules and Threat Intelligence data | | | | |
| 24/7 monitoring of correlation rule triggers by our experts | | | | |
| Fixed set of correlation rules | | | | |
| Constantly updated set of correlation rules | | | | |
| Development of custom correlation rules according to client requirements | | | | |
| Correlation rules for detecting advanced attacks | | | | |
| Usage of YARA rules for detection | | | | |
| Manual proactive search for incidents by our experts (threat hunting) | | | | |
Threat Response—incident response and mitigation
| | Vision | Horizon | Focus | Panorama |
|---|---|---|---|---|
| Automated notifications and recommendations on detected incidents (direct alerts) | | | | |
| Notifications and recommendations regarding detected incidents, prepared by our experts | Critical incidents only | | | |
| Active response to detected incidents using EDR provided by our experts | | | | |
Threat Prevention—automatic prevention of known threats based on EDR rules
| | Vision | Horizon | Focus | Panorama |
|---|---|---|---|---|
| Our experts develop customized rules for automatic threat prevention based on the incident response results | | | | |
| Automatic prevention of known threats based on rules provided by our experts | | | | |
Threat Archeology—detection of past attacks that are currently inactive
| | Vision | Horizon | Focus | Panorama |
|---|---|---|---|---|
| Identification of past attacks not currently active through the analysis of historical events and forensic artifacts collected by EDR | | | | |
Threat Prediction—prevention of future incidents
| | Vision | Horizon | Focus | Panorama |
|---|---|---|---|---|
| Continuous detection of infrastructure vulnerabilities and weaknesses | | | | |
| Verification of detected weaknesses and vulnerabilities by our experts | | | | |
The different service modifications allow organizations to choose the most appropriate level of monitoring and response, depending on the size of the infrastructure, the company’s cybersecurity maturity, and its current tasks. As the IT infrastructure grows, it is always possible to move to another level without additional complex steps, such as migrating to other solutions and systems. Regardless of whether you have your own SOC, BI.ZONE TDR can provide comprehensive protection of your corporate IT assets and enhance your cyber maturity.