What is Managed Detection and Response (MDR)?

MDR is a service provided by third-party vendors that combines skilled analysts, integrated tools, threat intelligence and technology from both the vendor and Acronis to monitor for potential security threats and breaches and to respond to them.

When MDR is enabled for a customer in the management portal, Acronis forwards incident telemetry to the MDR vendor, which investigates and responds to those incidents. Only incidents that were not automatically mitigated are forwarded to the MDR vendor.

Key components of MDR

MDR is composed of three main components:

Monitoring

MDR vendors monitor the security alerts and notifications detected on the customer's endpoints. The vendor correlates and prioritizes these alerts against known threat patterns, its own threat intelligence and third-party threat intelligence, using analytics and security orchestration and response tooling, and determines whether the alerts indicate a breach or compromise.

Any security event that the MDR vendor believes may pose a security threat is escalated into a customer-facing security incident and made available in the Cyber Protect console, together with the vendor's assessment of the threat's severity and the recommended remediation (including any action already taken).

Isolation

MDR vendor analysts use predefined playbooks to initiate endpoint isolation. Any response action taken by the MDR vendor is recorded in the relevant security incident. The decision to isolate an endpoint is based on data from the endpoint itself, with further input from threat intelligence and threat research.

Response and remediation

Response and remediation activities begin after the initial monitoring and isolation activities are completed. Once a security incident is detected, the MDR vendor initiates the response appropriate to that incident. Response and remediation activities include:

  • Guidance on how to mitigate, stop or prevent a security incident, based on the data, intelligence and advisories provided.
  • Analysis and investigation of security events to determine the root cause and extent of the compromise.
  • Performing approved workflows (as defined in the MDR vendor's response playbooks) to isolate workloads, quarantine threats or fully remediate the threat.
  • Providing the service provider with a more detailed security escalation that cites the customer-facing security incident, threat intelligence and advisories.
  • Escalating incidents through several channels, including creating a security incident, email notifications and phone calls, using the contact details provided by the customer.
  • Maintaining a line of communication with the customer until the threat has been remediated, with timely updates as new information arises.
  • Where response actions fall outside the scope of the MDR service, the MDR vendor recommends where to focus. This may include recommending additional services, such as incident response.
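The three components above form one pipeline: filter out what was already mitigated, correlate and enrich the remaining alerts, and turn anything that looks like a compromise into a customer-facing incident with a severity and a playbook-driven recommendation. The following Python script is an added illustration of that flow written for this page; it is not Acronis or MDR vendor code, and the alert fields, threat-intelligence entries, scoring weights, severity thresholds and playbook rules are all constructed assumptions.

```python
"""Illustrative MDR triage pipeline (added example, not Acronis or vendor code).

Steps modelled from the page:
  1. only alerts that were not auto-mitigated are forwarded,
  2. forwarded alerts are correlated per endpoint and enriched with threat intelligence,
  3. endpoints judged to be compromised become a customer-facing incident with a
     severity and a recommended action, including isolation when a playbook rule matches.
Field names, intel entries, weights and thresholds are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed threat intelligence feed (assumed): indicator -> (threat name, base score).
THREAT_INTEL = {
    "203.0.113.45": ("known-c2", 70),
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": ("ransomware-dropper", 90),
}

# Assumed severity bands, checked from highest to lowest.
SEVERITY_BANDS = [(90, "critical"), (60, "high"), (30, "medium"), (0, "low")]


@dataclass
class Alert:
    endpoint: str
    rule: str
    indicators: list          # IPs, hashes, etc. observed by the endpoint agent
    auto_mitigated: bool = False


@dataclass
class Incident:
    endpoint: str
    severity: str
    score: int
    matched_threats: list
    recommended_action: str
    alerts: list = field(default_factory=list)


def forwardable(alerts):
    """Step 1: drop alerts that were already mitigated automatically; nothing to investigate."""
    return [a for a in alerts if not a.auto_mitigated]


def enrich(alert):
    """Step 2a: look each indicator up in the (constructed) threat intel feed."""
    return [THREAT_INTEL[i] for i in alert.indicators if i in THREAT_INTEL]


def score_endpoint(alerts):
    """Step 2b: correlate alerts for one endpoint. Sum intel scores and add a bonus
    per additional distinct rule, so several weak alerts on one host outrank one."""
    score, threats = 0, []
    for a in alerts:
        for name, base in enrich(a):
            score += base
            threats.append(name)
    score += 10 * (len({a.rule for a in alerts}) - 1)
    return min(score, 100), sorted(set(threats))


def severity(score):
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return label
    return "low"


def playbook(score, threats):
    """Step 3: assumed isolation playbook. Isolate on a critical score or any ransomware indicator."""
    if score >= 90 or any("ransomware" in t for t in threats):
        return "isolate endpoint, quarantine matched files, escalate by phone"
    if score >= 60:
        return "quarantine matched files, notify customer by email"
    return "monitor; no customer-facing incident"


def triage(alerts, escalate_at=30):
    """Run the pipeline; return customer-facing incidents keyed by endpoint."""
    by_host = defaultdict(list)
    for a in forwardable(alerts):
        by_host[a.endpoint].append(a)
    incidents = {}
    for host, host_alerts in by_host.items():
        score, threats = score_endpoint(host_alerts)
        if score < escalate_at:          # below the escalation bar: keep monitoring only
            continue
        incidents[host] = Incident(host, severity(score), score, threats,
                                   playbook(score, threats), host_alerts)
    return incidents


# Constructed sample telemetry (not real customer data).
SAMPLE_ALERTS = [
    Alert("ws-01", "suspicious-powershell", ["203.0.113.45"]),
    Alert("ws-01", "new-scheduled-task", []),
    Alert("ws-02", "malware-detected", [list(THREAT_INTEL)[1]], auto_mitigated=True),
    Alert("ws-03", "outbound-connection", ["198.51.100.7"]),
    Alert("ws-04", "file-written", [list(THREAT_INTEL)[1]]),
]

if __name__ == "__main__":
    for host, inc in triage(SAMPLE_ALERTS).items():
        print(f"{host}: {inc.severity} ({inc.score}) {inc.matched_threats} -> {inc.recommended_action}")
```

On the constructed sample, ws-02 never reaches the vendor because it was auto-mitigated, ws-03 stays below the escalation bar, ws-01 becomes a high-severity incident from two correlated alerts and one C2 indicator, and ws-04 becomes a critical incident whose playbook rule recommends isolation.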