
Managed Detection and Response (MDR) is a 24/7/365 service from Trend Micro that continuously monitors and analyzes activity data from the Trend Micro solutions in your environment. It alerts customers to high-risk threats and attacks against their organization and provides recommended actions based on investigations by qualified cybersecurity experts located around the world.

The following products are covered by the service:

  • Endpoint: Trend Micro Apex One™ SaaS
  • Endpoint: Apex Central + Trend Micro Apex One™ + Trend Micro™ Endpoint Sensor
  • Server/Workloads: Cloud One Workload Security & Trend Micro™ Deep Security™
  • Messaging: Trend Micro™ Cloud App Security
  • Messaging: Cloud App Security with Email Security
  • Network: Trend Micro™ Deep Discovery™ Inspector

Each service is available independently, i.e. customers can purchase MDR-Network without MDR-Endpoint.

The following are available subscriptions for MDR:

  • Managed Detection and Response for Users, Servers / Workload Security including Messaging
  • Managed Detection and Response for Networks

MDR for Users, Servers & Workload Security includes Messaging. This means you should NOT count the number of mailboxes a customer has, as Messaging is already covered. Customers still need to hold the XDR licenses for Messaging, however.

No, this is NOT a valid option. You need to select either MDR or Service One. Service One Complete and Essentials already have the MDR service included.

The data centers for MDR customers are located in Germany, USA, Japan, India, Singapore, and Australia.

The SOCs are spread across the globe, specifically in Dallas, Cork, Manila and Singapore. All of these cater to our global MDR customers.

The MDR platform is currently ISO27001 certified, and we are in the process of obtaining SOC2 certification.

Today we do not provide a Service Level Agreement (SLA), only Service Level Objectives (SLO). This is in line with our competitors: MSSPs normally offer SLAs, whereas MDR providers currently do not.

No, the MDR service does not include any IR services, either onsite or remote. Investigations in scope are limited to data provided by the In-Scope/MDR-licensed products.

We do not publicly disclose this information. The MDR operations team is properly staffed to meet the commitments made in the Service Descriptions, and MDR Operations uses technology to make analysts more efficient. Analysts are not dedicated to specific accounts; they are pooled and process alerts by priority/severity while ensuring SLOs are maintained across all customers.

On-boarding is limited to linking the licensed products to the MDR service platform and confirming configuration/functionality. It is NOT a replacement for deployment services. If a customer has not deployed the products, MDR on-boarding will not be scheduled until the product is deployed.

The MDR team follows the SANS incident response framework, which is loosely based on NIST SP 800-61. The difference is that:

  • the NIST framework has a wider domain of operation, whereas the SANS framework focuses primarily on security.

The difference is largely negligible for business owners, but as a process it matters: the NIST framework combines "Containment, Eradication and Recovery" into one phase, while the SANS framework breaks them into separate steps.

MDR adopts the SANS framework because the Containment, Eradication and Recovery steps can be executed differently depending on the use case in today's security incidents.

Yes, we are looking at adding more Trend Micro products in the future, however, nothing is confirmed yet. Rest assured, however, that any additional products will be properly documented in the service descriptions. You may also reach out to your account representative.

Yes, as it is already included in Apex One.

No, everything is executed under the context of the Trend Micro product, like Apex One Client, Deep Security Agent, or the Trend Vision One Endpoint Sensor Agent.

Logs being ingested by MDR Operations vary per product. The list below should give more clarity.

Trend Micro Apex One

  • Process Activity events, generated by Endpoint Sensor (iES), including specific Windows Event logs (Scheduled Tasks and Windows Security Audit)
  • Behavioral Monitoring
  • Malware Detection, including both pattern/signature and Machine Learning events (TrendX)
  • Web Reputation
  • Intrusion Prevention logs, generated by iVP

Cloud App Security

  • Security Risk Events, flagged by Cloud App Security
  • Intelligent Alerts, that are specific to Cloud App Security
  • DLP Violation Events, but not including Data Discovery.
    • Note that even though we receive DLP-related logs, MDR does not process them.

Deep Discovery Inspector

  • Security Risks, evaluated by Deep Discovery Inspector (depending on the enabled rules), including Suspicious Behavior (flagged by Network Correlation Pattern)
  • Malware Threat Detection
  • Web Threat Detection
  • Note that even though we receive the following log sets, MDR does not process them:
    • Disruptive Applications
    • User-Defined Suspicious Objects

Deep Security

  • Malware Threat Detection
  • Deep Packet Inspection
  • Web Reputation
  • Behavior Monitoring
  • For the following two log sets, it is entirely dependent on the rules enabled on the product:
    • Log Inspection
    • Integrity Monitoring

The MDR operations team consists entirely of Trend Micro employees (no outsourcing) with various levels of expertise, including, but not limited to, many years of threat investigation and malware reverse engineering. The team also holds a variety of Windows/Linux/VMware certifications, as well as SANS Institute certifications including, but not limited to, GCIH, GPEN, GCFA, GCTI and GMON.