Threatdown Endpoint Detection and Response (EDR), powered by Malwarebytes, offers continuous protection for your endpoints against all types of threats; Managed Detection and Response takes this protection further by providing high-precision responses to threats. By reducing the dwell time of critical threats and providing a faster Mean-Time-To-Resolution (MTTR), EDR continues to provide businesses with measures to save costs, reduce downtime, and increase the overall effectiveness of threat hunting.

This article applies to Endpoint Detection and Response customers with the MDR add-on.

 

Features of Managed Detection and Response

  • 24x7x365 Security Monitoring uses Endpoint Detection and Response (EDR) technology and human expertise to monitor endpoint activity for suspicious events.
  • Advanced threat detection utilizing sophisticated tools and techniques like threat intelligence and behavioral analysis to identify and stop even the most novel threats
  • Threat detection and analysis by trained security professionals to determine any detected threat's severity and potential impact.
  • Threat hunting, where security analysts actively search for hidden threats within the network.
  • Flexible remediation options ensure that the MDR team can actively remediate threats as they are discovered or provide highly actionable guidance for IT teams to follow in their remediation efforts.

First steps

Once the service is activated in your account, TeamViewer will confirm via a pop-up. Select the Setup MDR button to proceed to the initial setup.

Set up the primary, backup, and alternate contacts on the next screen. Select the primary contact drop-down menu and select the desired member of your company profile. If not automatically entered, insert this contact's primary phone number.

Note: Only the primary contact is required. Backup and alternate contacts can be added if needed.

In the Remediation authorization section, select whether you prefer ThreatDown managed or Guided remediation for any threats encountered:

 

  • If ThreatDown managed is selected, the threats will be remediated automatically without reboots, re-imaging, or other tasks.
  • If Guided remediation is selected, you will be guided through steps to remediate potential threats, including the need for other potential tasks such as reboots.

In the final section, Isolation authorization, choose whether or not you authorize endpoints to be isolated on your behalf when a security response is required. This authorizes both workstations and servers.

Once completed, click Save in the upper right corner of the screen. A pop-up notification indicates that Managed Detection and Response has been activated successfully.

Note: EDR must be activated prior to attempting activation of Managed Detection and Response. If you try to activate the MDR add-on before activating Endpoint Detection & Response, an error message is displayed.

How to access the MDR Portal

The Managed Detection and Response (MDR) Portal manages all aspects of the service. It can be accessed by selecting the Nebula button, which can be found in settings or the detections tab. Once in Nebula, select MDR Portal in the upper right corner.

Discover the MDR Portal

The MDR Portal is where all threats detected by MDR can be seen. This includes threats that require no user action and those that do (indicated with a TR to the right of the threat).

If you are required to perform an additional action—for example, reboot the device—you can access the case wall. The filters below allow you to see only messages, find out what needs to be done, and reply.

 

Note: Any reply must start with @analyst.

To navigate to the other sections of the MDR Portal, use the menu in the upper left corner.

Dashboard

The dashboard contains a quick overview of all devices and threats, including an overview of reports ranging from one month to more. This also provides a status of all cases, alerts, and incidents in the Environment Summary

Your workbook

Your workbook is a simple overview of all cases where your assistance is required for additional actions. Additionally, the reports provided previously regarding all threats are shown here.

Requests

Requests allow users to speak directly with the MDR team assessing their devices. This can be used to ask general questions or inquire about cases that have already been closed.

How to set up Managed Detection and Response to optimize the protection of your endpoints

Managed Detection and Response require specific settings from EDR to operate successfully. These settings are found in the Endpoint Protection policy settings. To access this, navigate to the Admin Settings and select Policies under Device Management. If you already have a policy created, you can edit this one; otherwise, you can create a new policy by selecting Endpoint Protection from the policy drop-down. Please ensure the following settings are active under the appropriate OS:

  1. Suspicious activity monitoring
  2. Server operating system monitoring
  3. Lock endpoint when isolated
  4. Ransomware rollback

5. Suspicious activity monitoring

6. Lock endpoint when isolated

How to optimize threat scans

Scans of endpoints for potential threats are an integral aspect of the security setup. We recommend at least two kinds of scans:

Select Daily from the Schedule drop-down in General. Under Windows, select Threat Scan from the Method drop-down.

 

Select Weekly from the Schedule drop-down. Set the Method to Custom Scan, and turn on Scan for rootkits.

How to ensure efficient notifications

Setting up all necessary notifications is important to ensure you and your team stay alert of potential threats. The following information pertains to notifications specifically for Managed Detection and Response.

Note: Notifications are managed in ThreatDown's Nebula console.

When creating a new notification, select Managed services activity.  

It is recommended that some conditions be added regarding when notifications are sent. This ensures that your admins don't become overburdened with messages that don't require their attention.

Select each field option below to see its available values:

is equal to

  • All
  • Case created
  • Case updated
  • Case closed

is equal to

  • All
  • Critical
  • High
  • Medium
  • Low

is equal to

  • True
  • False

In the next section, select how the notifications should be sent. In addition to email, you can select to be notified via Slack/Microsoft Teams, Webhook, or the ThreatDown Admin app.

In the final step, aggregation can be activated, reducing the notifications received and allowing for more focus. This consolidates multiple alerts into single notifications based on the interval and grouping option you select, along with previously chosen activity types, conditions, and delivery methods.

Select Complete in the bottom right corner to save the new notification.