MDR analysts are highly trained cybersecurity professionals that perform ‘managed detection and response’ duties on behalf of a customer. If that description sounds somewhat vague, you’re not alone in thinking so.
“MDR is so much more than [managed detection and response],” says Anthony Bradshaw, MDR Analyst and Team Lead at Sophos. “It’s threat intelligence, threat hunting, threat research, detection engineering, incident response, and so on. It’s a complete package for protecting critical systems with the ability to have highly technical analysts responding to adversaries at the drop of a hat.”
But even though market researchers predict a massive spike in the MDR market between now and 2030, there is still much that is unknown about the day-to-day goings-on of this profession. For example, how do analysts conduct investigations? What skills are highly sought after? What technologies do they use? And how often do MDR teams share their findings or processes with the customer?
“I think there’s a real lack of transparency out there, which frankly demonstrates itself in terms of the language we use,” says Greg Rosenberg, Director of Sales Engineering at Sophos. “We need to be as transparent as possible with how we find malicious activity.
He says it’s natural that customers may feel closed out if they work with a provider that doesn’t value that working relationship. “If one of the reasons you're buying a service is because you've acknowledged you don't necessarily have the maturity or knowledge, then it becomes a really tricky scenario for buyers out there.”
MDR Analyst: A day in the life (what do they do?)
Entering the battle station:
It’s a scene you could find in just about any war movie. One guard finishes their sentry shift, and another one ‘clocks in’ to take their place. Keeping an eye out for enemy forces is a 24/7 job, after all.
That’s the same mindset MDR analysts have when they enter the office. They’re effectively stepping into a war room and need the latest intelligence.
“Generally, the first 30 minutes of our analysts’ shifts are spent getting up to speed with what happened during the previous shift and logging into their battle stations so they’re ready for the day,” says Bradshaw.
Working around the clock
Since Sophos staffs its MDR service to run 24/7/365 days a year, there’s significantly less room for an attacker to capitalize on vulnerable time windows — such as 3am on a weekend, or during a federal holiday. Most companies don’t have that privilege: IT teams clock out for the night, take vacations, and attend to personal matters that take them away from the office.
But MDR can’t afford to take breaks. Reviewing activity from the previous shift helps analysts understand context and prioritize what to tackle first.
Threat hunting investigations
Once the analyst is caught up on the situation, the real investigative work begins.
In this stage, says Bradshaw, you’ll see “investigations, detection tuning, threat hunting, live incidents, and things like that” begin to take shape.
MDR analysts are trained in threat hunting, which involves hypothesizing about potential attack methods and then proactively investigating whether an organization is susceptible to such methods. Hunters are looking for any evidence of adversary tactics, techniques, procedures, or other indicators of compromise that could indicate infiltration from bad actors.
But this process takes time, expertise, and serious planning to pull off successfully. Even lacking one of these elements can cripple an organization’s ability to make sense of their threat environment.
“The challenge here is the volume of alerts that need to be prioritized and investigated -- this is where having robust procedures in place around how security alerts should be triaged and investigated pays dividends,” says Mat Gangwer, VP of Managed Threat Response at Sophos. “The procedures and guidelines also help alleviate decision fatigue when an analyst is trying to decide in real-time what the severity of an alert is and whether they need to initiate response, as we always have time against us.”
Incident response
Indeed, as well as being trained in threat hunting to identify future threats, MDR analysts are also concerned with the here-and-now demands of live incident response.
“In the event an investigation is severe enough, such as identification of a hands-on adversary, or we have enough threat intelligence to indicate the activity could be leading to a larger attack, this is when our team steps into action and performs incident response, collaborating with our customers to ensure the identified threat is fully remediated,” says Gangwer.
This response process is fully mapped out, says Bradshaw, which removes any ambiguity about who is doing what and when they’re supposed to do it. He recalls a recent event his own team encountered that showcased rapid response.
“We had a recent case involving a relatively new third-party firewall vendor where a threat actor had gained access to our customer’s firewall interface and was able to make changes to their policy and create new admin accounts. These were used to pivot to the customer’s infrastructure, where the threat actors started to enumerate the domain and move laterally.
“We detected the lateral movement and domain enumeration, and immediately contacted the customer, who confirmed the activity was unexpected. We then began our incident response procedures. Working together, we contained the threat, allowing the customer to deploy a firewall patch very quickly. We also reviewed their firewall logs to confirm initial access and determined IOCs (indicators of compromise) for the customer to block at their network edge to prevent similar attacks in the future.”
Informing the customer
Beyond investigating and responding to incidents, an average day might see the MDR analyst sharing findings with customers.
“Our analysts interact with our customers all the time,” says Bradshaw. “Whether it’s a quick phone call to confirm suspicious activity or a full-blown Zoom session to handle an incident, it’s uber important that our analysts understand the value of providing excellent customer service.”
For that reason, his team keeps an eye out for recruits who can demonstrate excellent interpersonal skills and the ability to translate technical findings to what could sometimes be a non-technical audience.
“For skills and qualities, we obviously love the tech side. If you have some baseline certifications or education in Security+ or Network+, that’s an excellent start because it shows you’re interested in the field and are a bit analytical. But soft skills are a must: communicating and articulating what needs to be said at a critical time is beyond valuable.
“At the end of the day, we look for people who are genuinely passionate about cybersecurity. We can always train you on the hard and soft skills needed to be successful.”
To read more about MDR, check out these recent SC Media publications: