ClearDATA Managed Detection & Response Overview
ClearDATA Managed Detection & Response (MDR) provides continuous monitoring and threat management for AWS, Azure, and GCP public cloud platforms. This service is designed to support healthcare organizations prepare for, detect, respond to, and recover from cyber-attacks.
To be eligible for this service, ClearDATA MDR customers must have ClearDATA Managed Services, ClearDATA Advanced or ClearDATA Premium.
Shared Responsibility Model
The ClearDATA MDR RACI defines the shared responsibilities of ClearDATA and the Customer. The RACI is here: https://cleardata.document360.io/docs/raci. Access requires a password. If you do not have one, please contact your account team.
Service Components
Service components of ClearDATA MDR are listed in the following table.
| Service Component | Element |
| Prepare | Onboarding |
| Log & Telemetry Ingestion Planning | |
| Cloud Configuration & Deployment | |
| XDR Platform Tuning | |
| Detect & Analyze | Threat Intelligence Data |
| Emerging Threat Notifications | |
| Threat Hunting | |
| Threat Detection | |
| Threat Investigation | |
| Customer Notification | |
| Respond | Analyst Initiated Threat Response |
| Recover | Root Cause Analysis |
| Requests for Intelligence | |
| Remediation Guidance | |
| Reporting | Regular Reports |
| Threat Intelligence Summaries | |
| Regular Service Reviews |
Service Levels
ClearDATA offers three levels of the MDR service to allow Customers to choose threat management services aligned with their requirements and budget. Your statement of work will list the Service Level you have purchased. If you have requirements outside the scope of this Service Description, please contact ClearDATA support to arrange for a professional services consultation.
| Service Component | Element | MDR Basics | MDR Essentials | MDR Complete |
| Prepare | Onboarding | √ | √ | √ |
| Log & Telemetry Ingestion Planning | – | √ | √ | |
| Cloud Configuration & Deployment | √ | √ | √ | |
| XDR Platform Tuning | √ | √ | √ | |
| Detect & Analyze | Threat Intelligence Data | √ | √ | √ |
| Emerging Threat Notifications | √ | √ | √ | |
| Threat Hunting | √ | √ | √ | |
| Threat Detection | √ | √ | √ | |
| Threat Investigation | √ | √ | √ | |
| Customer Notification | √ | √ | √ | |
| Respond | Analyst Initiated Threat Response | – | √ | √ |
| Recover | Root Cause Analysis | – | √ | √ |
| Requests for Intelligence | – | – | √ | |
| Remediation Guidance | – | √ | √ | |
| Reporting | Regular Reports | √ | √ | √ |
| Regular Service Reviews | Annually | Semi-Annual | Quarterly | |
| Threat Intelligence Summaries | – | – | √ |
MDR Basics Service Level
MDR Basics helps the Customer prepare the environment and detect threats targeting cloud infrastructure using a core set of Extended Detection & Response (XDR) features. It provides initial assessment and investigation of security alerts and notifies customers of any potential security incidents.
Service components are:
- Prepare: Proactive preparation and implementation of security measures.
- Detect & Analyze: Continuous monitoring, threat hunting and investigation of security alerts.
- Reporting: Key metrics and visibility into MDR service activities.
MDR Essentials Service Level
MDR Essentials includes additional XDR features for protecting cloud infrastructure and applications. The service not only investigates detected threats, but also helps contain threats and provides assistance during incident recovery.
Service components are:
- Prepare: Proactive preparation and implementation of security measures.
- Detect & Analyze: Continuous monitoring, threat hunting and investigation of security alerts.
- Respond: Immediate action and mitigation strategies implemented to work to contain and neutralize threats.
- Recover: Actionable remediation guidance accelerates incident recovery.
- Reporting: Key metrics and visibility into MDR service activities.
MDR Complete Service Level
MDR Complete includes a comprehensive set of XDR features for protecting entire cloud estates. The service not only investigates detected threats, but also helps contain threats and provides expanded assistance during incident recovery.
Service components are:
- Prepare: Proactive preparation and implementation of security measures.
- Detect & Analyze: Continuous monitoring, threat hunting and investigation of security alerts.
- Respond: Immediate action and mitigation strategies implemented to work to contain and neutralize threats.
- Recover: Actionable remediation guidance accelerates incident recovery.
- Reporting: Key metrics and visibility into MDR service activities.
Note: Additional supported integrations with additional telemetry and logs may be required to provide MDR Complete.
Supported Technology & Telemetry
ClearDATA MDR is powered by a fully managed Extended Detection & Response (XDR) platform. Each Service Level is granted a specific set of technology and telemetry features. A complete list of entitlements can be found here: https://cleardata.document360.io/docs/cleardata-managed-detection-response#service-levels. Access requires a password. If you do not have one, please contact your account team.
The MDR Complete Service Level allows for additional XDR components and integrations to be enabled that can customize and improve threat detection and response capabilities. A complete list of security integrations supported by ClearDATA MDR can be found here: https://cleardata.document360.io/docs/supported-tools-integrations. Access requires a password. If you do not have one, please contact your account team.
Detailed Service Component Description
Prepare
Onboarding
ClearDATA will schedule a kickoff discussion to plan onboarding and delivery of the Service, and to review expectations and requirements with the Customer. The parties will:
- Review and discuss Customer’s cloud environment, security configuration requirements, and other relevant context
- Provide guidance on available XDR integrations
- Establish Customer’s primary point of contact for implementation and notifications or escalations from the Service
Customer will provide:
- Network diagram
- Latest security risk assessment results
- Vulnerability reports
- System inventory
- PHI inventory
Log & Telemetry Ingestion Planning
From the kickoff discussion, the ClearDATA MDR team and the Customer will develop a draft Joint Incident Response Plan based on the specific customer needs. This will likely change over time as use cases, security trends and Customer’s environment evolve.
Cloud Configuration and Deployment
Once the initial Joint Incident Response Plan has been established, onboarding continues with cloud configuration. ClearDATA will do some or all the following to ingest the necessary telemetry:
- Add and/or modify applicable XDR agent modules.
- Configure existing cloud resources to send logs to the appropriate destination.
- Deploy an MDR collector in the Customer environment.
- Create additional cloud resources as required.
XDR Platform Tuning
As cloud resources are configured, log flow will begin, and XDR tuning commences. Tuning the XDR platform is essential to ensure it aligns with Customer’s specific security needs, to reduce noise and enhance protection of Customer’s cloud accounts and servers. ClearDATA will work with the Customer to tune the XDR platform for optimum performance throughout the lifetime of the MDR engagement.
Detect & Analyze
Threat Intelligence Data
ClearDATA MDR collects cyber threat intelligence data from diverse sources, including but not limited to OSINT outlets, commercial partnerships, US government agencies, and proprietary sources. Analysis uncovers patterns, trends and potential risks, forming the basis of ClearDATA MDR’s threat detection and mitigation strategies.
Curated threat data is consolidated into threat data feeds and integrated into the XDR platform. This real-time data stream equips ClearDATA MDR with insights about active malware, targeted vulnerabilities, indicators of attack or compromise (IoAs or IoCs), and attack methodologies, enabling detection and response to emerging threats.
Emerging Threat Notifications
ClearDATA MDR will provide the Customer with proprietary cyber threat intelligence deliverables such as software vulnerability advisories, profiles on relevant advanced persistent threats (APTs) and defensive countermeasures. These reports are shared outside regular reporting schedules and provide insight, context, and data to respond to emerging threats and support ongoing cybersecurity defensive strategies.
Threat Detection
ClearDATA MDR will leverage telemetry collected by the XDR platform integrations to enable the potential detection of vulnerabilities, attacks and intrusions. ClearDATA MDR uses detection rules to define conditions and criteria that, when met, trigger alerts in the XDR platform for potential security incidents.
Upon receiving an alert, the MDR Service first performs triage to assess the severity and relevance of the alert. Alerts requiring further analysis may result in the creation of a threat investigation at ClearDATA’s discretion (see Threat Investigation section below).
Threat Hunting
ClearDATA MDR will regularly use collected threat intelligence data in combination with the telemetry ingested by the XDR platform to proactively seek out and identify malicious activity such as anomalous user activity, advanced threat actor tactics, anomalous network communications, and anomalous application behavior. Threats detected as part of the threat hunting process may result in creation of a Threat Investigation (see next Section detailing Threat Investigations).
Threat Investigations
Once an alert or hunt-sourced detection has been triaged and prioritized, ClearDATA’s Threat Analysts begin a detailed investigation within the XDR platform to determine the nature of the threat. This may include analysis of logs, network traffic, and any other available, relevant data to reconstruct the timeline of events and work to identify the root cause. Threat Investigations are specifically limited to threat detections resulting from the ClearDATA MDR Service.
Customer Notification
ClearDATA will contact the Customer through the support portal, email, or by telephone if sufficient evidence is collected to deem a threat as malicious, or if the ClearDATA threat analyst requires input from Customer to proceed with the investigation.
Respond
Analyst Initiated Threat Response
ClearDATA can initiate remote response actions to combat a threat. This could involve system information gathering, quarantined file retrieval, suspension or termination of malicious processes, isolating affected systems, blocking malicious traffic, locking user accounts, or implementing other measures designed to prevent harm.
Analyst-initiated threat responses are guided by the Customer’s pre-approved response action preferences detailed in the Joint Incident Response Plan and are specifically limited to threat investigations identified through the ClearDATA MDR Service.
Recover
Root Cause Analysis
After executing the Customer’s pre-approved response action plan, ClearDATA MDR will perform a root cause analysis that will attempt to dissect the attack and facilitate targeted remediation and future-proofed cloud defenses. This may include in-depth log correlation, network traffic inspection, malware sample analysis, system memory and filesystem forensics.
Requests for Intelligence
Request For Intelligence (RFI) are targeted questions MDR Complete customers can submit to the ClearDATA MDR threat intelligence team, seeking specific information about a threat actor or group involved in an attack. RFIs help uncover key information about the actor(s) such as motivations, capabilities, and TTPs (tactics, techniques, and procedures); and directly contribute to an informed, intelligence driven incident response strategy.
Remediation & Recovery Guidance
ClearDATA will provide remediation guidance to assist Customer’s incident recovery. Remediation Guidance is specifically limited to threat investigations discovered through the MDR Service and may include:
- Action plans to remediate identified threats and vulnerabilities
- Security guidance for software deployments and patches
- Security guidance of misconfiguration of server, cloud, network, and storage environments
Respond & Recover Activities
Respond and Recovery activities, as defined in the previous sections, are critical steps taken to address identified threats and restore normalcy to your cloud environment. These activities are tracked on an hourly basis and counted against the allotted hours included in the chosen Service Level reflected in the Customer’s Statement of Work (SOW).
Service Reporting
Regular Reports
ClearDATA MDR will provide Customer with reports that deliver key metrics and visibility into applicable threat detections, threat hunting activities, threat investigation results, and software vulnerabilities. The reporting schedule can be found at: https://cleardata.document360.io/docs/reporting. Access requires a password. If you do not have one, please contact your account team.
Weekly Threat Intelligence Summaries
The ClearDATA MDR threat intelligence team generates a weekly intelligence summary (INTSUM) report of emergent healthcare-specific cybersecurity events and threats, as well as insight into the MDR team’s threat hunting activities and collected technical threat indicators. Data found in this summary is applicable to ClearDATA managed cloud environments, as well as customer’s on-premises and non-ClearDATA managed cloud environments.
Regular Service Reviews
ClearDATA and the Customer will conduct regular service reviews that focus on continuing improvements to the Customer’s cloud security posture. ClearDATA MDR and Customer will review trends and notable activity, as well as lessons learned from responding to threats within Customer’s cloud environment. Regular Service Review frequency is aligned with the customer’s Service Level entitlements.
The Joint Incident Response Plan will be reviewed and updated as needed.
Note: Capitalized terms not defined herein have the meaning ascribed to them in your Cloud Computing Services Agreement.