LMNTRIX® VS MSSP

The MSS model was conceived in the late 90’s and not much has changed since then in the way MSSP’s manage and monitor customer networks. During this same time period, the way attackers work to target, compromise, and exploit organizations has changed significantly – in favor of the adversary. LMNTRIX was borne as a necessity to help close the gap left in the market from the traditional MSSP model.

Gartner’s definition of Managed Detection and Response (MDR) services best characterises the business that LMNTRIX is in:

A focus on threat detection use cases, especially advanced or targeted attacks that have bypassed existing perimeter controls (e.g., next-generation firewalls [NGFWs], secure web gateways [SWGs], network intrusion detection systems [NIDSs], endpoint security). Compliance use cases are not a focus and commonly not addressed at all.

Delivery of services usually using a vendor-provided stack of network- and host-based controls (e.g., commercial, open source or provider-developed). These tools are not only positioned at the traditional internet gateways, but are also inward-facing to detect the threats not typically discovered by traditional perimeter security technologies.

These tools, where deployed, are managed and monitored by the provider to improve an organization’s ability to detect threats. The types of tools and detection methods used by the providers vary in the use of logs, network flows and traffic, and endpoint activity. For example, some vendors rely solely on network security monitoring while others only on endpoint agents to generate logs or detect threats, and others rely solely on the logs generated by a customer’s existing security tools.

Security event management and analysis technology that utilizes threat intelligence and advanced data analytics is commonly, but not exclusively, at the core of these services. It is fed events from the stack of vendor-supplied controls, customer log and event sources, or some combination of the three.

24/7 monitoring, analysis and customer alerting of security events with preliminary triage performed by a person (e.g., not relying just on automation to add some context to an event).

Incident validation and remote response services, such as hunting for additional hits on indicators of compromise (IOCs), reverse malware engineering, and consulting on containment and remediation are included in the service, without the need for an incident response (IR)-specific retainer or agreement. Retainers are reserved for onsite breach response services. Assistance with remediation actions in bringing the environment back to some form of “known good” is sometimes included or available as an additional service.

The following table provides details of the major differences between the approach an MSSP takes compared to the approach used by LMNTRIX:

MSSP Approach

LMNTRIX Approach

Controls Coverage

Protect all information assets

Focus protection efforts on most important assets (‘crown jewels’)

Controls Focus

Preventive controls (AV, firewall)

Detective controls (monitoring, data analytics)

Perspective

Perimeter-based

Data-centric – includes network and cloud

Goal of Logging

Compliance reporting

Threat detection

Incident Handling

Piecemeal: find and neutralise malware or infected nodes

Big picture: find and dissect attack patterns using the kill chain

Threat Intelligence

Collect information on malware

Develop deep understanding of attackers’ current targets and modus operandi and the organisation’s key assets and IT environment

Incident Response

Reactive

Proactive

Success Defined By

No attackers get into the network

Attackers sometimes get in, but are detected as early as possible and impact is minimised

Global Intelligence

Relies on a single source

Relies on hundreds of sources of threat intelligence plus internal research

Detection Strategy

Uses SIEM and relies on the correlation and monitoring of logs from the client network

Does not use a SIEM nor collect any logs. Does not rely on clients existing security controls. Uses behavior analytics and data science modelling. Uses a validated architecture and deploys it’s own technology stack

Detection Capability

Offer basic detection and alerting services. It is the responsibility of the customer's security team to provide additional incident, analysis and associated response activities. Relies on clients security controls with limited detective tools.

Deploys its own technology stack – an extensive range of commercial, proprietary and open source tools. Delivers remote incident response together with network and endpoint hunting

Device Management

Manages client security controls (FW,IPS etc)

Does not manage any client security controls

Forensics Capability

Non or sometimes available at an additional cost

Full packet capture with attack reconstruction

Range of Services

Deliver a broad range of security device management and monitoring together with vulnerability management, product re-sale, integration, and professional services.

Exclusively focused on detecting and responding to previously undetected threats that have breached an organization's perimeter and are moving laterally through the IT environment

Advanced Capability

Non or sometimes available and offered at an additional cost

Incident validation (EDR), containment & remediation, threat hunting, malware reverse engineering, deceptions, deep and dark web monitoring, predictive intelligence, emulation, encrypted attack detection, behaviour analytics, machine learning, data science and statistical modelling are all included in the base capability

Team

Large team of tier 1 to tier 3 analysts, Security Engineers, SOC Managers, SDMs, Reporting Analysts, etc

Small team of senior intrusion analysts, threat hunters, incident responders, intelligence analysts and forensics/malware analysts

SLA

Offers SLA’s for threat detection and device management

Does not offer any detection or alerting SLA’s. Instead offers more in-depth analysis and actionable advice specific to the threat detected rather than being tied to a response metric

Download our datasheet

download now