Managed Detection and Response (MDR)

Trend Micro’s Managed Detection and Response (MDR) service monitors network and endpoint data, and prioritizes alerts according to severity using big data Artificial Intelligence (AI) techniques, and can help detect threats that may previously have been “grey alerts” by themselves. Trend Micro threat researchers investigate further to determine the extent and spread of the attack through a detailed Root Cause Analysis, and work with customers to provide a detailed response plan.

Endpoint-resident event recording

The MDR service uses alight weight agent that combines TrendMicro’s award winning endpoint protection solution with EDR to provide detailed recording of system behaviors and events at the kernel and user levels. It tracks these events in context across time, providing an in-depth history that can be accessed in real time.

Network meta data recording from Deep Discovery

Trend MicroTM DeepDiscoveryTM Inspector is a network appliance that monitors all ports and over 100 different network protocols to discover advanced threats and targeted attacks moving in and out of the network and laterally across it. The appliance detects and analyzes malware, command-and-control (C&C) communications, and evasive attacker activities that are invisible to standard security defenses. Alerts are sent directly to the MDR service, while recorded meta data is collected and queried by the MDR service as needed.

Event Monitoring and Alerting

Trend Micro Managed Services will monitor the customer’s MDR deployment 24/7/365, and will remotely investigate all critical security events using data available in the monitored products. Real-time events from endpoint and network security will be continuously sent to Trend Micro’s SOC via event logs and alerts. If a critical event is detected and validated it will be escalated to the customer for action.

Advanced Correlation

By correlating threat data from multiple sources such as endpoints, networks and servers, a clearer picture is available to determine the source and spread of advanced attacks. Trend Micro’s MDR service can even spot Internet of Things (IoT) devices, such as printers, that may have been compromised, and makes use of advanced AI to analyze and prioritize threat data.

Reports

For investigated customer threat alerts, Trend Micro reports information through incident cases, which contain details of the threat including affected hosts, IOC’s, and recommended mitigation options wherever possible. Trend Micro also provides monthly reports to summarize case activity from the preceding month. All cases and reports are published to the Trend Micro Customer Success portal, as well as emailed to desired recipients through the standard case support system.

Service Reviews

Trend Micro provides an opportunity for a formal service performance review atleast once per month. This review examines service performance, significant events and incidents, faults and cases, change requests and execution and recommendations.

DETECTION

Within an organization, endpoint sensors record system activities and behaviors and send metadata about these recordings, as well as endpoint alerts and detections to the MDR service. Deep Discovery records the network data and sends metadata to the MDR service, as well as network security alerts and detections. Using advanced AI, these alerts are correlated and analyzed through the Trend MicroTM Smart Protection NetworkTM. The resulting correlated alerts are prioritized, and notifications are sent to the Trend Micro SOC.

ANALYSIS

Incident response staff investigate the specific threats by gathering additional information (with customer approval though their management console), determining vulnerabilities, understanding what else may have been downloaded, or if the original threat has mutated and spread. The analyst investigates to determine the full root cause analysis and potential impact to the affected customer.

RESPONSE

A report is provided to customers about the incident, including recommendations on how to respond and remediate from the attack where appropriate. In some cases, tools may be provided to assist with the remediation.

If you are interested in learning more, contact us by filling the form here. We would be glad to go into further detail with your team by having one of our team members reach out!