MDR Questions Answered
Prompt and accurate incident response takes time and skill. Volta’s managed detection and response (MDR) service allows an organization to take advantage of a remotely delivered, modern security operations center in order to rapidly detect, analyze, investigate and actively respond to threats around the clock. Our MDR strategy allows for flexible, vendor-agnostic delivery options, but we also provide our own tech stack to most of our security customers.
About a month ago (February 2021) we hosted a virtual discussion to further summarize our approach to MDR and answer questions about our recommended threat detection tools. The briefing was led by our Chief Security and Information Officer, Mark Macumber; here are the questions attendees asked him.
MDR Briefing Q&A
Q: Do you bring in data from cloud services like O365, Azure, zScaler?
A: Yes, we integrate with any cloud service that supports log export. We can also pull log data via API from any cloud service with a published API/SDK.
Q: Is there an agent installed on all clients, or is it an appliance that ingests from the firewall and other servers?
A: We offer agents for servers and endpoints as well as integrate with existing endpoint protection solutions. We ingest logs natively from security controls like firewalls, IPS, etc.
Q: Do you have tools for AAD, Auth, locations, MFA?
A: Yes! We integrate with all the identity and access management systems on the market.
Q: Do you handle both prem-based and cloud-based infrastructure and applications?
A: Yes, we do. Almost all of our customers have a combination of both and need visibility into both cloud and on-prem assets.
Q: How does your MDR solution scale to the needs of your customers who may need to add protection as their business model grows?
A: Every one of our customers adds to their security architecture over time. We ingest these additional points of telemetry to improve detection and visibility. There is no add-on cost as long as we have the storage.
Q: What is the response SLA time to alert a customer about an incident?
A: This varies based on the architecture and visibility available, but we are a 24x7x365 SOC and strive for instant response and immediate notification.
Q: What SIEM systems do you integrate with?
A: We’ve worked with numerous commercial SIEMs. Splunk, LogRhythm, Exabeam and QRadar are the most common. We bring our ElasticStack SIEM to customers who may not have a SIEM or want an improved experience.
Q: Do analysts always review issues before reporting, or are all alerted on?
A: We always triage and investigate alerts before escalating. We do provide roll ups of all received alerts for clients who want that data.
Q: What is your SOC team’s role in the event of a potential adverse security event? How deep will you go into the triage process?
A: We work events and alerts to complete resolution, including assistance with incident response.
Q: What are your goal time frames in the detection/understanding/containment ratio for Volta’s SOC services?
A: Our goal is for instant response to all alerts. We can customize containment SLAs based on the client and available compensating controls.
Q: What core offerings of MDR can you present to your clients that your competitors may not be able to offer? How does your offering differ from the other cybersecurity firms and their remediation and posturing?
A: We have a customized ElasticStack analytics platform with numerous hand-written ingestion pipelines. We have developed a monitoring and alerting system in-house called MultiMeter. MultiMeter is a customizable, open-source program that we use for workflow automation, monitoring and alerting – which can be layered atop many popular security controls. MultiMeter costs less than commercial alerting systems, and even if we don’t engage as a full MDR provider, we can stand up MultiMeter in a customer’s environment on a subscription basis. We believe customization and automation set us apart from our competitors.
Q: What is a typical startup time for the free trial?
A: This depends on the client and what their controls are, but we can be ingesting logs and telemetry within one day. If we are on-prem, hosted or in the customer’s cloud we can build the linkages very quickly. Getting data shipped out from the client’s controls is usually the longest part of setup.
Thank you for checking out the Q&A. We are currently offering 3 free months of MDR from Volta, so make sure to reach out with any further questions and to set up your trial!