Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Effective Cybersecurity Incident Response: What to Expect from Your MDR Provider

Companies engage with a managed detection and response (MDR) provider to help ensure they detect cyber threats before they do any damage. The "response" part of the MDR moniker is key to that effort, making it vital to determine up front exactly what your chosen provider will do when it detects a threat in your environment.

Poll a few MDR providers, and you will quickly find their definitions of response vary. The response may mean isolating a user whose machine is infected and restricting or blocking certain networks or IP addresses. Depending on the severity of the threat, a response could mean launching a forensic investigation or engaging a Digital Forensics and Incident Response (DFIR) team to investigate and contain the threat. You may also be surprised to find that some MDR providers do not take any responses at all.

It all depends on the MDR provider’s capabilities, including any related services the provider offers. Gaining a full understanding of those capabilities is essential to avoid a situation where your MDR provider identifies a serious threat but leaves it up to you to eradicate it or scrambles to patch together a solution.


Little r vs. big R in Cybersecurity Response

When it comes to response, there's a notion in cybersecurity of little "r" vs. big "R." Understanding the difference and asking the right questions can help determine what kind of response to expect from a given MDR provider.

Little r refers to the steps a provider can take to contain a threat immediately. That could mean changing the configuration of a firewall to block a specific port or writing a rule on an intrusion prevention system. It could also mean using an endpoint detection and response (EDR) tool to isolate a device that’s under attack to prevent the threat from spreading.

The exact response an MDR provider can take will depend on policies set up beforehand that dictate the provider’s level of access to the environment. Trustwave, for example, uses a risk-based response protocol that uses traffic light colors for every asset it manages. Clients agree that Trustwave can immediately act on devices the client deems low-risk (green), alert the client before acting on medium-risk devices (orange), and alert with recommendations but take no action on high-risk devices (red).


Big R: Digital Forensics and Response

The big R response involves services that are typically outside the realm of MDR but that you may require in response to a confirmed breach.

If a threat results in a security breach, you may need a formal incident response or forensic investigation. Such a response typically involves a digital forensics and incident response (DFIR) team staffed with specialists.

As the name implies, a DFIR team conducts forensic investigations to determine the source and extent of the breach so you can eradicate it.

A DFIR engagement may also include collecting evidence and maintaining chain of custody documentation. Such documentation can be crucial if the incident eventually involves litigation or a criminal case.

Some MDR providers, like Trustwave, have in-house DFIR teams. In such cases, they can be deployed immediately upon learning of a breach—typically within 15 minutes in Trustwave's case. Depending on your business, it may also be important to ask about the geographic reach of a DFIR team. While DFIR teams can conduct many engagements remotely, some require boots on the ground, meaning your provider needs to have a presence in any region where you have offices.

MDR providers that do not have DFIR in-house may partner with a third-party provider. In such cases, ask the provider what kind of response time to expect. Anything more than an hour is probably not palatable. Ask, too, about how the DFIR provider will be onboarded in an emergency situation and provided with access to data about your environment and its configuration. If the provider starts from ground zero, investigators will need to spend valuable time getting up to speed.


Trustwave Complements MDR with DFIR

For Trustwave MDR clients with Trustwave’s in-house DFIR services, the Trustwave DFIR team will have immediate, real-time access to the latest information on an active investigation of a confirmed breach. Upon suspicion of a breach, Trustwave DFIR immediately engages with the MDR team to begin the forensic investigation process. No valuable time is lost before starting remediation actions.

Such complementary services help set Trustwave MDR apart from the competition and ensure you get a proper response when needed, whether it's little r, big R, or both. To learn more, visit the Trustwave MDR webpage, download the 2023 Gartner Market Guide for Managed Detection and Response Services, or read about Trustwave’s inclusion in the 2023 Gartner Market Guide for Digital Forensics and Incident Response Services.

Latest Trustwave Blogs

Using Trustwave DbProtect and Offensive Security Solutions to Protect Against Nation-State Cyber Threats

The US Director of National Intelligence (DNI) earlier this month gave a stark warning to the Senate Armed Services Committee detailing the cyberthreats arrayed against the US and the world from...

Read More

Defending the Energy Sector Against Cyber Threats: Insights from Trustwave SpiderLabs

It has always been clear, even before the Colonial Pipeline attack, that the energy sector is a prime target for not only criminal threat groups, but also nation-state actors. After all, halting fuel...

Read More

Trustwave SpiderLabs Unveils the 2024 Public Sector Threat Landscape Report

Trustwave SpiderLabs’ latest report, the 2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies details the security issues facing public sector...

Read More