This topic provides answers to frequently asked questions about MDR.
- What is the difference between the Managed Security Service Provider (MSSP) and MDR?
-
An MSSP provides outsourced monitoring and management of security devices and systems. MSSP services include managed firewall, intrusion detection, virtual private network, vulnerability scanning, and antivirus services.
- What kind of communication can I expect?
-
The MDR team analyzes Carbon Black Analytics alerts of severity level 5 and higher from the Carbon Black Cloud Endpoint Standard product. Severity level 8 and higher alerts have an SLO of two hours; severity level 5-7 alerts are handled on a best-effort basis.
You receive notifications through email for alerts you can act on, typically due to potential threats. In addition, MDR Analyst comments are available in the alert notes of the Alert ID History pane on the Alerts page in the Carbon Black Cloud console. See MDR Platform Communications.
For any actionable alert, an analyst sends an email to the identified points of contact within your organization. In cases of major incidents, your CSM and sales team are also notified to ensure timely communication about the incident.
If MDR cannot reach you by email, the MDR team reaches out to your CSM and sales team.
MDR emails support two-way communication between your organization and the MDR team: reply to the initial alert email to start the conversation.
- When does the MDR team contact me about a specific alert?
- MDR only notifies you about alerts that are identified as malicious or actionable. To prevent alert fatigue, MDR does not notify you about an alert if the MDR team identifies the alert as a false positive.
- What are the criteria to quarantine or not quarantine devices after a threat has been investigated?
-
The decision to quarantine depends on the incident details. Quarantining is used as a last resort, only when policy rule modifications and hash bans are insufficient to contain the threat.
Potential reasons for quarantine are ransomware, attempted or suspected lateral movement, credential theft, or data exfiltration. MDR also takes the type of system into account. For example, MDR does not quarantine an Active Directory domain controller or other critical system whose isolation might take down the network or disrupt business operations.
If a system cannot be quarantined in any circumstance, or if you do not want MDR to quarantine certain systems, move those systems to their own policies and deselect the MDR quarantine check box in the policy. See MDR and MTH Recommended Policy Settings.
- Does MDR aid with remediation and recovery?
-
Carbon Black does not offer remediation or recovery. MDR provides identification and threat containment: hash banning, policy modification, and device quarantining.
- Can I put MDR on a subset of endpoints?
- You cannot choose which endpoints to put MDR on. MDR is automatically enabled for all systems in your environment that have the Carbon Black Cloud sensor installed.
- Which alerts are eligible for MDR review?
- The MDR Analyst team only reviews alerts in the "Open" Workflow state. You may not receive an MDR Determination if the alert is closed by you or an auto-closure rule before it is triaged by the MDR Analyst team.
- What kind of communication can I expect?
-
The MDR team analyzes eligible alerts and provides comments on alerts determined to be actionable (likely threats; see Carbon Black MDR Platform Product Comparison). MDR Analyst comments are available in the alert notes of the Alert ID History pane on the Alerts page in the Carbon Black Cloud console. You can configure email notifications for when an analyst adds comments to an alert (see MDR and MTH Analyst Email Notifications). A Carbon Black MDR analyst must initiate communication before you can reply. For more information, see MDR Platform Communications.
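As an added example that is not part of this documentation: the eligibility and SLO rules stated in this FAQ (severity 5 and higher in the "Open" workflow state is reviewed; severity 8 and higher carries a two-hour SLO, 5-7 is best effort) applied to a constructed alert export, so you can check which of your alerts were in scope and whether the first analyst note arrived within the SLO. The dictionary keys, the `first_analyst_note` field, and the sample records are assumptions for illustration, not Carbon Black Cloud API fields.

```python
from datetime import datetime, timedelta

# Thresholds from the FAQ: MDR reviews severity 5+ alerts in the "Open"
# workflow state; severity 8+ has a two-hour SLO, 5-7 is best effort.
MIN_SEVERITY = 5
SLO_SEVERITY = 8
SLO = timedelta(hours=2)


def classify(alert):
    """Return (eligible, slo_applies, slo_met) for one alert dict.

    Keys 'severity', 'workflow_state', 'created' and 'first_analyst_note'
    are assumed names for this example, not Carbon Black Cloud field names.
    slo_met is None when no SLO applies or no analyst note exists yet.
    """
    eligible = alert["severity"] >= MIN_SEVERITY and alert["workflow_state"] == "Open"
    slo_applies = eligible and alert["severity"] >= SLO_SEVERITY
    slo_met = None
    if slo_applies and alert.get("first_analyst_note") is not None:
        slo_met = alert["first_analyst_note"] - alert["created"] <= SLO
    return eligible, slo_applies, slo_met


def slo_report(alerts):
    """Summarise eligibility and SLO outcomes across an alert export."""
    report = {"eligible": 0, "slo_alerts": 0, "slo_met": 0, "slo_missed": 0, "slo_pending": 0}
    for alert in alerts:
        eligible, slo_applies, slo_met = classify(alert)
        report["eligible"] += int(eligible)
        if slo_applies:
            report["slo_alerts"] += 1
            if slo_met is None:
                report["slo_pending"] += 1   # still awaiting the first analyst note
            elif slo_met:
                report["slo_met"] += 1
            else:
                report["slo_missed"] += 1
    return report


# Constructed sample alerts (not real data): one creation time, varied outcomes.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_ALERTS = [
    {"id": "A1", "severity": 9, "workflow_state": "Open", "created": T0, "first_analyst_note": T0 + timedelta(minutes=45)},
    {"id": "A2", "severity": 8, "workflow_state": "Open", "created": T0, "first_analyst_note": T0 + timedelta(hours=3)},
    {"id": "A3", "severity": 6, "workflow_state": "Open", "created": T0, "first_analyst_note": None},
    {"id": "A4", "severity": 9, "workflow_state": "Closed", "created": T0, "first_analyst_note": None},
    {"id": "A5", "severity": 3, "workflow_state": "Open", "created": T0, "first_analyst_note": None},
    {"id": "A6", "severity": 8, "workflow_state": "Open", "created": T0, "first_analyst_note": None},
]

if __name__ == "__main__":
    print(slo_report(SAMPLE_ALERTS))
```

Alert A4 shows the closed-before-triage case from the FAQ: a high-severity alert that is not in the "Open" state is out of scope regardless of severity.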