Discover what round-the-clock security means with James Rodewald, as he explains what makes ESET MDR the security service to get.

ESET World 2025 was an event that brought together top cybersecurity experts from all walks of life, so you’d expect tangible examples of what makes a business really stay secure. That’s exactly what James Rodewald, security monitoring analyst at ESET did.

During the session titled “Staying protected with ESET MDR,” Rodewald pointed out the critical pain points of IT admins and how managed detection and response (MDR) saves them time and unlocks new efficiencies, as well as sharing a story about a VPN gone rogue.

Usually, IT admins need to split their focus between many areas, and security is just another small part of their tasks, often getting less attention than necessary.

Of the many issues surrounding a company’s cybersecurity, their budgets are a key concern — proper security operations centers (SOCs) can be pricy, as covering hundreds of seats takes time and effort. Some companies assume that having two people cover an entire SOC’s capabilities is enough though, but Rodewald strongly disagrees: “They wouldn’t be able to monitor 24/7. … If something happens while they’re asleep or possibly on vacation, that could be really bad.”

While Rodewald doesn’t want to deter IT professionals from trying, he highlights that there are certain gaps that only security experts can fill: “IT admins are smart. They’re great at what they do. They make these beautiful systems that all communicate with each other — and that’s amazing. But sometimes they don’t know how to notice when somebody else is maliciously managing their network. And that’s where the dangers come in.”

Securing added resources for IT admins to fight threats while they take care of daily tasks is what ESET MDR offers in spades. This is rather helpful for smaller businesses lacking security headcount within their IT departments, quickly leveling up their postures. “It’s like you set it and forget it. … Customers want somebody to monitor and be notified if something happened, what we did to remediate it, are there any actions they need to take,” said Rodewald about the service.

ESET MDR is a 24/7 threat management service for smaller organizations, using AI and human expertise for premium protection without in-house security specialists. Let ESET block, stop, and disrupt malicious behavior in just 20 minutes while you focus on core competencies.

While a basic MDR service can offer enterprise-grade security, with monitoring performed by earnest experts trained to stop security incidents (using top threat intelligence to empower their decisions), a lot more can be done for complex environments with a larger footprint. These environments need a specific approach, slotting in naturally to the existing security apparatus of a larger organization.

As Rodewald said, ESET MDR Ultimate (MDRU) is “for those customers that want to live with us in real time as we monitor their environment … benefits range from custom rule and alert creation, [to] optimizing the security environment … to finding unprotected devices, etc. So, across the range of these activities, we drive both operational and process maturity, help with remediation, and even flag those unprotected devices, sadly an all-too-common source of threats.”

ESET MDRU perfectly combines ESET technology and digital security expertise to effectively and proactively detect and respond to any threat. It is a tailored service, acting as a SOC-like security umbrella, with the ability to protect sophisticated environments with dedicated security teams.

Rodewald also highlighted ESET MDRU’s reports, explaining how the process is more human, connecting experts from both sides to design better protection rules and mechanisms in tandem, which adds even more value.

The ESET MDR service tier maintains a 20-minute time to detect for all customers — currently having a 1-minute time to react and around a 5-minute time to resolve an incident. This is owed to 24/7 SOC-like monitoring, with our MDR teams constantly improving their decision-making processes with every single detection.

To achieve this fast detection and response rate, Rodewald elaborated on ESET MDR’s training regime: “The way we train is to ask the question, could we have spotted this sooner? Because if we can improve, then we want to improve. Also, would you be able to identify this [threat] if you saw it in the wild?” Relevant teams also examine research so they might better identify issues they hadn’t yet encountered.

As a result, ESET’s MDR teams can actively isolate false positives from real detections, apply novel incident response playbooks as needed, and manage trainings to keep analysts up to date on threats. For in-house teams (especially IT generalists), this might be a tough nut to crack, but it’s the vicious cycle that ESET security monitoring analysts are trained for.

In a story about an ESET MDRU success, Rodewald spoke of how a VPN gone rogue led to FIN7 getting on a business’s network. The company in question, which owns a large network with multiple sites globally, was unknowingly breached prior to onboarding its ESET service (at least two to three months before). While it had an XDR solution employed, no one was monitoring it — a recipe for disaster.

In the beginning, someone had used PowerShell to create an external network connection, leading to a renamed remote monitoring and management (RMM) tool being installed (LiteManager). The PowerShell also had an interesting script called “PowerTrash,” which was over 6,000 lines long.

Next, the RMM tool, renamed to romfusclient.exe, started another execution chain to install an OpenSSH backdoor: “This backdoor would communicate with a remote C&C [command-and-control] server and allow whoever was in control to tunnel through this device to target other devices on the network,” said Rodewald.

Shortly after ESET MDRU’s onboarding, monitoring picked up on lateral movement via remotely scheduled tasks — another instance of PowerTrash was being executed: “Its goal was to dump credentials and load Spy.Sekur into memory. At this point, we knew it was FIN7 because Spy.Sekur is only used by FIN7, and PowerTrash, I believe, is also exclusive to FIN7,” commented Rodewald. The latter was 41,000 lines of code, much longer than the previous instance.

“We started to see other lateral movement as we were creating custom rules to block things. … And we started to see this via both remote tasks and WinRM. We saw that their goal this time was to execute a batch file to execute a renamed version of RClone.exe in order to back up the file shares of the network and then use a renamed copy of 7-Zip to compress that all before they would then exfiltrate it,” Rodewald continued.

The MDR team then started to kill and block these processes while creating custom rules to disable them permanently. Nevertheless, this was happening across multiple devices, with multiple forms of lateral movement.

Since the MDR team had the source IPs of each of those movements, it understood that it had to locate unprotected devices in the customer’s environment because they weren’t showing up inside ESET PROTECT or ESET Inspect as being managed. “So, we’re on the phone at this point, and I’m having them remote me directly into these devices so I can see what’s going on. We found OpenSSH backdoors on multiple different devices — we needed to either have the client cut them off the network, or I needed to manually remediate the[m],” said Rodewald.

However, the adversary wasn’t done. Likely panicking as they were losing access, they dropped a new tool: “It was a never-before-seen DLL side-load!” exclaimed Rodewald. While the .exe may have been seen in the wild before (TopoEdit) it included a malicious DLL.

“They were trying to stay on the network. … We spotted that in less than 30 seconds,” said Rodewald with a smile. Thus, the MDR team blocked the clean .exe and the DLL and remediated it from about six or seven other devices, all within the same time frame.

In parallel, the team became curious to investigate how initial access occurred: “We started pulling logs from devices, trying to find the trail of events … so we were doing digital forensic [incident] investigation.” Before they got too deep into that investigation, the threat actors showed their cards: Someone was using Remote Desktop Protocol (RDP) from private IPs to access different devices and immediately installing AteraAgent with Splashtop — two other RMM tools.

However, these IPs were on a specific subnet that was different from other devices on the network, which were quickly confirmed by the business’ admin as addresses assigned by the client’s VPN.

“Their VPN appliance was compromised. They had rogue devices owned by the threat actor joining the VPN and then RDPing to other devices,” Rodewald revealed. Hence, the MDR team had the company shut down its VPN, with no new activity since, though it is still being monitored.

This story highlights how thanks to the close-knit cooperation enabled by the ESET MDRU service, immediate action was taken, quickly developing new playbooks and security strategies for the client to prevent future incidents.

The key value of ESET’s MDR services lies in its prevention-first quality. With each of ESET’s managed services tackling different company architectures, the goal is the same — unlocking fast detection and almost immediate remediation, tackling novel threats before they can cause mischief.

Plus, as evidenced by Rodewald’s rogue VPN story, perhaps going for a managed service even while experiencing a compromise can enable businesses to snatch a security win from the creeping tentacles of a breach.