zvelo Drives Big Wins for Global Managed Detection and Response Client
Faster and more accurate threat detection, expanded global visibility, and a streamlined ecosystem of threat intelligence sources lead to significant wins for zvelo’s latest Client, a Managed Detection and Response (MDR) Provider.
“We cannot analyze and prioritize the threats that we don’t see, so greater visibility into the threat landscape from a global perspective, rather than just regionally, is highly critical to our capabilities to identify IOCs and IOAs so that our threat analysts can correlate those with other IOCs in our ecosystem of intelligence sources, and contextualize them for the rich threat intelligence data which ultimately delivers phishing and malicious threat protection to our clients and their endpoints.”
— CISO, MDR Client
Client Profile
Client is a cybersecurity cloud platform providing security operations services (also referred to as SOC-as-a-Service or SOCaaS) to small and midsize businesses around the world. While the company provides an array of managed security services, this case study focuses on its Managed Detection and Response offering.
The Business Challenge
Providing network and endpoint security to mitigate cyber risk is a relentless business challenge as the threat landscape and attack tactics, techniques and procedures (TTPs) evolve faster than defenders can secure their environments. Evolving threats, escalating costs, and talent shortages are increasingly driving small to mid-sized organizations to enlist Managed Detection and Response (MDR) services to defend their networks, endpoints, and assets with comprehensive threat protection services.
With market demand increasing for MDR services, the Client was seeking to bolster its position as a key player in the SOCaaS arena by expanding its global operations, as well as its service capabilities. This global expansion, however, began to expose a number of blind spots in coverage which would put its customers and its growing reputation at risk. After monitoring security gaps and watching the threat risk trend upward over the course of several weeks, the Client quickly engaged numerous threat intelligence platforms and began evaluating different threat intelligence feeds, focused specifically on malicious detection and phishing detection, to achieve the visibility necessary to close the gaps in coverage and reduce the threat risk.
Business Requirements
Broad Global Visibility and Coverage
The Client’s global expansion prompted an intense review and analysis of the existing coverage from within its ecosystem of threat sources, which revealed where the Client had blind spots. While some blind spots carry much higher risks than others, in the world of threat detection any blind spot is a vulnerability that must be addressed. In the Client’s case, closing these blind spots was prioritized because doing so was key to improving its position in the global marketplace.
Integration-Ready Threat Intelligence Data
As an established provider of MDR services, the Client has made deep investments in its data architecture and analytics platforms to collect, store, and further analyze threat intelligence data. Naturally, the ease of ingesting threat intelligence feeds into the existing infrastructure was a key requirement to ensure the Client would be able to augment its ecosystem of sources quickly and without friction. For the Client, integration-ready meant more than the format of the feed; it also covered the quality and accuracy of the threat intelligence data.
Continuous Monitoring for Real-Time Threat Detection and Response
While continuous monitoring for real-time threat detection and response is a given when it comes to cybersecurity, the Client’s prior experience made it clear that ‘real-time’ does not mean the same thing to everyone. For some, ‘real-time’ detection is seconds. To others, it’s minutes, or even an hour or two. The Client’s position is that every second counts when it comes to identifying and detecting phishing and malicious threats in order to proactively block them before they can execute.
Evaluation Testing Criteria
The Client came to the table with a well-established set of testing criteria that had been developed over years of routine evaluations. The Client had a team of analysts to evaluate and track key performance metrics, which would support the overall analysis of quantitative and qualitative data and so improve its capabilities to detect active threats, prioritize them, and respond accordingly.
The Client’s evaluation began with quantitative testing to gauge things like overlaps in coverage between threat feeds and unique detections against a ground truth list. Once the quantitative results were completed, those were analyzed from a qualitative perspective, which included factors like which feeds were able to detect threats at the base domain vs subdomain vs full-path level, and coverage across different geographic regions as well as the Client’s target industry verticals. The Client conducted a number of time-series tests over a 7 day period, which included measuring the most changed and least changed deltas against the ground truth list, and A:B tests to measure the Median Total Time to Detect (MTTD) phishing and malicious URLs. From there, the Client moved into validation testing to determine the false positive (FP) and false negative (FN) rates for each feed that was tested. Finally, after compiling the evaluation results between a number of different threat intelligence feed providers, the Client scored the feeds in each area of performance.
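The scoring steps described above (overlap and unique detections against a ground truth list, match granularity at base domain vs subdomain vs full-path, FP and FN rates, and median time to detect) can be expressed as a small scoring script. The following is an added example, not the Client’s or zvelo’s tooling: the ground truth, benign control set, feed contents, the minute-based time scale and the two-label approximation of a base domain are all constructed assumptions.

```python
"""Score candidate threat-intelligence feeds against a ground-truth list.

Constructed illustration of the evaluation steps in the case study: coverage
and unique detections per feed, overlap between feeds, the level at which an
indicator matched (full path, subdomain or base domain), false-positive and
false-negative rates, and the median time to detect. Not zvelo's or the
Client's tooling; every indicator and timestamp below is made up.
"""
from statistics import median
from urllib.parse import urlsplit

# Constructed ground truth: malicious URL -> minute at which the analyst team
# confirmed it. The benign set is the negative class for false-positive checks.
GROUND_TRUTH = {
    "https://login.example-bank.net/verify/index.html": 0,
    "http://cdn.evil-host.org/pay/loader.exe": 5,
    "https://secure-update.example.com/auth": 10,
    "https://mail.example.org/reset": 15,
}
BENIGN = {"https://www.example.com/", "https://docs.example.org/help"}

# Constructed feeds: indicator -> first_seen minute. An indicator may be a full
# URL, a hostname (subdomain-level) or a registrable base domain.
FEEDS = {
    "feed_a": {
        "https://login.example-bank.net/verify/index.html": 1,
        "evil-host.org": 7,                       # base-domain-level listing
        "https://www.example.com/": 20,           # benign URL listed: false positive
    },
    "feed_b": {
        "cdn.evil-host.org": 6,                   # host-level listing
        "https://secure-update.example.com/auth": 12,
        "mail.example.org": 18,
    },
}

LEVELS = ("full-path", "subdomain", "base-domain")


def base_domain(host):
    """Registrable domain approximated as the last two labels (assumption: no
    public-suffix list lookup, so a host under 'example.co.uk' is handled wrongly)."""
    return ".".join(host.split(".")[-2:])


def match(feed, url):
    """Most specific feed entry matching url, as (level, first_seen), or None."""
    host = urlsplit(url).hostname
    keys = {"full-path": url, "subdomain": host, "base-domain": base_domain(host)}
    for level in LEVELS:
        if keys[level] in feed:
            return level, feed[keys[level]]
    return None


def evaluate(feeds, truth, benign):
    """Per-feed scorecard against the ground truth and the benign control set."""
    detections = {name: {u: match(f, u) for u in truth} for name, f in feeds.items()}
    report = {}
    for name, det in detections.items():
        hits = {u: m for u, m in det.items() if m is not None}
        others = [o for o in detections if o != name]
        # Unique detections: true positives that no other evaluated feed caught.
        unique = sorted(u for u in hits if all(detections[o][u] is None for o in others))
        levels = {}
        for level, _ in hits.values():
            levels[level] = levels.get(level, 0) + 1
        false_positives = [b for b in benign if match(feeds[name], b) is not None]
        # Time to detect relative to analyst confirmation; a negative value means
        # the feed listed the indicator before the analysts confirmed it.
        delays = [first_seen - truth[u] for u, (_, first_seen) in hits.items()]
        report[name] = {
            "coverage": len(hits) / len(truth),
            "fn_rate": 1 - len(hits) / len(truth),
            "fp_rate": len(false_positives) / len(benign),
            "unique": unique,
            "levels": levels,
            "mttd_minutes": median(delays) if delays else None,
        }
    return report


def overlap(feeds, truth):
    """Number of ground-truth URLs detected by both feeds, per feed pair."""
    names = list(feeds)
    detected = {n: {u for u in truth if match(feeds[n], u) is not None} for n in names}
    return {(a, b): len(detected[a] & detected[b])
            for i, a in enumerate(names) for b in names[i + 1:]}


if __name__ == "__main__":
    for feed_name, card in evaluate(FEEDS, GROUND_TRUTH, BENIGN).items():
        print(feed_name, card)
    print("overlap:", overlap(FEEDS, GROUND_TRUTH))
```

On the constructed data, feed_a covers half the ground truth with one false positive on the benign set, while feed_b covers three quarters with none; the match-level counts show why that distinction matters, since a base-domain-level entry such as the one in feed_a catches a threat but would also block every legitimate page hosted under the same domain. A production version would replace the two-label base-domain guess with a public suffix list lookup and run the scorecard on each daily snapshot to produce the time-series deltas the Client measured.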
The Solution
zveloCTI™ Cyber Threat Intelligence Feeds including PhishBlockList™ and Malicious Detailed Detection Feed™.
After the Client wrapped up its thorough evaluation of threat feeds, zvelo proved to be the clear winner with the best scores across all the different evaluation criteria. zveloCTI provides meticulously curated, high veracity, actionable and real-time active threat data on phishing URLs, malicious URLs and files, and suspicious new domains that defenders and threat teams can ingest for analysis and enrichment.
- Unique detections of malicious & phishing exploits
- Metadata attributes and IOCs for contextualized intelligence data
- Real-time, continuous updates
- Global clickstream traffic from 600+ Million users and endpoints
- Curated 3rd party feeds plus zvelo proprietary data
- High veracity and low false positives
- Flexible deployment with multiple formats available
- Unmatched visibility, coverage, reach and accuracy
The Results
In the short time since the Client has completed the integration, the results have exceeded early expectations. In addition to an immediate lift in threat detection rates globally, the Client experienced detections that were faster, more accurate, and unique to the zvelo threat intelligence feeds which has quickly reduced the Client’s threat risk by minimizing gaps in coverage. Additionally, the Client was able to reduce operational expenses by streamlining its ecosystem of sources to achieve a higher overall ROI from the MDR offering. And finally, the Client was able to amplify the effectiveness of its own security and threat analyst teams due to the high quality of zvelo’s threat intelligence data. The rich metadata and IOCs enabled the Client’s teams to include greater contextual detail to assist their customers in making more informed decisions to reduce their cyber risk and improve their threat posture.
By leveraging zveloCTI threat intelligence feeds for premium data quality, veracity and low false positives, the Client has been able to focus on what it does best and confidently defend global customer networks and endpoints by blocking attacks before they can execute.