TeamViewer Endpoint Protection offers continuous protection for your endpoints against all types of threats; Managed Detection and Response takes this protection further by providing high-precision responses to threats. By reducing the dwell time of critical threats and providing a faster Mean-Time-To-Resolution (MTTR), TeamViewer Endpoint Protection continues to provide businesses with measures to save costs, reduce downtime, and increase the overall effectiveness of threat hunting.
This article applies to TeamViewer Endpoint Protection customers with the MDR add-on.
Features of Managed Detection and Response
- 24x7x365 Security Monitoring uses Endpoint Detection and Response (EDR) technology and human expertise to monitor endpoint activity for suspicious events.
- Advanced threat detection utilizing sophisticated tools and techniques like threat intelligence and behavioral analysis to identify and stop even the most novel threats
- Threat detection and analysis by trained security professionals to determine any detected threat's severity and potential impact.
- Threat hunting, where security analysts actively search for hidden threats within the network.
- Flexible remediation options ensure that the MDR team can actively remediate threats as they are discovered or provide highly actionable guidance for IT teams to follow in their remediation efforts.
First steps
TeamViewer will confirm via a pop-up once the service is activated in your account. Select the Setup MDR button to proceed to the initial setup.
Set up the primary, backup, and alternate contacts on the next screen. Select the primary contact drop-down menu and select the desired member of your company profile. If not automatically entered, insert this contact's primary phone number.
In the Remediation authorization section, select whether you prefer ThreatDown managed or Guided remediation for any threats encountered:
- If ThreatDown managed is selected, the threats will be remediated automatically without reboots, re-imaging, or other tasks.
- If Guided remediation is selected, you will be guided through steps to remediate potential threats, including the need for other potential tasks such as reboots.
In the final section, Isolation authorization, choose whether or not you authorize endpoints to be isolated on your behalf when a security response is required. This authorizes both workstations and servers.
Once completed, click Save in the upper right corner of the screen. A pop-up notification indicates that Managed Detection and Response has been activated successfully.
How to access the MDR Portal
The Managed Detection and Response (MDR) Portal manages all aspects of the service. It can be accessed by selecting the Nebula button, which can be found in settings or the detections tab. Once in Nebula, select MDR Portal in the upper right corner.
Discover the MDR Portal
The MDR Portal is where all threats detected by MDR can be seen. This includes threats that require no user action and those that do (indicated with a TR to the right of the threat).
If you are required to perform an additional action—for example, reboot the device—you can access the case wall. The filters below allow you to see only messages, find out what needs to be done, and reply.
To navigate to the other sections of the MDR Portal, use the menu in the upper left corner.
Dashboard
The dashboard contains a quick overview of all devices and threats, including an overview of reports ranging from one month to more. This also provides a status of all cases, alerts, and incidents in the Environment Summary
Your workbook
Your workbook is a simple overview of all cases where your assistance is required for additional actions. Additionally, the reports provided previously regarding all threats are shown here.
Requests
Requests allow users to speak directly with the MDR team assessing their devices. This can be used to ask general questions or inquire about cases that have already been closed.
How to set up Managed Detection and Response to optimize the protection of your endpoints
Managed Detection and Response require specific settings from EDR to operate successfully. These settings are found in the Endpoint Protection policy settings. To access this, navigate to the Admin Settings and select Policies under Device Management. If you already have a policy created, you can edit this one; otherwise, you can create a new policy by selecting Endpoint Protection from the policy drop-down. Please ensure the following settings are active under the appropriate OS:
- Windows
- macOS
- Suspicious activity monitoring
- Server operating system monitoring
- Lock endpoint when isolated
- Ransomware rollback
5. Suspicious activity monitoring
6. Lock endpoint when isolated
How to optimize threat scans
Scans of endpoints for potential threats are an integral aspect of the security setup. We recommend at least two kinds of scans:
- Daily Scan
- Weekly Scan
Select Daily from the Schedule drop-down in General. Under Windows, select Threat Scan from the Method drop-down.
Select Weekly from the Schedule drop-down. Set the Method to Custom Scan, and turn on Scan for rootkits.
How to ensure efficient notifications
Setting up all necessary notifications is important to ensure you and your team stay alert of potential threats. The following information pertains to notifications specifically for Managed Detection and Response.
When creating a new notification, select Managed services activity.
It is recommended that some conditions be added regarding when notifications are sent. This ensures that your admins don't become overburdened with messages that don't require their attention.
Select each field option below to see its available values:
- Event type
- Priority
- Action required
is equal to
- All
- Case created
- Case updated
- Case closed
is equal to
- All
- Critical
- High
- Medium
- Low
is equal to
- True
- False
In the next section, select how the notifications should be sent. In addition to email, you can select to be notified via Slack/Microsoft Teams, Webhook, or the ThreatDown Admin app.
In the final step, aggregation can be activated, reducing the notifications received and allowing for more focus. This consolidates multiple alerts into single notifications based on the interval and grouping option you select, along with previously chosen activity types, conditions, and delivery methods.
Select Complete in the bottom right corner to save the new notification.