The cyberthreat landscape continues to evolve quickly, with many indicators pointing to more sophisticated and damaging attacks. A recent analysis found an increasing percentage of attacks now involve non-malware, hands-on-keyboard activity [1]. These kinds of attacks are harder to detect and create a real challenge for today’s security teams: keeping up with threats.

What’s needed is an approach to detection that’s just as fast and nimble as threat actors. Given the breadth of threats and the need for speed, it’s critical to focus detection efforts on the threats most relevant to the environments we’re protecting.

A focused coverage model

To address this security challenge, we’ve built up a dedicated Detection Engineering team for MDR+. The goal of our team is to systematically expand detection coverage while achieving a solid signal-to-noise ratio. To achieve this goal, we’ve developed a proprietary framework called the Holistic Coverage model. We’ll explore this robust coverage model in full detail in a future blog post. For now, here’s a high-level summary:

  1. Holistic Coverage begins by modeling what threats are most relevant to our customers, using industry frameworks such as MITRE ATT&CK to guide focus.
  2. The next challenge is how to detect these threats. Two key aspects of how detection is enabled are:
    • Data: the careful curation of relevant log sources from the environment
    • Technology: the effective deployment and use of security controls

In this way, Holistic Coverage enables us to broaden coverage in the most relevant areas, proactively. The threats we need to mitigate dictate the logs we collect and the controls we leverage in MDR+.

Introducing Rapid Cover for MDR+

As many in the industry have realized, the value of focus expands beyond detection engineering to security operations (SecOps) more generally. This is why our MDR+ service focuses on operationalizing the Microsoft Security suite. With Microsoft Security, enterprises globally are consolidating their SecOps onto a universal multi-cloud, multi-device control plane. The benefits are significant, including reduced risk from reduced complexity, as well as cost savings through product consolidation.

Even consolidated, the challenge of quickly operationalizing security technology is a significant one. Microsoft has unmatched insights into the enterprise threat landscape, analyzing more than 43 trillion security signals daily [2] to drive forward their XDR solution. With this volume of insights, Microsoft innovates and pushes continual updates to detection logic at an industry-leading pace. While new detection logic helps in keeping up with the latest threats, it also needs to be baselined in customer environments, to filter out updates that prove too noisy.

Now, with Rapid Cover for MDR+, our customers can leverage new Microsoft detection updates quickly and effectively.

Customers benefit in two key ways:

  • Broader detection coverage, faster: customers experience near real-time operationalization of new detection logic from Microsoft Defender products.
  • Increased ROI on Microsoft security investments: customers can maximize their Microsoft Security licenses to more effectively leverage existing Microsoft controls and conveniently expand into new Microsoft controls they might acquire and deploy.

Through our Rapid Cover pilot phase, customer feedback has been overwhelmingly positive. It’s not every day you see the CISO and the CFO excited about the same new development!

Better, faster coverage through existing security investments is compelling. So you might wonder why other MDR-for-Microsoft vendors don’t deliver such a capability.

Rapid Cover: Behind the scenes

Integrating new Microsoft Security signals into live SecOps is no trivial task – it requires a technical architecture built for agility. In the spirit of transparency, one of the guiding principles of the MDR+ service, we explore below how Rapid Cover operationalizes new detections in near real time.

A key technical challenge is ensuring new, potentially noisy detections don’t disrupt operations. Rapid Cover solves for this by baselining new detections in a learning phase. This enables our Detection Engineering team to quickly validate the effectiveness of the new logic in actual customer environments, augmenting the logic with relevant filtering and suppression rules. Once the accuracy threshold for use in SecOps is achieved, Rapid Cover takes the new logic live. Our team continues to monitor performance, with additional tuning executed as necessary.

If our Detection Engineering team had to split their focus between multiple security suites, it would be impossible to move so quickly. Such speed is only possible thanks to our singular focus on the Microsoft Security stack.

The Rapid Cover process, from new Microsoft updates to use in live operations, is summarized below:


(1) Microsoft Security products deployed and configured

  • Microsoft Security products deployed and optimally configured in the customer environment
  • (Continuous) Microsoft releases new detection logic to their customers to maintain security visibility in an evolving threat landscape

(2) Rapid Cover

  • Automation rules and logic apps deployed to customer's tenant using the Mission Control deployment pipeline
  • Automation rules and logic apps extract key data from incidents and prepare alerts to be processed by MDR+ pipeline
  • Logic apps are used to exclude low-fidelity or security-insignificant incidents and auto-resolve them

(3) MDR+ Pipeline

  • Incidents from the customer's tenant are processed by components of the MDR+ pipeline
  • Filter rules are applied at this stage to auto-resolve filtered incidents
  • Learning: incidents forwarded to Mission Control for baselining
  • Production: incidents begin generating tickets

(4) MDR+ Service

  • Learning: SOC Engineers continue the tuning process, leveraging filtering and suppression rules, to achieve our threshold accuracy
  • Production: MDR+ handles customer incidents, working in the customer tenant to view, investigate, and respond as needed. Ongoing tuning is done as needed.
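The learning-phase baselining described above (new detections watched in the customer tenant until they clear an accuracy threshold, then promoted to production) is the kind of decision a detection engineer can drive from Sentinel's own incident data. The query below is an added example, not code from the MDR+ service or from Microsoft; it groups closed incidents by title over a learning window and flags each detection as "keep learning", "needs suppression" or "promote to production". The 14-day window, the minimum sample size, the 50% false-positive ceiling, and the use of incident Title as a stand-in for the detection rule are all assumptions chosen for illustration.

```kusto
// Added example (not from the MDR+ post or from Microsoft): baseline newly
// enabled detections in a Microsoft Sentinel workspace during a learning window.
// Assumed parameters: 14-day window, at least 5 incidents per detection before
// a verdict, and no more than 50% false positives to go to production.
let lookback = 14d;
let min_incidents = 5;
let max_fp_rate = 0.5;
SecurityIncident
| where TimeGenerated > ago(lookback)
// SecurityIncident writes one row per incident update; keep only the latest
// state of each incident so closures are not double-counted.
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
// Map analyst closure reasons to a small set of dispositions. Incidents that
// are still open carry no verdict yet.
| extend Disposition = case(
    Status != "Closed", "Open",
    Classification == "TruePositive", "TP",
    Classification == "BenignPositive", "BP",
    Classification == "FalsePositive", "FP",
    "Undetermined")
// Title is used here as a proxy for the detection that raised the incident
// (assumption: Defender-sourced incidents do not carry an analytics rule id).
| summarize Incidents = count(),
            TP = countif(Disposition == "TP"),
            BP = countif(Disposition == "BP"),
            FP = countif(Disposition == "FP"),
            Open = countif(Disposition == "Open"),
            FirstSeen = min(CreatedTime)
  by Title
| extend Closed = TP + BP + FP
| extend FpRate = iff(Closed > 0, todouble(FP) / Closed, real(null))
// Verdict for the learning phase: not enough evidence, too noisy, or ready.
| extend Verdict = case(
    Incidents < min_incidents, "keep learning",
    isnull(FpRate), "keep learning",
    FpRate > max_fp_rate, "needs suppression",
    "promote to production")
| project Title, FirstSeen, Incidents, Open, TP, BP, FP, FpRate, Verdict
| order by FpRate desc, Incidents desc
```

Run it in the Logs blade of the workspace that receives the customer's Defender incidents. Detections that land in "needs suppression" are the candidates for the filtering and suppression rules mentioned above; re-running the query after those rules are in place shows whether the false-positive rate has dropped below the threshold before the detection is taken live.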

Relentless in our pursuit

Keeping up with modern threat actors and attacks demands speed and accuracy of detection. For MDR+ customers, Rapid Cover operationalizes Microsoft Security product updates in near real time, ensuring they can mitigate the latest threats while maximizing Microsoft security investments.

References:
[1] https://www.securityweek.com/ransomware-related-data-leaks-nearly-doubled-2021-report 

[2] https://www.microsoft.com/security/blog/2022/08/02/microsoft-announces-new-solutions-for-threat-intelligence-and-attack-surface-management/