Sophos Managed Detection and Response (MDR) is a fully managed, 24/7 service delivered by security experts who detect and respond to cyberattacks targeting computers, servers, networks, cloud workloads, email accounts, and more.
Get a behind-the-scenes look at a typical day for Sophos MDR Analyst and Team Lead, Anthony Bradshaw. He’ll share the daily activities of a security analyst, highlight a recent example of threat detection and remediation for an MDR customer, and more.
Sophos: Before we begin, how would you define MDR?
Bradshaw: MDR is the industry acronym for “managed detection and response,” but it’s so much more than that. It’s threat intelligence, threat hunting, threat research, detection engineering, incident response, and so on. It’s a complete package for protecting critical systems with the ability to have highly technical analysts responding to adversaries at the drop of a hat.
At a high level, organizations realize it’s challenging and expensive to staff up an entire cybersecurity unit on top of all the other things that come with managing technology assets, so working with a team like ours reduces the complexity of managing cybersecurity infrastructure, not to mention the costs for all the internal tools needed to provide security across an organization.
Sophos: What are the responsibilities of an MDR analyst, and what skills and qualities do you typically look for when staffing up?
Bradshaw: Our MDR analysts typically have three primary responsibilities: investigating incidents, responding to incidents, and providing customer service. Investigating and responding are obvious ones, but customer service is one I’d like to touch on.
Our analysts interact with our customers all the time. Whether it’s a quick phone call to confirm suspicious activity or a full-blown Zoom session to handle an incident, it’s uber important that our analysts understand the value of providing excellent customer service.
For skills and qualities, we obviously love the tech side. If you have some baseline certifications or education in Security+ or Network+, that’s an excellent start because it shows you’re interested in the field and are a bit analytical. But soft skills are a must: communicating and articulating what needs to be said at a critical time is beyond valuable.
We also look for experience from all backgrounds. We have former teachers, military veterans, and more that make up our really diverse teams. At the end of the day, we look for people who are genuinely passionate about cybersecurity. We can always train you on the hard and soft skills needed to be successful.
Sophos: What tools and technologies does an MDR analyst rely on to get the job done?
Bradshaw: Sophos analysts rely on a variety of proprietary and open-source tools to conduct investigations and handle threat hunting.
We have a proprietary platform where our analysts spend most of their time, and we also use Sophos Central – our cloud-based product management console – for a good bulk of our investigative analysis.
We can ingest data from our own products and from third-party products, which is automatically consolidated, correlated, and prioritized to accelerate threat detection, investigation, and response so we can deliver better cybersecurity results.
The MDR team monitors that enhanced data and responds when we get alerts about anything unusual, like an odd email identity, firewall penetration, or detecting a Microsoft event with MS Graph API. We pair those two platforms with standard open-source tools for investigating IPs, domains, files, and the like.
Sophos: What does a typical day look like for someone on your team?
Bradshaw: Generally, the first 30 minutes of our analysts’ shifts are spent getting up to speed with what happened during the previous shift and logging into their battle stations so they’re ready for the day. After that, they begin to work on investigations, detection tuning, threat hunting, live incidents, and things like that.
We had a recent case involving a relatively new third-party firewall vendor where a threat actor had gained access to our customer’s firewall interface and was able to make changes to their policy and create new admin accounts. These were used to pivot to the customer’s infrastructure, where the threat actors started to enumerate the domain and move laterally.
We detected the lateral movement and domain enumeration, and immediately contacted the customer, who confirmed the activity was unexpected. We then began our incident response procedures.
Working together, we contained the threat, allowing the customer to deploy a firewall patch very quickly. We also reviewed their firewall logs to confirm initial access and determined IOCs (indicators of compromise) for the customer to block at their network edge to prevent similar attacks in the future.
So that’s what a typical day might look like. We also give our analysts frequent development and growth days, which allow them to work on projects, research, and even the next certification they want to obtain. Sophos offers a wide range of certification programs — not just for our team, but for customers and partners as well.