The MSS model was conceived in the late 90’s and not much has changed since then in the way MSSP’s manage and monitor customer networks. During this same time period, the way attackers work to target, compromise, and exploit organizations has changed significantly – in favor of the adversary. LMNTRIX was borne as a necessity to help close the gap left in the market from the traditional MSSP model.
Gartner’s definition of Managed Detection and Response (MDR) services best characterises the business that LMNTRIX is in:
A focus on threat detection use cases, especially advanced or targeted attacks that have bypassed existing perimeter controls (e.g., next-generation firewalls [NGFWs], secure web gateways [SWGs], network intrusion detection systems [NIDSs], endpoint security). Compliance use cases are not a focus and commonly not addressed at all.
Delivery of services usually using a vendor-provided stack of network- and host-based controls (e.g., commercial, open source or provider-developed). These tools are not only positioned at the traditional internet gateways, but are also inward-facing to detect the threats not typically discovered by traditional perimeter security technologies.
These tools, where deployed, are managed and monitored by the provider to improve an organization's ability to detect threats. The types of tools and detection methods used by the providers vary in the use of logs, network flows and traffic, and endpoint activity. For example, some vendors rely solely on network security monitoring while others only on endpoint agents to generate logs or detect threats, and others rely solely on the logs generated by a customer's existing security tools.
Security event management and analysis technology that utilizes threat intelligence and advanced data analytics is commonly, but not exclusively, at the core of these services. It is fed events from the stack of vendor-supplied controls, customer log and event sources, or some combination of the three.
24/7 monitoring, analysis and customer alerting of security events with preliminary triage performed by a person (e.g., not relying just on automation to add some context to an event).
Incident validation and remote response services, such as hunting for additional hits on indicators of compromise (IOCs), reverse malware engineering, and consulting on containment and remediation are included in the service, without the need for an incident response (IR)-specific retainer or agreement. Retainers are reserved for onsite
breach response services. Assistance with remediation actions in bringing the environment back to some form of "known good" is sometimes included or available as an additional service.
The following table provides details of the major differences between the approach an MSSP takes compared to the approach used by LMNTRIX:
Protect all information assets
Focus protection efforts on most important
assets (‘crown jewels’)
Preventive controls (AV, firewall)
Detective controls (monitoring, data analytics)
Data-centric – includes network and cloud
Goal of Logging
Piecemeal: find and neutralise malware or infected nodes
Piecemeal: find and neutralise malware or infected nodes
Collect information on malware
Develop deep understanding of attackers’ current targets and modus operandi and the organisation’s key assets and IT environment
Success Defined By
No attackers get into the network
Attackers sometimes get in, but are detected
as early as possible and impact is minimised
Relies on a single source
Relies on hundreds of sources of threat intelligence plus internal research
Uses SIEM and relies on the correlation and monitoring of logs from the client network
Does not use a SIEM nor collect any logs. Does not rely on clients existing security controls.
Uses behavior analytics and data science modelling. Uses a validated architecture and deploys it’s own technology stack
Offer basic detection and alerting services. It is the responsibility of the customer's security team to provide additional incident, analysis and associated response activities. Relies on clients security controls with limited detective tools.
Deploys its own technology stack – an extensive range of commercial, proprietary and open source tools.
Delivers remote incident response together with network and endpoint hunting
Manages client security controls (FW,IPS etc)
Does not manage any client security controls
Non or sometimes available at an additional cost
Full packet capture with attack reconstruction
Range of Services
Deliver a broad range of security device management and monitoring together with vulnerability management, product re-sale, integration, and professional services.
Exclusively focused on detecting and responding to previously undetected threats that have breached an organization's perimeter and are moving laterally through the IT environment
Non or sometimes available and offered at an additional cost
Incident validation (EDR), containment & remediation, threat hunting, malware reverse engineering, deceptions, deep and dark web monitoring, predictive intelligence, emulation, encrypted attack detection, behaviour analytics, machine learning, data science and statistical modelling are all included in the base capability
Large team of tier 1 to tier 3 analysts, Security Engineers, SOC Managers, SDMs, Reporting Analysts, etc
Small team of senior intrusion analysts, threat hunters, incident responders, intelligence analysts and forensics/malware analysts
Offers SLA’s for threat detection and device management
Does not offer any detection or alerting SLA’s. Instead offers more in-depth analysis and actionable advice specific to the threat detected rather than being tied to a response metric