
Why should organizations care about TDIR?

TDIR (Threat Detection, Investigation and Response) is a new approach to enhancing the analysis and action capabilities of SOC Managers.

This approach has emerged in response to the growing need for organizations to understand the threats to which they are exposed, threats that are evolving ever more rapidly.

Let’s take a look at the TDIR approach, its benefits, and its strategic and operational implications, in this review of a webinar hosted by Anouck Teiller, CSO at HarfangLab, and François Khourbiga, CEO of Defants.

What is the TDIR approach: a definition

At the heart of the TDIR approach is the key concept of addressing threats through the risk they represent for the organization. The approach has three components:

  • Data, and the ability to aggregate it: a component SOC Managers already master well, and from which the other two flow;
  • Detection, notably with the help of EDRs, to carry out detailed analysis as close as possible to endpoints and information system users;
  • Investigation, to provide an appropriate response and continuously readjust the cybersecurity posture.

Of course, an organization must be able to react to incidents, but it must also be able to prevent them by proactively leveraging its data and expert resources.

In this sense, the TDIR approach can both anticipate threats based on knowledge of the data, and draw on that same data to adapt the response in the event of an attack.

TDIR thus aims to optimize resource management by prioritizing threats according to the organization’s context. It promotes better, more effective remediation at the right time, by building a coherent response capability across the entire threat-processing chain.
 

What are the concrete benefits of the TDIR approach? 

The TDIR approach is of real interest to organizations and to cybersecurity service providers (MSSPs). More than just an acronym, it is above all a methodology underpinned by the quest for efficiency and operational performance in handling all security events on an IT estate.

First and foremost, it creates a bridge between the teams responsible for detection and supervision (SOC) and those responsible for incident response and remediation (CERT).

By breaking down silos and pooling investigations, alerts are qualified more pertinently and can therefore be prioritized more effectively.

Secondly, knowledge and prioritization of threats brings intelligence to the management of the resources and tools to be deployed. In this way, the TDIR approach allows resources to be systematically adapted to the threat at hand.

Last but not least, by complementing risk documentation, which is generally produced at fixed intervals, often several months or even years apart, the TDIR approach contributes to the continuous improvement of information system security in the face of a threat that is itself constantly evolving.

This approach makes it possible to adapt a cyber strategy in near real time, based in particular on analysis of the data provided by an EDR, with a view to understanding and prioritizing the threats facing the organization on a day-to-day basis.

In short, this continuous improvement, driven by knowledge and aggregation of data, has an impact on:

  • ability to react appropriately in the event of a security incident,  
  • ability to focus resources and means on the organization’s priority threats.  

To conclude, let’s see how HarfangLab and Defants apply the TDIR approach in the field. 

How do HarfangLab and Defants implement a TDIR approach? 

For a supervision team, coupling an EDR with a Threat Investigation platform can be the first step in implementing the TDIR approach, by:

  • finely defining the granularity of security events and the data to collect, in relation to the threat to the organization;
  • prioritizing the response to individual security events on the basis of targeted investigations;
  • reacting proportionately to alerts.

Subsequently, using the data provided by the EDR, analysts can carry out in-depth investigations based on enriched, exhaustive and contextualized information. They also save time thanks to automation, whether through the EDR’s native functionality or a third-party solution.

Case in point: as part of a TDIR approach, by collecting and aggregating data, analyzing it and automating remediation actions, MSSPs equipped with HarfangLab and Defants can identify threats common to their various customers, anticipate reaction needs and thus provide common responses.

In short, knowledge of the data, and therefore of the threat, is essential to being proactive and providing the best response in the event of an incident. These are crucial issues for SOCs, which the TDIR approach, with EDR and Threat Investigation as its cornerstones, helps to address.

Want to know more about the TDIR approach?
Watch our webinar with Defants (in French).