Tim MalcomVetter, Co-Founder / CEO

This is part of a blog series tackling common problems in traditional MDR and outsourced/Managed SOC Service Providers (MSSPs).

My MDR Doesn’t… Know my Technical Users!

Imagine if your SOC, whether outsourced or internal, treated all users the same. How many mistakes in case verdicts would they make if they didn’t take into consideration the skillset & job responsibilities of the user involved in a detection? That’s, unfortunately, how most high-paced MDRs and MSSPs work. The pressure of alerts in the queue prevents them from spending the time on each case to properly determine who the person is and what should be expected of them.

For example, the picture changes dramatically between a suspicious PowerShell command executing on the laptop of a sales representative and the same command executing on the laptop of a systems engineer.

In the former (the sales rep), it is almost guaranteed that the user doesn't know what PowerShell is, let alone whether they intended to execute it. In those situations, the primary goal is to determine whether an administrator pushed the command or script to run under the sales representative's security context (for example via a management agent or a logon script). If that cannot be determined, the best option is usually to jump straight to containment.

Now flip over to a technical user. This same indicator could be them simply doing their job, exploring their options for a project or a support scenario, which is totally benign.

#How Wirespeed is Different

Wirespeed prioritizes integrations with your user directories, such as Microsoft Entra ID (formerly Azure Active Directory) and Google Workspace. In this screenshot of an example tenant, there is both an integration to Google Workspace and an integration to Microsoft 365 (Entra), so multiple directories are present. Wirespeed can handle multiple directory types and instances simultaneously for a blended experience, which is ideal for M&A scenarios where the infrastructure is not yet integrated, or for complex organizations, such as higher education, where it is common for each department to run its own directory.

[Screenshot: Wirespeed Integrations] We integrate with your Microsoft 365 and Google Workspace directories.

Second, once the integration is in place, our built-in automation rules will locate users in the following three categories:

  1. Administrators (i.e. members of built-in roles with known administrative access)
  2. VIPs
  3. Technical Users

[Screenshot: Discovered Technical User List] We use our rules to automatically locate your VIPs and Technical Users.

You can also manually identify specific users and mark them as Technical Users, or add your own automation rules to identify them. Our QA team periodically reviews our matching rules to look for improvements, because we take the approach that you’re likely too busy to keep up. That’s ok with us!

[Screenshot: Discovered Technical User List] Learning the people is central to how Wirespeed works.

Third, because your organization changes over time, our matching rules track directory changes in near real time, so a new hire, a role change, or a departure is reflected in the user's category without anyone having to re-run the rules.

Finally, we use this knowledge to drive our triage and response processes. For suspicious events where the user is technical, we will reach out via ChatOps and ask the user questions we would not ask a non-technical user. The example below is a case where our response was tailored to a non-technical user. This can be a more difficult case to verdict correctly, but with knowledge that the user is not technical, we don’t have to consider nearly as many possible explanations.

[Screenshot: Suspicious Execution Timeline] Suspicious execution timeline with a non-technical user.
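To make the four steps above concrete, here is an added example (not Wirespeed's code) of the same idea in Python: classify directory records into administrators, VIPs and technical users, blend records for the same person across two directories, and then pick a response path for a suspicious-execution detection based on who the user is. The record layout, the role names, the title/department keyword rules, the parent-process names used to detect an admin-pushed command, and the sample users and detection are all constructed assumptions for illustration.

```python
"""Directory-aware triage: classify users from directory records, then
choose a response path for a detection based on the user's category.

Added example, not Wirespeed's code. The record layout, role names,
keyword rules and sample data are assumptions for illustration."""

import re
from dataclasses import dataclass, field

# Assumed directory role names treated as administrative (illustrative, not a
# complete list of Entra ID or Google Workspace roles).
ADMIN_ROLES = {"Global Administrator", "Privileged Role Administrator", "Super Admin"}

# Assumed keyword rules. Matching is on whole lowercase tokens of the title and
# department, so "Director of IT" matches TECH_TOKENS but "Editor" does not.
VIP_TOKENS = {"chief", "ceo", "cfo", "ciso", "cto", "president", "counsel"}
TECH_TOKENS = {"engineer", "engineering", "developer", "sysadmin", "devops",
               "sre", "infrastructure", "it"}

# Assumed parent processes that indicate an administrator pushed the command
# (SCCM client and Group Policy script runner).
MANAGEMENT_PARENTS = {"ccmexec.exe", "gpscript.exe"}


@dataclass
class DirectoryUser:
    email: str
    title: str = ""
    department: str = ""
    roles: list = field(default_factory=list)
    source: str = "entra"                          # "entra" or "workspace"
    manual_tags: set = field(default_factory=set)  # analyst overrides, e.g. {"technical"}


def _tokens(*texts: str) -> set:
    return {t for text in texts for t in re.findall(r"[a-z]+", text.lower())}


def classify(user: DirectoryUser) -> set:
    """Return the categories a user belongs to; a user may be in several."""
    cats = set(user.manual_tags)  # manual marking always wins
    if any(role in ADMIN_ROLES for role in user.roles):
        cats.add("administrator")
    toks = _tokens(user.title, user.department)
    if toks & VIP_TOKENS:
        cats.add("vip")
    if toks & TECH_TOKENS:
        cats.add("technical")
    return cats


def merge_directories(*directories) -> dict:
    """Blend records for the same person from several directories (the M&A
    case): union of roles and manual tags, keyed by lowercase email."""
    merged = {}
    for users in directories:
        for u in users:
            key = u.email.lower()
            if key not in merged:
                merged[key] = DirectoryUser(key, u.title, u.department,
                                            list(u.roles), u.source, set(u.manual_tags))
                continue
            m = merged[key]
            m.roles = list(dict.fromkeys(m.roles + u.roles))  # de-duplicate, keep order
            m.manual_tags |= u.manual_tags
            m.title = m.title or u.title
            m.department = m.department or u.department
    return merged


def triage(detection: dict, user: DirectoryUser) -> dict:
    """Pick a response path for a suspicious-execution detection."""
    cats = classify(user)
    escalate = bool(cats & {"administrator", "vip"})  # analyst looks in parallel
    if detection.get("parent_process", "").lower() in MANAGEMENT_PARENTS:
        return {"action": "close_benign", "reason": "command pushed by management tooling"}
    if "technical" in cats:
        # Technical user: the activity may simply be their job, so ask first.
        return {"action": "chatops_inquiry", "escalate": escalate,
                "question": f"Did you run `{detection['command']}` on {detection['host']}?"}
    # Non-technical user: the only benign explanation (admin push) is ruled out.
    return {"action": "contain_host", "escalate": escalate,
            "reason": "non-technical user; no admin push found"}


if __name__ == "__main__":
    # Constructed sample records from two directories and one constructed detection.
    entra = [DirectoryUser("sam@example.com", "Account Executive", "Sales"),
             DirectoryUser("kim@example.com", "Systems Engineer", "IT", ["Global Administrator"])]
    workspace = [DirectoryUser("KIM@example.com", "", "Engineering", [], "workspace", {"technical"})]
    det = {"host": "LAPTOP-01", "command": "powershell -enc SQBFAFgA", "parent_process": "outlook.exe"}
    for u in merge_directories(entra, workspace).values():
        print(u.email, sorted(classify(u)), triage(det, u)["action"])
```

The sales rep lands on `contain_host`, the engineer on `chatops_inquiry` with `escalate` set because they also hold an admin role, and the same detection with `CcmExec.exe` as the parent closes as benign for either user. In a real deployment the keyword lists would be the part reviewed and tuned over time; the manual-tag override is what lets an analyst correct a miss without editing the rules.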

#Run us Head to Head

We’re ready to run head-to-head against your current MDR provider, because you deserve an MDR that treats your Technical Users with a higher level of trust and autonomy than regular users, just like you do.

It takes just a couple of minutes to start a FREE Trial, during which we will sync your directories, ingest the previous 90 days of alerts, and show you the cases where we would have treated your technical users differently. You can instantly compare that to how your current MDR provider handled those same cases, if they even told you about those cases at all!

You’re welcome to integrate with Slack, Teams, or just email, and we’ll monitor your environment for the next 14 days for FREE, reaching out to your users on your behalf. We’ll even help you with a rollout communication plan to inform your workforce that they may be asked about their activity to protect your organization. Quick, Easy, Painless … and Secure.

Want to know more about Wirespeed? Follow us on LinkedIn / X or start a FREE TRIAL today.