"Big R" Response Archives | CyberMaxx https://www.cybermaxx.com/resources/category/big-r-response/ Assess, Monitor, and Manage Fri, 10 Oct 2025 18:20:06 +0000 en-US hourly 1 https://www.cybermaxx.com/wp-content/uploads/2024/09/cropped-Site-Icon-512x512-1-1-32x32.png "Big R" Response Archives | CyberMaxx https://www.cybermaxx.com/resources/category/big-r-response/ 32 32 On Demand Webinar – Tales from the SOC: When Action Speaks Louder Than Alerts https://www.cybermaxx.com/resources/on-demand-webinar-tales-from-the-soc-when-action-speaks-louder-than-alerts/ Fri, 10 Oct 2025 10:00:05 +0000 https://cybermaxx2021.wpengine.com/?p=9229 Watch the Tales from the SOC webinar, a live storytelling that pulls back the curtain on the real-time decisions, actions over alerting, and more harrowing tales from our Security Operations Center team. This live 30-minute webinar will dive into stories our team has experienced that highlight the power of proactive, real-time response.  Transcript Here […]

Watch the Tales from the SOC webinar, a live storytelling session that pulls back the curtain on real-time decisions, action over alerting, and other harrowing tales from our Security Operations Center team. This 30-minute session dives into stories our team has lived through that highlight the power of proactive, real-time response.

Transcript Here

What You’ll Learn

  • What really happens before, during, and after a cyberattack
  • Why alerts alone aren’t enough—and what action truly looks like
  • How our “Big R” response approach drives results
  • The critical role of human insight in an AI-driven world
  • What it takes to stay ahead of evolving threats

Featuring

Erica Smith, Director of Security Operations (Moderator) | Stephanie Camacho, SOC Shift Lead | Ryan Bratton, SOC Auditor

On-Demand Webinar: The Value of R with SentinelOne
https://www.cybermaxx.com/resources/on-demand-webinar-the-value-of-r-with-sentinelone/
Thu, 18 Sep 2025 18:28:00 +0000


Overview

Watch this webinar focused on how CyberMaxx leverages SentinelOne to prioritize rapid response and get you out of your worst day.

Join experts from CyberMaxx and SentinelOne as they discuss the real-world impact of “Big R Response”, a proactive approach that goes beyond alerting to drive true cybersecurity outcomes. Your security team needs more than just tools: it needs real-time support that prioritizes rapid response and gets it out of its worst day quickly.

In this session, Zack Hoffman (CyberMaxx) and Jay Ryerse (SentinelOne) dive into how CyberMaxx utilizes SentinelOne’s best-in-class EDR platform as a cornerstone of its Managed Detection & Response (MDR) strategy. The conversation will share practical use cases that demonstrate how advanced response capabilities are being used to reduce dwell time, contain threats, and protect organizations in real time. Questions are more than welcome.

Key Takeaways:

  • What “Big R” means in the context of modern MDR
  • How CyberMaxx integrates SentinelOne EDR into its threat response workflows
  • Real-life customer scenarios showcasing effective threat mitigation
  • Proactive, response-centric MDR strategies

Transcript:  read the full transcript here.

Challenge your MDR Provider
https://www.cybermaxx.com/resources/challenge-your-mdr-provider/
Thu, 19 Jun 2025 12:00:58 +0000

We received quite the welcome with our recent article, “Alert Time is Obsolete” [Alert Time is Obsolete | CyberMaxx], in which CyberMaxx shared what so many of our clients have come to know: Mean Time to Alert SLAs have been surpassed by Mean Time to Respond. The gamification of Mean Time to Alert has resulted in a loss of confidence, and CyberMaxx leads and aligns with our clients on what matters most: what were the conditions, and what was the time to respond, for risk remediation.

By this reception, we are continuing with what we will call our organic series of ‘saying the quiet part out loud.’ In this article we provide a framework for evaluating your MDR provider, ensuring they are not placing an MDR wrapper around an MSSP operating model. This occurs far too often, leaving businesses with a flood of alerts they are obligated to assess for risk and action, while the pseudo-MDR (in reality an MSSP) poses under the guise of protection. Enough already: here are the tools you need to challenge your MDR provider and determine whether they are nothing more than a masquerading MSSP.

Fundamental difference between an MDR and MSSP security provider

When identifying a suspicious/malicious security event, an MDR security provider will perform Response action on behalf of the client, contrasting with an MSSP which will notify and escalate to the client for evaluation and response.

! WARNING – If your security provider emphasizes Alert Response Time as a key performance indicator, they are an MSSP. It’s easy to respond quickly with an Alert & Notify service when all you are doing is passing the security alert through your hands, making the bulk of the investigation and response a client responsibility.

Evaluation Criteria – MDR providers will perform response actions on behalf of the client. MDR providers will emphasize Response Time as the truest key performance indicator.

Breadth of Response

CyberMaxx speaks of the ‘Big R’ in contrast to the little ‘r’ when presenting our modern MDR service. The difference comes in the breadth of response. MSSPs will speak of ‘r’esponse, when depending exclusively on EDR detections and auto-disruption when a malicious artifact is detected. For true, full-service MDR providers, this is just the beginning. CyberMaxx Modern MDR delivers on ‘R’esponse beyond EDR platform detections, to include:

  • Zero-Latency Response, where Threat Responders are staffed 24x7x365 to conduct incident triage, isolation, and containment
  • Full Scope of Compromise evaluation, where our Threat Responders look beyond the initial threat vector to the tangential paths that run through trusted relationships; this is the enhanced Response service CyberMaxx brings to MDR.

! WARNING– If your security provider equates EDR platform response with the ‘r’ in MDR services, they are offering marginal protection and operating as an MSSP with endpoint monitoring services. This doubles your efforts, as now the client must handle the bulk of the investigation and response for the endpoint in addition to the SIEM.

Evaluation Criteria – MDR Providers will respond beyond the inherent EDR platform alerts. The best will include Threat Responders within the SOC as first-stage Incident Response, reducing latency in the case of a breach and limiting the risk of full exposure.

TIP: See CyberMaxx ‘Tales from the SOC’ [Tales from the SOC eBook | CyberMaxx] for case studies of Big ‘R’

Novel and Native Detections

MSSPs masquerading as MDR providers will emphasize Platform Native Detections, inherent with their maintained platforms – this in the absence of Novel Detections authored by the organization. Here’s the problem – with the absence of Novel Detections, clients are receiving a ‘me too’ service, meaning the same as every other MSSP, with equal dependency on Platform Native Detections of the SIEMs and EDRs they claim to support.

The CyberMaxx Cyber Threat Unit is a dedicated team of Threat Researchers AND Detection Engineers, for Optimization, Enrichment, and Authorship of Novel and Native Detections, delivering comprehensive protection for our clients through CyberMaxx MDR.

  • CyberMaxx Threat Research authors Novel Detections, which deliver an effective true-positive rate 185% that of native detections alone. We protect clients when they are most vulnerable: in the early days of novel malware.
  • CyberMaxx Detection Engineering optimizes Native Detections, improving incident fidelity and sparing our clients the alert fatigue of the excessive false positives inherent in out-of-the-box Platform Native Detections; here we boast a handling rate of 99.99%. We at CyberMaxx do the work for you.

! WARNING – If your security service provider is exclusively dependent on Platform Native Detections, they are an MSSP.

Evaluation Criteria – MDR providers will gladly showcase their investment in Threat Research and Detection Engineering. This is one of the most important areas of focus for not only differentiating between an MDR and MSSP provider but also measuring value amongst various MDR providers. Ask about custom detections for Novel events.

Federated Intelligence

MSSPs operate exclusively in reactive mode, taking telemetry from the SIEM and EDR platforms when evaluating security incidents. The fact is that most MDR providers operate in the same way, with a lower level of maturity, placing exclusive dependency on client-chosen log sources. For many clients, their selection in log sources was heavily influenced by the cost associated with the volume of telemetry consumed by the SIEM. It’s one thing to have a platform capable of unrestricted consumption; it’s another to be able to afford it. As a result, many clients find themselves having to choose among log sources that are most critical.

CyberMaxx MDR breaks the economic stranglehold:

  • First, CyberMaxx MDR offers unlimited log source ingestion. Where others force you to choose, CyberMaxx respects our clients in determining which log sources matter most, without restriction
  • Plus – CyberMaxx includes Continuous Threat Exposure Management (CTEM), with our Modern MDR service. No additional cost, all the while running in parallel to the client-delivered event stream.

Yes! CyberMaxx CTEM brings federated intelligence, such as data and detections, to supplement log sources provided by our clients. CTEM is for our clients, with full MDR services, 24x7x365. CyberMaxx CTEM includes detections through:

  • Threat Research
  • Vulnerability Assessments
  • BotNet Activity
  • DarkWeb Findings
  • Phishing Assessments
  • Data and Breach Assessment
  • Media Monitoring
  • Network Hygiene
  • Cloud Security
  • Domain Squatting
  • OSINT
  • IOC/IOA Feeds

CyberMaxx MDR Federated Intelligence also includes Deception Technology for establishing decoys that present as business assets of our clients.

  • CyberMaxx Novel Detections will alert to malicious behavior, which is then reviewed by the CyberMaxx Threat Response team, determining risk, as might be associated with early indicators of ransomware
  • CyberMaxx Offense Fuels Defense philosophy is on full display when applying Threat Actor Behavioral Analytics, in evaluating activity associated with Deception Technology
  • CyberMaxx Vertical Expertise comes into play particularly with Deception Technology, where experience in HealthCare, Financial Services, Municipalities, and other regulated industries informs the evaluation of Threat Actor Behavior specific to the industry vertical

! WARNING – Ask your security service provider how they apply Federated Intelligence. If you receive a blank stare, you are speaking to an MSSP.

Evaluation Criteria – Federated Threat Intelligence is in the domain of modern MDR providers, where CyberMaxx leads the way, with our experience in application and inclusivity with CyberMaxx MDR. We stand alone in offering this value to our clients.

Whether you currently partner with an MDR provider or are evaluating one for a future partnership, I hope you find this article useful in challenging your MDR provider to ensure you are receiving the most value for your service investment.

Alert Time is Obsolete
https://www.cybermaxx.com/resources/alert-time-is-obsolete/
Thu, 05 Jun 2025 13:49:08 +0000

Response Time is the new benchmark for security performance

There… I said the quiet part out loud. Something we’ve all thought about but never dared to speak about.

Consider this: In the golden age of newspaper publishing, being first with the news was everything. Competitive news agencies measured their success by how fast they could get a story from the writer’s desk to the streets. Extras hit the stands between the morning journal and the evening bulletin—all in a relentless race against time.

The Shift

Then the internet changed everything. News now moves at the speed of thought. The story doesn’t even need to be fully written before it’s published. Edits and corrections happen in real time. WordPress outpaces the printing press every single time. And we, the consumers of the Information Age, became skeptical of rapid-fire reporting, cynical opinion pieces, weary of 30-second news reels, and hungry for substance, detail, and authenticity.

Newspaper publishers adapted. Today, they deliver in-depth reporting—multi-part series on the healthcare crisis, entire editions dedicated to electoral voting insights, digital platforms where readers can comment and verify sources. As consumers, we trust but verify – a philosophy that now defines the evolution of security monitoring for MDR.

What About Industry Standards?

At CyberMaxx, we recognize that the age of Alert and Notify is over. Measuring Alert Time for a superficial notification of a security event is obsolete. We respect our clients—who have come to see that the industry-standard 15-minute Alert Time was nothing more than a gamified performance metric.

Some security providers start the clock at Alert Ingest and stop it at notification. Others start timing only when an analyst picks up the alert. Some only measure the time after the investigation is complete. And the boldest of them? They average automated and manual handling times to claim they can handle an alert in mere seconds.

Really?

Here’s the truth: We have too much respect for our clients to play into a meaningless metric that has lost all credibility.

The Modern MDR Standard

At CyberMaxx, Response Time is the modern MDR standard. We publish results within a 60-minute window for High Severity Alerts—starting from Alert Genesis, through deep Analysis, all the way to Risk Determination, Notification, and Escalation. We operate with integrity, prioritizing the alerts that truly matter, conducting in-depth investigations, and delivering prescriptive guidance that our clients can rely on.
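As an added illustration (not part of the original article, and not CyberMaxx’s reporting code): the script below takes one constructed day of alert-queue records and measures it the four ways described above (ingest to notification, analyst pickup to notification, post-investigation only, and a blended mean over automated and manual handling) alongside the genesis-through-escalation window defined here. Every timestamp, the 60-minute window and the 200 auto-closed low-severity alerts are assumptions chosen to make the effect visible.

```python
"""Added example: how the choice of start/stop clock changes a provider's
'alert time' on the same queue, versus a genesis-to-escalation window.
All alert records are constructed; no real SOC data is used."""
from datetime import datetime, timedelta
from statistics import mean, median


def _t(hhmmss: str) -> datetime:
    # All constructed alerts fall on one arbitrary day.
    return datetime.strptime("2025-03-20 " + hhmmss, "%Y-%m-%d %H:%M:%S")


def _alert(severity, genesis, ingest, pickup, analyzed, escalated, automated=False):
    # genesis  : event occurred on the endpoint / log source
    # ingest   : alert landed in the SOC queue
    # pickup   : analyst (or automation) opened it
    # analyzed : investigation finished, risk determined
    # escalated: client notified / escalated with guidance
    return {"severity": severity, "automated": automated,
            "genesis": _t(genesis), "ingest": _t(ingest), "pickup": _t(pickup),
            "analyzed": _t(analyzed), "escalated": _t(escalated)}


# Three analyst-handled alerts (constructed) ...
MANUAL = [
    _alert("high",   "12:07:58", "12:08:10", "12:15:00", "12:40:00", "12:48:00"),
    _alert("high",   "02:00:00", "02:00:30", "02:30:00", "03:05:00", "03:10:00"),
    _alert("medium", "15:00:00", "15:01:00", "15:12:00", "15:30:00", "15:33:00"),
]


def _automated(n: int = 200):
    # ... plus n low-severity alerts that a playbook closes in a few seconds each
    # (assumption: 3 s from pickup to notification, typical of auto-closed noise).
    out, base = [], _t("09:00:00")
    for i in range(n):
        g = base + timedelta(minutes=i)
        out.append({"severity": "low", "automated": True, "genesis": g,
                    "ingest": g + timedelta(seconds=1), "pickup": g + timedelta(seconds=2),
                    "analyzed": g + timedelta(seconds=3), "escalated": g + timedelta(seconds=5)})
    return out


ALERTS = MANUAL + _automated()


def seconds_between(alert, start: str, stop: str) -> float:
    return (alert[stop] - alert[start]).total_seconds()


def provider_metric(alerts, start, stop, include_automated=True, agg=mean) -> float:
    """One 'alert time' figure (seconds), the way a provider might publish it."""
    pool = [a for a in alerts if include_automated or not a["automated"]]
    return agg([seconds_between(a, start, stop) for a in pool])


def compare_clocks(alerts):
    """The same queue measured four ways; only the clock definition changes."""
    return {
        "ingest->notify (manual only, median)":    provider_metric(alerts, "ingest", "escalated", False, median),
        "pickup->notify (manual only, median)":    provider_metric(alerts, "pickup", "escalated", False, median),
        "analyzed->notify (manual only, median)":  provider_metric(alerts, "analyzed", "escalated", False, median),
        "pickup->notify (automated+manual, mean)": provider_metric(alerts, "pickup", "escalated", True, mean),
    }


def genesis_to_escalation(alerts, severity="high", window_minutes=60):
    """Response-time view: genesis through analysis to escalation per alert,
    plus the share of those alerts that landed inside the window."""
    durations = [seconds_between(a, "genesis", "escalated")
                 for a in alerts if a["severity"] == severity]
    within = sum(1 for d in durations if d <= window_minutes * 60)
    return durations, within / len(durations)


if __name__ == "__main__":
    for name, secs in compare_clocks(ALERTS).items():
        print(f"{name:42s} {secs:8.1f} s")
    durations, share = genesis_to_escalation(ALERTS)
    print("high-severity genesis->escalation (s):", durations, "within 60 min:", share)
```

With 200 playbook-closed alerts in the pool, the blended mean comes out around 31 seconds, while the median analyst-handled alert took 33 minutes from pickup to notification and 40 minutes from ingest; measured genesis to escalation, one of the two high-severity alerts missed the 60-minute window. Same queue, four headlines.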

For the most serious alerts, we notify our CyberMaxx Threat Response team at the same time as our clients, ensuring rapid and thorough assessment with full compromise evaluation.

We refuse to align with ticket-factory security providers, racing to the bottom with empty promises of rapid alerts while burdening their clients with superficial investigations. Their outdated approach leaves businesses vulnerable to the complex threats of modern adversaries.

CyberMaxx prioritizes Response Time, publishing our results on the CyberSight portal for complete transparency—because our clients should always trust but verify. Our platform is accessible by desktop and mobile, with shift leaders on duty 24/7/365 to provide insights into proactive actions taken during every response cycle.

We are here to protect our clients, holding ourselves to the highest standards of Response Time, reinforcing the Big ‘R’ of MDR.

Focus On Metrics That Matter

Beware of those who equate vanity metrics like Alert and Notify with actual protection. That’s an illusion from a bygone era.

MSSP Alert Time is obsolete. MDR Response Time is the new benchmark for security performance, and CyberMaxx sets the standard.

The Rise of Zero-Latency Cybersecurity: Why Speed Is the New Security Perimeter
https://www.cybermaxx.com/resources/the-rise-of-zero-latency-cybersecurity-why-speed-is-the-new-security-perimeter/
Thu, 03 Apr 2025 12:00:40 +0000

Cyberattacks are happening at an ever increasing rate, and the way organizations respond to them needs to adapt. If your organization is ignoring zero-latency response in favor of old-school detection and response cycles that were effective a few years ago, you’re already playing catch-up.

The Cybersecurity Speed Crisis: Why Minutes Matter More Than Ever

Security teams have traditionally measured response times in days, sometimes even weeks. But modern attackers don’t operate on that timeline. They infiltrate, exfiltrate, and execute attacks in hours, sometimes minutes. As a result, organizations now face a cybersecurity speed crisis. Staying ahead requires shortening your mean time to respond (MTTR).

The Reality of Modern Cyber Attacks

The industry has traditionally considered response times in long windows: think 24-hour alert periods and weekly log reviews. Today, automation is allowing modern threat actors to deploy ransomware much more quickly.

According to the IBM X-Force Threat Intelligence Index 2024 report, it currently takes attackers less than four days to deploy ransomware once they gain access to a network. That window is still shrinking, if slowly: the average time between initial access and deployment fell from 92.48 hours to 92.21 hours between 2022 and 2023.

To make the issue even more urgent, it’s now common for attackers to exfiltrate data within a couple of hours.

Why Traditional Security Models Are Failing

Legacy security models weren’t designed for today’s fast-paced threat environment. Relying on periodic security reviews instead of proactively hunting for threats with real-time threat detection means you’re likely missing critical signs.

Attackers know this, and they know how to exploit these slow response times to maximize the damage they cause across your organization.

This is where MDR providers are becoming invaluable. By offering real-time monitoring and expert threat detection around the clock, MDR partners can help you stay ahead of attackers by ensuring your response times are always swift.

The Shift Toward Zero-Latency Response

Cybersecurity has reached a tipping point, and defenders can’t afford to wait any longer. To keep up with the increasing speed and sophistication of attacks, it is necessary to adopt a zero-latency mindset.

What is Zero-Latency Cybersecurity?

Zero-latency security works in real-time. It detects threats in real-time and responds instantly, leading to significant dwell time reduction and preventing attackers from wreaking havoc across your entire system. Unlike traditional incident response models, which check for intruders on a set schedule, it offers continuous protection.

With zero-latency security, you get faster containment, less damage, and a more resilient organization overall.

The Role of Automation in Zero-Latency Security

Everyone is talking about AI-driven real-time threat detection and automated threat response for a good reason: they are effective.

Machine learning continuously analyzes telemetry to spot anomalies and compares them against known attack patterns. Because the models keep learning from new data, they can flag suspicious activity earlier than static, signature-based methods.

Tools like automated Endpoint Detection and Response (EDR) and Security Orchestration, Automation, and Response (SOAR) are key to achieving a zero-latency response. EDR provides real-time endpoint visibility to catch threats early, while SOAR enables automated threat response, from containment to remediation.

Together, they provide a fast, seamless defense, which reduces dwell time and neutralizes threats more quickly.

Building a Zero-Latency Security Strategy

A zero-latency approach doesn’t happen overnight. It requires the right mix of technology, expertise, and processes and a significant mindset shift across your organization to make it work.

Step 1: Implement Real-Time Threat Detection

Stop relying on outdated periodic log reviews. They’re too slow. What you need is continuous monitoring that alerts you to threats as they happen.

Threats can come from anywhere and spread fast, so you need telemetry data from endpoints, networks, identity & authentication, clouds and even applications, to get a clear picture of your environment. Correlating security signals helps you understand the full scope of an attack and respond faster.

Tools like Extended Detection and Response (XDR), Security Information and Event Management (SIEM) and network traffic analysis are crucial. XDR correlates telemetry across endpoints, identities, cloud and network, SIEM centralizes and analyzes logs quickly, and network traffic analysis tracks data flows. Together, they enable real-time threat detection and automated threat response.

Step 2: Scale Detection and Response

Manual security processes rely on human intervention at every step, which slows down response times and gives attackers more time to cause damage.

SOAR fixes this by automating workflows. It automates enrichment tasks, and can be configured to automatically take response actions when threats are detected. Doing so frees up your team to focus on more critical issues.

Step 3: Reduce Human Latency with AI-Assisted Decision-Making

AI is such a game-changer because it can prioritize threats and suggest actions instantly. It analyzes vast amounts of data, identifies the most critical threats, and quickly provides recommendations for how to respond.

But here’s the thing: AI isn’t here to take over your entire team. It’s here to enhance what your team already does. AI can handle the heavy lifting by finding patterns and anomalies and enabling automated threat response. Then, your team must use their expertise and judgment to make the final decision.

This is much quicker than relying on traditional antiquated log review cycles where teams would sift through large volumes of data, often resulting in delayed responses. Using AI means your team can reduce the time spent on repetitive tasks, and switch their focus to making informed decisions.

Step 4: Train Teams for Rapid Response

Automation is great, but human analysts are still essential. They make the calls that automation can’t.

For organizations with limited internal teams, MDR partners can be a game-changer. MDR offers expert guidance, real-time monitoring and 24/7 coverage that can be scaled as your organization grows. This means your team can respond to threats more quickly and effectively.

Running real-time drills (a process known as ‘cybersecurity wargaming’) lets your teams practice quickly responding to real threats. That repetition reinforces muscle memory for high-pressure situations.

To create a culture of urgency across your organization, you need to prioritize speed, empower your team with the right tools, and constantly challenge them to react quickly and effectively. Even if your organization doesn’t have a dedicated SOC, MDR partners can help make sure that your teams are ready to act at a moment’s notice.

The Future of Zero-Latency Cybersecurity

The next wave of cybersecurity innovation will prioritize cybersecurity speed over all else. That’s because time is your most valuable asset in security.

How Cyber Threats Will Evolve in 2025 and Beyond

Just as organizations use automation to defend against attacks, attackers use it to strike faster and more efficiently.

Ransomware, in particular, is moving at lightning speed. That means containment has to happen in real time. As a result, emerging cybersecurity frameworks are prioritizing zero-latency response.

What Organizations Must Do to Stay Ahead

Investing in security automation has become a competitive necessity. As threats become even more sophisticated, your organization can’t afford to be reactive. Instead, you need to shift to a proactive security model that detects and responds to threats in real time before they escalate.

That’s where partnering with Managed Detection and Response (MDR) providers comes in. An experienced MDR provider like CyberMaxx helps you fill the gaps in your security capabilities, giving you the expertise and resources you need to stay ahead of the game.

The Importance of Prioritizing Zero-Latency Response

The speed at which adversaries operate is something that’s not being talked about enough, but it’s critical to understand. Organizations that adapt to this by adopting zero-latency response security can stay one step ahead of attackers. Those that don’t will be left exposed.

Anatomy of a Real Cyber Attack: “Big R” Response in Action
https://www.cybermaxx.com/resources/anatomy-of-a-real-cyber-attack-big-r-response-in-action/
Thu, 20 Mar 2025 12:03:28 +0000

“At 12:07:58 the CyberMaxx SOC detected enumeration activity on a host via our installed agent…”

This article will cover the anatomy of a real-time cyber attack and outline how CyberMaxx is uniquely designed to provide what we define as “Big R” response.

CyberMaxx takes its responsibility to defend seriously. Threat actors work tirelessly to gain access to corporate systems, and our Security Operations Center (SOC) regularly intervenes to contain advanced threats and protect our customers. This is where our “Big R” response commitment really shines: to us it means response, containment, and eradication as part of SOC operations, going well beyond escalation.

Our zero-latency response model is engaged whenever a suspected security compromise is detected. It’s designed to compress the time between initial detection and a specific containment action. As part of CyberMaxx’s “Big R” response commitment, we will thoroughly investigate every incident to ensure it is fully contained and that your environment is completely remediated.

Here’s an example of a real situation a customer experienced where our SOC sprang into action with the “Big R” response.

Threat Hunting and Detection

At 12:07:58 the CyberMaxx SOC detected enumeration activity on a host via our installed agent. The activity was flagged by a custom CyberMaxx watchlist that detects the use of net.exe to query sensitive Active Directory groups, such as Domain Admins and the local Administrators group. The specific command observed was:

net group "domain admins" /do

(/do is an accepted abbreviation of net.exe’s /domain switch, so the query was directed at the domain rather than the local machine.) This command is rarely run by legitimate users and is a staple of attacker reconnaissance: it lists the members of the Domain Admins group, handing the threat actor the account names to target for privilege escalation and further compromise of the environment.
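The watchlist logic described above, as an added example that is not CyberMaxx’s own detection content: a small Python detector over process-creation events (Sysmon event 1 or an EDR process-start feed, simplified to one dict per event) that flags net.exe and net1.exe queries of sensitive domain and local groups, treats /do and the other prefixes of /domain as domain-scoped, and attaches the two context signals the article relies on, the built-in Administrator account and after-hours timing. The event schema, the sensitive-group list, the 07:00–18:59 business-hours window and all sample events are constructed assumptions.

```python
"""Added example (not CyberMaxx's watchlist): detect net.exe / net1.exe
enumeration of sensitive AD and local groups in process-creation telemetry.
Event format and sample events are constructed."""
import re
from datetime import datetime

# Assumption: the groups whose membership an attacker wants first.
SENSITIVE_GROUPS = {
    "domain admins", "enterprise admins", "schema admins", "administrators",
    "account operators", "backup operators", "remote desktop users",
}
NET_IMAGES = {"net.exe", "net1.exe"}   # net.exe hands off to net1.exe; both appear in telemetry
BUSINESS_HOURS = range(7, 19)          # assumption: 07:00-18:59 local is normal admin activity


def _tokens(cmdline: str):
    # Keep quoted group names such as "domain admins" as one token, then strip the quotes.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _is_domain_flag(tok: str) -> bool:
    # net.exe accepts unambiguous prefixes of /domain: /do, /dom, /doma ... all count.
    t = tok.lower()
    return len(t) >= 3 and "/domain".startswith(t)


def classify_net_command(image: str, cmdline: str):
    """Return (severity, detail) for a group query, or None if the event is not one."""
    if image.replace("/", "\\").rsplit("\\", 1)[-1].lower() not in NET_IMAGES:
        return None
    toks = _tokens(cmdline)
    if len(toks) < 2 or toks[1].lower() not in ("group", "localgroup"):
        return None
    verb, args = toks[1].lower(), toks[2:]
    # 'net group' always talks to the domain; 'net localgroup' only with a /domain flag.
    scope = "domain" if verb == "group" or any(_is_domain_flag(a) for a in args) else "local"
    names = [a for a in args if not a.startswith("/")]
    if not names:
        return ("medium", f"listing all {scope} groups")
    group = names[0].lower()
    severity = "high" if group in SENSITIVE_GROUPS else "low"
    return (severity, f"membership query of {scope} group '{group}'")


def detect(events):
    """Run the classifier over process-creation events and add the context flags."""
    findings = []
    for ev in events:
        hit = classify_net_command(ev["image"], ev["cmdline"])
        if hit is None:
            continue
        severity, detail = hit
        hour = datetime.fromisoformat(ev["ts"]).hour
        findings.append({
            "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
            "severity": severity, "detail": detail,
            "builtin_admin": ev["user"].lower() == "administrator",
            "after_hours": hour not in BUSINESS_HOURS,
        })
    return findings


# Constructed sample telemetry (simplified process-start events).
SAMPLE_EVENTS = [
    {"ts": "2025-03-20T12:07:58", "host": "WS-FIN-07", "user": "Administrator",
     "image": r"C:\Windows\System32\net.exe", "cmdline": 'net group "domain admins" /do'},
    {"ts": "2025-03-20T12:07:58", "host": "WS-FIN-07", "user": "Administrator",
     "image": r"C:\Windows\System32\net1.exe",
     "cmdline": r'C:\Windows\system32\net1 group "domain admins" /do'},
    {"ts": "2025-03-20T23:41:10", "host": "SRV-APP-02", "user": "svc-helpdesk",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net localgroup Administrators"},
    {"ts": "2025-03-20T09:15:00", "host": "WS-HR-03", "user": "jdoe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": r"net use Z: \\fs01\share"},
    {"ts": "2025-03-20T10:02:31", "host": "WS-FIN-07", "user": "Administrator",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net group /domain"},
    {"ts": "2025-03-20T10:05:00", "host": "WS-FIN-07", "user": "jdoe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": 'net group "Sales" /domain'},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["ts"], f["host"], f["user"], f["detail"],
              "builtin-admin" if f["builtin_admin"] else "", "after-hours" if f["after_hours"] else "")
```

Both the net.exe parent and its net1.exe child match, so a real pipeline would deduplicate on host and timestamp; the classifier deliberately does not, because the child is sometimes the only event an agent captures. Modification verbs (/add, /delete) fall through as low-severity here and deserve their own, stricter rule.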

Proactive Response

The activity was executed by the “Administrator” account, which is often a default account, adding to its suspicious nature. While system administrators may legitimately use such commands for troubleshooting, CyberMaxx SOC analysts identified irregularities in its timing and execution. Recognizing this anomaly, the SOC promptly contacted the customer to verify whether an authorized administrator had executed the command. The customer quickly confirmed it was unauthorized, prompting the SOC to isolate the host and recommend immediate disabling of the “Administrator” account.

Containment

After the initial SOC response, the case was escalated to the Threat Response Team (TRT) for further investigation. The TRT identified additional unusual activity on another host, involving a legitimate internal tool. Although this activity was later deemed legitimate, contextual clues—such as timing—raised concerns. Further analysis revealed that enumeration and scripting activities were also being conducted using the “Administrator” account. Given the potential lateral movement within the network, the SOC escalated the matter to the Incident Response team to assess the full scope of the compromise.

Remediation

Following escalation, the Incident Response team engaged with the customer to present findings and recommend remediation steps. During this discussion, an unmonitored log source was identified as the point of compromise. The investigation revealed that the incident originated from a compromised VPN account, “Administrator,” which had domain administrator privileges. The threat actor either possessed or brute-forced the account credentials to access the client’s VPN via their firewall.

As the firewall logs were not initially monitored by CyberMaxx, the suspicious login activity went undetected. However, retrospective analysis of the firewall logs confirmed unauthorized access from a specific IP address. The customer swiftly blocked this IP and implemented geo-blocking for all non-business-related countries.

To mitigate further risk, CyberMaxx recommended the following actions:

  1. Force sign-out of all active VPN sessions to terminate unauthorized connections.
  2. Conduct an audit of all VPN accounts to identify any anomalies.
  3. Integrate firewall logs into the SIEM for continuous monitoring and enhanced visibility.
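The retrospective firewall review and the three VPN actions above, as an added example (not CyberMaxx tooling): parse VPN authentication records, flag a password-guessing run that ends in a successful login and any privileged-account login from a non-business country, and emit the source addresses to block and the sessions still open that a forced sign-out should terminate. The syslog-style line format, the RFC 5737 documentation addresses, the country lookup (with “XX” standing in for a non-business country), the privileged-account list and the 5-failures-in-15-minutes threshold are all constructed assumptions; in practice the country comes from the firewall’s own geo database.

```python
"""Added example (not CyberMaxx tooling): retrospective analysis of VPN
authentication logs for brute-force-then-success and privileged logins from
unapproved countries. Log format, addresses and geo lookup are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED = {"administrator", "admin", "vpnadmin"}   # assumption: never expected from abroad
ALLOWED_COUNTRIES = {"US"}                             # assumption: business operates only in the US
GEO = {                                                # constructed stand-in for a GeoIP database
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "XX",      # XX = a non-business country
}
FAIL_THRESHOLD, WINDOW = 5, timedelta(minutes=15)      # assumption: tuning for this example

LINE = re.compile(r"^(?P<ts>\S+) vpn-auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")


def parse(lines):
    """Turn log lines into sorted events; unparsable lines are skipped, not guessed at."""
    events = []
    for ln in lines:
        m = LINE.match(ln.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({"ts": datetime.fromisoformat(d["ts"]), "user": d["user"].lower(),
                       "src": ipaddress.ip_address(d["src"]), "result": d["result"]})
    return sorted(events, key=lambda e: e["ts"])


def country(ip) -> str:
    return next((c for net, c in GEO.items() if ip in net), "??")


def analyze(events):
    """Return findings, the source IPs to block, and sessions still open."""
    findings, block, sessions = [], set(), {}
    recent_fail = defaultdict(list)            # (user, src) -> timestamps of failures
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            recent_fail[key].append(e["ts"])
            continue
        if e["result"] == "logout":
            sessions.pop(key, None)
            continue
        if e["result"] != "success":
            continue
        sessions[key] = e["ts"]
        # A success preceded by a burst of failures from the same source is a guessed password.
        fails = [t for t in recent_fail[key] if e["ts"] - t <= WINDOW]
        if len(fails) >= FAIL_THRESHOLD:
            findings.append({"ts": e["ts"], "type": "brute-force-success", "user": e["user"],
                             "src": str(e["src"]), "detail": f"{len(fails)} failures in window"})
            block.add(str(e["src"]))
        c = country(e["src"])
        if e["user"] in PRIVILEGED and c not in ALLOWED_COUNTRIES:
            findings.append({"ts": e["ts"], "type": "privileged-login-from-unapproved-country",
                             "user": e["user"], "src": str(e["src"]), "detail": c})
            block.add(str(e["src"]))
        recent_fail[key].clear()
    return {"findings": findings, "block": sorted(block),
            "active_sessions": sorted((u, str(s)) for (u, s) in sessions)}


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2025-03-19T23:40:01 vpn-auth user=jdoe src=198.51.100.23 result=success
2025-03-20T11:40:12 vpn-auth user=Administrator src=203.0.113.45 result=failure
2025-03-20T11:40:15 vpn-auth user=Administrator src=203.0.113.45 result=failure
2025-03-20T11:40:19 vpn-auth user=Administrator src=203.0.113.45 result=failure
2025-03-20T11:40:22 vpn-auth user=Administrator src=203.0.113.45 result=failure
2025-03-20T11:40:26 vpn-auth user=Administrator src=203.0.113.45 result=failure
2025-03-20T11:40:31 vpn-auth user=Administrator src=203.0.113.45 result=failure
2025-03-20T11:41:03 vpn-auth user=Administrator src=203.0.113.45 result=success
2025-03-20T11:55:00 vpn-auth user=jdoe src=198.51.100.23 result=logout
2025-03-20T12:01:44 vpn-auth user=jdoe src=198.51.100.23 result=failure
2025-03-20T12:01:58 vpn-auth user=jdoe src=198.51.100.23 result=success
garbage line that should be ignored
"""

if __name__ == "__main__":
    report = analyze(parse(SAMPLE_LOG.splitlines()))
    for f in report["findings"]:
        print(f["ts"], f["type"], f["user"], f["src"], f["detail"])
    print("block:", report["block"])
    print("force sign-out:", report["active_sessions"])
```

Note that jdoe’s single typo before a successful login does not trip the threshold, while the Administrator login trips both rules and lands on the block list once. The active-session list is what step 1 above acts on: the attacker’s session is still open after the log ends, so blocking the address alone would not evict it.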

These measures helped contain the compromise, prevent further lateral movement, and strengthen security posture against future threats.

Ongoing Improvement

Once the initial response was complete, we recommended the following additional remediation and recovery actions to secure their environment further and better protect from future attacks:

  • Update their firewall to the latest version and reboot in case this compromise was due to a vulnerability in the firewall’s firmware.
  • Reset all domain administrator passwords
  • Reset all end-user passwords
  • Break the trust between Active Directory and the hypervisor
  • Implement MFA on the VPN going forward

These recommendations were provided to the client due to activity observed in the event logs on the primary domain controller including attempted credential manager access. This may be indicative of password viewing or exporting done by the threat actor. Out of an abundance of caution, CyberMaxx recommended these actions be done to ensure the security of the client moving forward.

Outcome

It was determined that the compromised VPN on the firewall did not have multifactor authentication (MFA) configured, so the threat actor could access the environment as an administrator by compromising the password. Due to our recommendations, the client implemented MFA on this VPN going forward.

The CyberMaxx SOC team identified and evicted the threat actor before any notable actions or damage took place. After detection, the SOC swiftly contained the environment and eradicated the threat actor’s access to prevent further compromise. In addition, as part of the recovery effort, we provided further assistance with long-term security improvements to prevent a compromise of this nature from happening again.

Download the Anatomy of a Real Cyber Attack infographic here 
