MDR Threat Reviews
The Managed Detection and Response (MDR) service will detect, respond and report relevant threats that pose a risk to a client, but it is the client’s responsibility to bring the risk to closure. To help the client with this, a program of quarterly threat reviews is included with the MDR service.
For clients that require a dedicated resource and monthly threat reviews, the Samurai Cybersecurity Advisor add-on subscription is available for an additional fee.
The key focus of threat reviews is to help MDR clients get the most value from the service, reduce business risk based on security incidents reported, and ensure security incidents are handled appropriately.
Through regular threat reviews, a client will:
- be trained and educated to understand threats and risks reported by the MDR service,
- be provided recommendations to improve detection and response, and
- receive follow-up to ensure that reported threats and risks are handled and mitigated.
The threat review program is initiated at the time of onboarding. During the orientation call the quarterly meetings will be scheduled for the remainder of the contract period. Please review Onboarding Managed Detection and Response (MDR) for further details.
The threat review meetings are scheduled during business hours within central European time (CET) and conducted by an MDR analyst who is or has been part of 24/7 MDR service delivery. This resource is not a dedicated resource per client but is a shared responsibility for analysts within our Security Operations Center (SOC). With access to the SOC workbench and a client’s Samurai tenant our analysts have detailed knowledge of potential threats and risks, and skills to perform searches and hunts.
The MDR service will detect and respond to relevant threats that pose a risk. These threats are reported via Security Incident Reports. It is the client’s responsibility to handle and bring the risk to closure. All actions related to the handling of the security incident will be performed through the 24/7 MDR service and not during threat reviews. We understand that threats and risks can often be difficult to understand, our recommendations can often mitigate risk, however our aim during threat reviews is to enable clients to fully understand the risk so they can stay proactive, mitigate root cause, and avoid future security incidents. Hence during a threat review meeting we will present reported security incidents to a client and their stakeholders outlining the threats reported and risks posed.
We will also maintain and update a detection and response improvement list through the entire lifecycle of the MDR service. The improvement list focuses on suggestions that will improve detection of threats e.g. new systems that should be onboarded into the MDR service, or could also include actions that either the client, the SOC or NTT Security Holdings need to take in relation to improving threat detection and response. The ultimate benefit of this process to the client is an improved security posture.
Threat reviews will also follow up on any actions performed by a client after a Security Incident was reported. This will help to confirm that the client was able to take suitable actions based on the threat identified. Depending on the client’s security posture and risk profile, the client may either take mitigation actions that remove the threat or decide to accept risk. Clients should provide feedback on the reported Security Incident and the actions taken as it enables the 24/7 MDR service to verify if the threat was removed or if still present after any actions. During Threat Review meetings we will work through these actions with the client so that the client handling time for any subsequent Security Incident will decrease, reducing risk exposure time.
If a client has any general questions or requests related to the MDR service and/or how to detect and respond to threats not related to a reported Security Incident, a ticket can be raised via the Samurai MDR portal, and be handled by the Threat Review team.