LMNTRIX vs MSSP
The MSS model was conceived in the late 90’s and not much has changed since then in the way MSSP’s manage and monitor customer networks. During this same time period, the way attackers work to target, compromise, and exploit organizations has changed significantly – in favor of the adversary. LMNTRIX was borne as a necessity to help close the gap left in the market from the traditional MSSP model.
Gartner’s definition of Managed Detection and Response (MDR) services best characterises the business that LMNTRIX is in:
A focus on threat detection use cases, especially advanced or targeted attacks that have bypassed existing perimeter controls (e.g., next-generation firewalls [NGFWs], secure web gateways [SWGs], network intrusion detection systems [NIDSs], endpoint security). Compliance use cases are not a focus and commonly not addressed at all.
Delivery of services usually using a vendor-provided stack of network- and host-based controls (e.g., commercial, open source or provider-developed). These tools are not only positioned at the traditional internet gateways, but are also inward-facing to detect the threats not typically discovered by traditional perimeter security technologies.
These tools, where deployed, are managed and monitored by the provider to improve an organization's ability to detect threats. The types of tools and detection methods used by the providers vary in the use of logs, network flows and traffic, and endpoint activity. For example, some vendors rely solely on network security monitoring while others only on endpoint agents to generate logs or detect threats, and others rely solely on the logs generated by a customer's existing security tools.
Security event management and analysis technology that utilizes threat intelligence and advanced data analytics is commonly, but not exclusively, at the core of these services. It is fed events from the stack of vendor-supplied controls, customer log and event sources, or some combination of the three.
24/7 monitoring, analysis and customer alerting of security events with preliminary triage performed by a person (e.g., not relying just on automation to add some context to an event).
Incident validation and remote response services, such as hunting for additional hits on indicators of compromise (IOCs), reverse malware engineering, and consulting on containment and remediation are included in the service, without the need for an incident response (IR)-specific retainer or agreement. Retainers are reserved for onsite breach response services. Assistance with remediation actions in bringing the environment back to some form of "known good" is sometimes included or available as an additional service.
The following table provides details of the major differences between the approach an MSSP takes compared to the approach used by LMNTRIX:
|MSSP Approach||LMNTRIX Approach|
|Controls Coverage||Protect all information assets||Focus protection efforts on most important assets (‘crown jewels’)|
|Controls Focus||Preventive controls (AV, firewall)||Detective controls (monitoring, data analytics)|
|Perspective||Perimeter-based||Data-centric – includes network and cloud|
|Goal of Logging||Compliance reporting||Threat detection|
|Incident Handling||Piecemeal: find and neutralise malware or infected nodes||Big picture: find and dissect attack patterns using the kill chain|
|Threat Intelligence||Collect information on malware||Develop deep understanding of attackers’ current targets and modus operandi and the organisation’s key assets and IT environment|
|Success Defined By||No attackers get into the network||Attackers sometimes get in, but are detected as early as possible and impact is minimised|
|Global Intelligence||Relies on a single source||Relies on hundreds of sources of threat intelligence plus internal research|
|Detection Strategy||Uses SIEM and relies on the correlation and monitoring of logs from the client network||Does not use a SIEM nor collect any logs. Does not rely on clients existing security controls. Uses behavior analytics and data science modelling. Uses a validated architecture and deploys it’s own technology stack|
|Detection Capability||Offer basic detection and alerting services. It is the responsibility of the customer's security team to provide additional incident, analysis and associated response activities. Relies on clients security controls with limited detective tools.||Deploys its own technology stack – an extensive range of commercial, proprietary and open source tools. Delivers remote incident response together with network and endpoint hunting|
|Device Management||Manages client security controls (FW,IPS etc)||Does not manage any client security controls|
|Forensics Capability||Non or sometimes available at an additional cost||Full packet capture with attack reconstruction|
|Range of Services||Deliver a broad range of security device management and monitoring together with vulnerability management, product re-sale, integration, and professional services.||Exclusively focused on detecting and responding to previously undetected threats that have breached an organization's perimeter and are moving laterally through the IT environment|
|Advanced Capability||Non or sometimes available and offered at an additional cost||Incident validation (EDR), containment & remediation, threat hunting, malware reverse engineering, deceptions, deep and dark web monitoring, predictive intelligence, emulation, encrypted attack detection, behaviour analytics, machine learning, data science and statistical modelling are all included in the base capability|
|Team||Large team of tier 1 to tier 3 analysts, Security Engineers, SOC Managers, SDMs, Reporting Analysts, etc||Small team of senior intrusion analysts, threat hunters, incident responders, intelligence analysts and forensics/malware analysts|
|SLA||Offers SLA’s for threat detection and device management||Does not offer any detection or alerting SLA’s. Instead offers more in-depth analysis and actionable advice specific to the threat detected rather than being tied to a response metric|