On-Premises MDR – Managed Detection & Response

What is On-Premises Managed Detection & Response (MDR)?

On-Premises Managed Detection & Response (MDR) is a security service that is operated specifically on the premises of a company, as opposed to cloud-based MDR solutions. The focus is on detecting and responding to threats in real time. The solution uses technologies such as SIEM (Security Information and Event Management) and EDR (Endpoint Detection and Response) and is monitored and operated by a team of security experts who respond immediately to potential security incidents. Control and data storage remain entirely with the company, which can be a decisive factor, especially in highly regulated industries.

What advantages does on-prem MDR offer over cloud-based solutions?

On-prem MDR offers several advantages over cloud-based solutions:

  • Full control over data: Companies retain full control over their sensitive data as it remains on site and is not transferred to external cloud environments.
  • Better adaptation to compliance requirements: In regulated industries (e.g. healthcare, finance), it is often easier to meet compliance requirements because data is stored in the company’s own data centers.
  • Latency and performance: As all systems are operated locally, latency times can be reduced, which is particularly advantageous in time-critical environments.
  • Individualization: The solution can be adapted more closely to the specific requirements of the company, both in terms of hardware and software.

Which technologies and tools are used for on-premises MDR?

The following technologies and tools are typically used for on-prem MDR:

How does on-prem MDR differ from traditional security solutions?

Compared to traditional security solutions such as firewalls or antivirus software, on-prem MDR is more proactive and comprehensive. While firewalls and antivirus programs focus primarily on blocking known threats, MDR focuses on detecting and responding to advanced threats that could bypass traditional security systems. MDR also provides continuous monitoring and a human element through expert teams that analyze threats and intervene when incidents occur.

How do you scale an on-prem MDR solution as your company grows?

The scalability of an on-prem MDR solution depends heavily on the IT infrastructure. In principle, the solution can be expanded by adding servers, storage and network resources. Security tools such as EDR and SIEM also need to be scaled to the growing number of endpoints and network devices. It is also important to ensure that the SOC (Security Operations Center) has sufficient staff and resources to deal with the increased number of security events. Regular reviews and audits of the existing architecture are crucial to ensure that the solution effectively keeps pace with business growth.

What does an on-premises MDR solution cost?

The cost of an on-premises MDR solution is usually higher than a cloud-based solution as it includes the following:

  • Hardware costs: server, network equipment and storage.
  • Software licenses: SIEM, EDR, IDS/IPS and other security solutions.
  • Personnel: Experts for operating and maintaining the solution and responding to incidents.
  • Maintenance and updates: Regular hardware and software maintenance and security updates.
  • Training: Training the internal IT team to be able to manage the solutions effectively.

The costs can vary greatly depending on the size of the company, but medium-sized companies often have to reckon with a six-figure sum per year.

How quickly can on-prem MDR be implemented?

The implementation time depends on the complexity of the IT infrastructure, but comprises several phases:

  • Planning phase: Here the requirements are analyzed and the solution is specified (2-4 weeks).
  • Procurement of hardware and software: Depending on the delivery times of the required components (1-3 months).
  • Installation and configuration: The physical installation and configuration of the MDR components on site (1-2 months).
  • Testing and optimization: Conduct tests to ensure that the solution works effectively (2-4 weeks).

Overall, implementation typically takes 3-6 months.

What does the integration of on-prem MDR with existing IT systems look like?

Integrating on-prem MDR typically requires working with existing IT infrastructure, including firewalls, routers, endpoint devices and other security solutions. This requires:

  • Compatibility tests: Ensure that all components of the existing IT infrastructure are compatible with the new MDR tools.
  • Data aggregation: Establish connections between the existing systems and the SIEM/EDR tools to collect relevant data.
  • Security policies: Adapt existing security policies to ensure that the new solution handles threats in accordance with the organization’s requirements.

How are alerts and incidents handled in an on-prem MDR system?

In an on-prem MDR system, alerts are triggered by various technologies such as SIEM or EDR that detect suspicious activity. As soon as an alert is triggered:

  1. Alert prioritization: The system classifies the incident according to severity (e.g. low, medium, high).
  2. Investigation: Security experts analyze the details of the incident to determine if it is a real threat.
  3. Response: Depending on the threat, an automated response or manual intervention by the security team (e.g. blocking an attack, isolating an affected device) takes place.
  4. Reporting: All incidents are documented to facilitate future analysis and continuously improve the security situation.

How is data protection guaranteed with on-premises MDR?

As all data is stored locally in the company’s data center, the company has full control over how this data is processed and protected. Sensitive data never leaves the company. It is important that the MDR tools used comply with the requirements of the General Data Protection Regulation (GDPR), especially with regard to the processing of personal data. Data encryption, access controls and regular audits are essential to ensure data security.

What qualifications does the internal IT team need to manage an on-prem MDR solution?

The internal IT team must have advanced knowledge in the following areas:

  • Security architecture: Understanding the overall architecture of SIEM, EDR and other security tools.
  • Incident Response: Ability to respond quickly and effectively to incidents and perform forensic analysis.
  • Security protocols: In-depth knowledge of security protocols, data encryption and access management.
  • Network management: Strong knowledge of network topologies, firewall configurations and network segmentation.
  • Regular training: Security professionals need regular training to keep up with evolving threats.

Can an on-prem MDR solution guarantee 24/7 security monitoring?

Yes, an on-prem MDR solution can provide round-the-clock security monitoring. However, this requires that either an internal Security Operations Center (SOC) is set up and staffed 24/7 or that an external service provider is hired for off-hours monitoring. Without such continuous monitoring, critical threats could go undetected.

How do you continuously update an on-prem MDR solution?

Regular updates are necessary in order to detect new threats. These updates affect both the security databases and the software of the tools used. The IT team must ensure that:

  • Patches and updates are installed promptly on all systems.
  • Threat databases are regularly updated to detect new malware and attack patterns.
  • Regular audits and tests are carried out to ensure that the systems function optimally.

What happens when a threat is detected?

As soon as a threat is detected:

  1. Notification: The IT security team is notified immediately.
  2. Isolation: The affected system or network segment is isolated to prevent the spread.
  3. Analysis: An in-depth analysis is carried out to assess the extent of the attack.
  4. Containment and elimination: Measures are taken to eliminate the threat, e.g. by removing malware or fixing security vulnerabilities.
  5. Recovery: Systems are restored and normal operation continues.
  6. Reporting: The incident is documented and recommendations are made to avoid similar incidents in the future.
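The alert-handling workflow (prioritization, investigation, automated or manual response, reporting) and the threat-detection steps above (notification, isolation, analysis, reporting) are illustrated by the following Python triage pipeline. It is an added example, not code from the original page or from any MDR vendor; the alert schema, rule names, asset tiers, confidence threshold and actions are constructed assumptions. It goes slightly beyond the text by deduplicating repeated alerts and by withholding automatic isolation from the most critical assets, which a SOC would want a human to approve.

```python
"""Alert triage for an on-prem SOC: prioritize, deduplicate, respond, report.

All data below is constructed for illustration; the schema and thresholds are
assumptions, not any product's format.
"""
from dataclasses import dataclass, field
from enum import Enum


class Severity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Constructed sample alerts in a hypothetical SIEM/EDR export format.
SAMPLE_ALERTS = [
    {"id": "A-1", "source": "EDR", "host": "ws-017", "rule": "suspicious_powershell", "confidence": 0.55},
    {"id": "A-2", "source": "SIEM", "host": "db-01", "rule": "brute_force_login", "confidence": 0.90},
    {"id": "A-3", "source": "EDR", "host": "ws-022", "rule": "ransomware_behavior", "confidence": 0.95},
    {"id": "A-4", "source": "SIEM", "host": "ws-017", "rule": "suspicious_powershell", "confidence": 0.60},
]

# Asset criticality from a constructed CMDB: 1 = workstation, 3 = crown jewel.
ASSET_TIER = {"db-01": 3, "ws-017": 1, "ws-022": 2}

# Base severity per detection rule (assumed values).
RULE_BASE = {"suspicious_powershell": 1, "brute_force_login": 2, "ransomware_behavior": 3}


@dataclass
class Incident:
    alert_ids: list
    host: str
    rule: str
    severity: Severity
    confidence: float
    actions: list = field(default_factory=list)
    status: str = "open"


def prioritize(alert):
    """Step 1: severity = rule base score raised by the asset's criticality, capped at HIGH."""
    score = RULE_BASE.get(alert["rule"], 1) + (ASSET_TIER.get(alert["host"], 1) - 1)
    return Severity(min(score, 3))


def deduplicate(alerts):
    """Collapse repeated (host, rule) alerts into one candidate, keeping the highest confidence."""
    grouped = {}
    for a in alerts:
        g = grouped.setdefault((a["host"], a["rule"]), {"ids": [], "confidence": 0.0})
        g["ids"].append(a["id"])
        g["confidence"] = max(g["confidence"], a["confidence"])
    return grouped


def respond(incident, auto_confidence=0.9):
    """Step 3: contain automatically only when confidence is high and the asset is not tier 3;
    everything else goes to an analyst. Notification always accompanies HIGH severity."""
    tier = ASSET_TIER.get(incident.host, 1)
    if incident.severity is Severity.HIGH:
        if incident.confidence >= auto_confidence and tier < 3:
            incident.actions.append(f"isolate:{incident.host}")  # automated network isolation
            incident.status = "contained"
        else:
            incident.actions.append(f"approval-required:isolate:{incident.host}")
            incident.status = "investigating"
        incident.actions.append("page:oncall")
    elif incident.severity is Severity.MEDIUM:
        incident.actions.append("ticket:analyst-queue")
        incident.status = "investigating"
    else:
        incident.actions.append("log:review-daily")
        incident.status = "logged"
    return incident


def triage(alerts):
    """Run the full workflow and return incidents ordered for the report (highest severity first)."""
    incidents = []
    for (host, rule), g in deduplicate(alerts).items():
        sev = prioritize({"host": host, "rule": rule})
        incidents.append(respond(Incident(g["ids"], host, rule, sev, g["confidence"])))
    incidents.sort(key=lambda i: i.severity.value, reverse=True)  # Step 4: reporting order
    return incidents


def report(incidents):
    """Step 4: one documented line per incident for the shift report."""
    return [f"{i.severity.name:6} {i.host:8} {i.rule:22} {i.status:13} {','.join(i.actions)}"
            for i in incidents]


if __name__ == "__main__":
    for line in report(triage(SAMPLE_ALERTS)):
        print(line)
```

The tier check in `respond` is the design choice worth copying: automated isolation is cheap on a workstation and expensive on a production database, so the confidence threshold alone should not decide it.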
