Showing posts with label ids security.

Monday, March 2, 2020

The role of managed detection and response (MDR) in security

For organizations that want to get the most out of their security strategies but cannot fund a full-time security team, initiatives like MDR can be a viable option. Why?

To facilitate the work of security teams when creating an incident response team, it is necessary to set up an organizational structure with a policy that is applicable and, above all, effective. (this section seems a little out of place)

Essentially, MDR is made up of security analysts and response analysts who examine an organization's records for suspicious events. This includes proactive threat detection and analysis: vulnerability analysis, patching, firmware updates, and monitoring of intrusion detection and prevention systems (IDS/IPS).

After recording malicious activity, the team performs a more in-depth analysis. MDR is then responsible for investigating the threat and resolving the incident.

This creates a delivery process for resolving the analyzed case, such as notifying the customer, providing threat intelligence, or taking some other predefined action.

Companies that failed to update their systems to close known gaps, with consequences that could have been avoided, exemplify the importance of the MDR approach.

MDR contributes to a change in mentality, helping companies transform and balance prevention with innovative methods.

Friday, February 28, 2020

INTRUSION DETECTION AND PREVENTION SYSTEMS INTRODUCTION

An IDS (Intrusion detection system) is software that automates the intrusion detection process.

An IPS (Intrusion prevention system) is software that has IDS capabilities and can also attempt to stop possible incidents.

IDPS (Intrusion detection and prevention systems) focus on identifying possible incidents, logging information about them, trying to stop them, and reporting them to security administrators. They record the important events they observe and produce reports from those records.

There are several techniques for responding to a detected intrusion, such as changing security measures (e.g., reconfiguring a firewall) or changing the content of the attack itself.

IDPS technologies differ according to the type of event they monitor and the way in which they are deployed.

There are many types of IDPS technologies, which differ mainly in the types of events they are able to identify and the methodologies they use to identify incidents. However, all types of IDPS technology typically perform the following functions:

Record information related to observed events: the information is usually stored locally, or it can be sent to separate systems such as logging servers.

Notify security administrators about important observed events: these notifications, commonly known as alerts, can be delivered through different methods such as emails or syslog messages.

Generate reports: summaries of the monitored events.
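The three functions above (record, notify, report) can be shown end to end in a small host-based detector. The following is an added example written for this post, not code from the original; the log lines are constructed sshd-style auth events, the two detection rules and the threshold are assumptions, and the alert format is a simplified syslog-style layout rather than a full RFC 5424 implementation.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (sshd-style auth events); not taken from any real system.
SAMPLE_LOGS = [
    "Mar  2 10:00:01 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 51001 ssh2",
    "Mar  2 10:00:03 host1 sshd[1202]: Failed password for root from 203.0.113.5 port 51002 ssh2",
    "Mar  2 10:00:05 host1 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51003 ssh2",
    "Mar  2 10:00:09 host1 sshd[1204]: Accepted password for admin from 203.0.113.5 port 51004 ssh2",
    "Mar  2 10:01:00 host1 sshd[1205]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2",
    "Mar  2 10:01:30 host1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",  # unrelated line, ignored
]

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+)"
)


def parse_line(line):
    """Turn one raw log line into a structured event, or None if it is not an auth event."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    return ev


def record_events(lines):
    """Function 1 (record): keep every parsed event. A real IDPS stores these locally
    or forwards them to a logging server."""
    return [ev for ev in map(parse_line, lines) if ev is not None]


def detect(events, threshold=3):
    """Two assumed rules run over the recorded events:
    - brute_force: `threshold` or more failed logins from one source address
    - success_after_failures: a successful login from a source that had already failed
    """
    failures = defaultdict(int)
    already_alerted = set()
    alerts = []
    for ev in events:
        ip = ev["ip"]
        if ev["outcome"] == "Failed":
            failures[ip] += 1
            if failures[ip] >= threshold and ip not in already_alerted:
                already_alerted.add(ip)
                alerts.append({"rule": "brute_force", "ts": ev["ts"], "host": ev["host"],
                               "ip": ip, "count": failures[ip]})
        elif failures[ip] > 0:
            alerts.append({"rule": "success_after_failures", "ts": ev["ts"], "host": ev["host"],
                           "ip": ip, "user": ev["user"], "count": failures[ip]})
    return alerts


SYSLOG_FACILITY_LOCAL0 = 16
SEVERITY = {"brute_force": 4, "success_after_failures": 2}  # syslog warning / critical


def format_alert(alert):
    """Function 2 (notify): render an alert as a syslog-style message.
    PRI = facility * 8 + severity; the rest of the layout is a simplified RFC 5424 shape."""
    pri = SYSLOG_FACILITY_LOCAL0 * 8 + SEVERITY[alert["rule"]]
    fields = " ".join(f"{k}={v}" for k, v in alert.items() if k not in ("rule", "ts", "host"))
    return f"<{pri}>1 {alert['ts']} {alert['host']} ids - {alert['rule']} - {fields}"


def build_report(events, alerts):
    """Function 3 (report): summarise the monitored period."""
    outcomes = Counter(ev["outcome"] for ev in events)
    sources = Counter(ev["ip"] for ev in events)
    return {
        "events": len(events),
        "failed": outcomes["Failed"],
        "accepted": outcomes["Accepted"],
        "alerts": len(alerts),
        "alerts_by_rule": dict(Counter(a["rule"] for a in alerts)),
        "top_sources": sources.most_common(3),
    }


if __name__ == "__main__":
    evs = record_events(SAMPLE_LOGS)
    als = detect(evs)
    for a in als:
        print(format_alert(a))
    print(build_report(evs, als))
```

Run against the constructed lines, the detector records five auth events, raises a brute-force alert on the third failure from 203.0.113.5 and a higher-severity alert when the same source then logs in successfully, and the report counts three failures, two successes and two alerts. The "success after failures" rule is the one a practitioner cares about most: a brute-force attempt that stops is noise, one that ends in an accepted login is an incident.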


Thursday, February 27, 2020

Types of IPS

Host-based intrusion prevention system (HIPS)

This system works in a similar way to a HIDS: the checks run on the machine on which it is installed. However, in addition to detecting the attack, it makes decisions based on the analyses it carries out.

It has direct access to the machine's operating system and to the kernel itself, so it can control access to the file system, configuration, and system logs.

Another distinguishing feature of HIPS is that it identifies suspicious behavior in the operating system rather than only comparing signatures.

In addition, because a HIPS runs on the host, it can inspect network traffic after the packet has been decrypted, so it can detect an attack that was encrypted on the wire. A NIPS or NIDS, which only sees the encrypted packets, cannot do this.

Network-based intrusion prevention system (NIPS)

This type of system, on the other hand, is based on an inline device, which can be a router or a switch, since these forward packets between networks. Whenever an attack is identified, decisions are made based on predefined rules, and it is these rules that block the suspected attack.

A NIPS can drop the connection, preventing the packets from reaching their destination, much as a firewall does.
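The inline decision described above, and the difference between a passive IDS and an inline IPS, can be shown with a small simulation. This is an added example written for this post, not code from the original; the packets are constructed, the three rules and their "drop" or "alert" actions are assumptions, and the 5-tuple flow key stands in for the connection tracking a real inline device would do.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes = b""

    @property
    def flow(self):
        # 5-tuple identifying the connection this packet belongs to
        return (self.proto, self.src, self.sport, self.dst, self.dport)


# Predefined rules (constructed for this example). A rule matches when every
# listed condition holds; "action" is what an inline device does on a match.
RULES = [
    {"name": "sqli_union_in_http", "proto": "tcp", "dport": 80,
     "payload_contains": b"UNION SELECT", "action": "drop"},
    {"name": "telnet_to_servers", "proto": "tcp", "dport": 23, "action": "drop"},
    {"name": "icmp_echo_note", "proto": "icmp", "action": "alert"},
]

# Constructed packet stream: one legitimate client (198.51.100.7), one suspicious one (203.0.113.5).
SAMPLE_PACKETS = [
    Packet("198.51.100.7", 40001, "10.0.0.5", 80, "tcp", b"GET /index.html HTTP/1.1"),
    Packet("203.0.113.5", 51010, "10.0.0.5", 80, "tcp", b"GET /item?id=1 UNION SELECT 1,2 HTTP/1.1"),
    Packet("203.0.113.5", 51010, "10.0.0.5", 80, "tcp", b"GET /item?id=2 HTTP/1.1"),  # same connection
    Packet("203.0.113.5", 51011, "10.0.0.5", 23, "tcp", b""),
    Packet("198.51.100.7", 40002, "10.0.0.5", 443, "tcp", b"\x16\x03\x01"),
    Packet("198.51.100.7", 0, "10.0.0.5", 0, "icmp", b"\x08\x00"),
]


def rule_matches(rule, pkt):
    """A rule matches only if every condition it specifies holds for the packet."""
    if "proto" in rule and rule["proto"] != pkt.proto:
        return False
    if "dport" in rule and rule["dport"] != pkt.dport:
        return False
    if "payload_contains" in rule and rule["payload_contains"] not in pkt.payload:
        return False
    return True


class InlineIDPS:
    def __init__(self, rules, mode="ips"):
        self.rules = rules
        self.mode = mode            # "ids": detect only; "ips": detect and block
        self.blocked_flows = set()  # connections already dropped (IPS mode only)
        self.alerts = []            # (rule, src, dst, dport) for every match, in both modes

    def process(self, pkt):
        """Return (verdict, reason); verdict is 'forward' or 'drop'."""
        if pkt.flow in self.blocked_flows:
            # The connection was already dropped: nothing else from it reaches the destination.
            return "drop", "blocked_flow"
        for rule in self.rules:
            if rule_matches(rule, pkt):
                self.alerts.append((rule["name"], pkt.src, pkt.dst, pkt.dport))
                if self.mode == "ips" and rule["action"] == "drop":
                    self.blocked_flows.add(pkt.flow)  # drop the whole connection, like a firewall
                    return "drop", rule["name"]
                return "forward", rule["name"]  # alert-only rule, or passive IDS mode
        return "forward", None


def run(packets, mode):
    """Push the packet stream through one device and return its verdicts and alerts."""
    dev = InlineIDPS(RULES, mode)
    verdicts = [dev.process(p) for p in packets]
    return verdicts, dev.alerts


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        verdicts, alerts = run(SAMPLE_PACKETS, mode)
        print(mode, [v for v, _ in verdicts], len(alerts), "alerts")
```

In IPS mode the second packet matches the HTTP rule, its connection is added to the blocked set, and the third packet (same 5-tuple, harmless on its own) is dropped too because the connection is gone. In IDS mode the same rules fire the same alerts, but every packet is still forwarded: that is the only difference between the two roles, and it is why an inline device needs rules it can trust, since a false positive now costs a dropped connection rather than a spurious alert.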

There are several other types of IDS/IPS systems; here we have covered the most common and widely used ones, but you can find more in this material: