Is Managed Detection and Response (MDR) the latest buzzword in the managed information security services marketplace? Or is it something truly revolutionary?
Called “the next generation of managed security services,” by International Data Corporation (IDC) and identified as the fastest-growing area within IT security services by Gartner, MDR has attracted a great deal of analyst attention in recent years. Many of today’s Managed Security Service Providers (MSSPs) are eager to jump on the MDR bandwagon in the hopes of expanding their services portfolios and increasing their revenues as a result.
But does MDR really live up to the hype? Can this all-in-one security service offering—which augments the traditional security monitoring services that old-fashioned MSSPs provided with expert alert analysis and with automated and manual incident response capabilities—deliver more value for your investment?
“Now more than ever, companies are experiencing shortages,” says Matthew Wilson, Chief Information Security Advisor at BTB Security. “Their budgets are limited, experienced security personnel are as scarce as ever, and there’s a lack of time to resolve all the issues. Managed detection and response services make high-quality security monitoring more accessible than ever before, at a price point that’s within reach of organizations that could never afford to build their own data centers, let alone an in-house security operations center (SOC).”
In short, the answer is yes.
MDR = security monitoring services + incident response
“Here at BTB, we were doing MDR long before MDR was the latest thing,” says Wilson. “We define it as the ingestion and analysis of meaningful security data from across the environment, coupled with all the people, processes and technology we provide to facilitate that.”
What sets MDR apart from traditional managed security services in practice is that the latter is primarily an alerting engine: the MSSP takes responsibility for monitoring the infrastructure, but when signs of potentially malicious activity are detected, those alerts are escalated back to the client for further investigation and remediation. With MDR, the provider retains ownership of the platform that gathers alerts from across the client’s environment, detects when activity strays from the client’s typical baseline, engages its own experts to analyze and investigate those alerts, and responds to threats and incidents. It’s a far more comprehensive approach.
“With the traditional approach, it’s up to you—the client—to figure out what’s going on in your environment when an alert is generated,” explains Wilson. “With MDR, it’s always on us.”
Making the shift from traditional managed security services to MDR means that a client’s internal security team will no longer be subject to a barrage of false positive alerts that they’ll then be tasked with investigating. Instead, the MDR provider takes responsibility for determining whether or not the incidents are truly malicious. “We deal with all the false positives, and we do all the legwork,” says Wilson.
Why a comprehensive approach is essential today
In the wake of the unprecedented shift to large-scale remote work for companies across industries in the past six months, many IT and security teams have found themselves scrambling to keep up with rapid changes in their environments. “Recent events really greased the wheels on the cloud migration train,” says Wilson. “All the trends that were already in motion have been accelerated.”
Though attacks may have increased (it’s difficult to say for sure, since the best resources for understanding cybersecurity trends haven’t finished compiling the data on this year’s events yet), organizations certainly don’t have enhanced capabilities or more resources for dealing with them. Many have re-engineered their infrastructures on the fly and are now toiling to clean up security after the fact. And many are facing new budget constraints.
“When finances are limited, it’s a good time to consolidate,” says Wilson. “MDR represents an efficient use of your cybersecurity dollars, because a single provider can take responsibility for a broad range of functions.”
What to look for in an MDR provider
Ongoing security monitoring is one of the key controls necessary for strengthening your company’s security posture. It’s a must-have if you want to reduce attacker dwell time and lessen your chances of experiencing a devastating breach. But building an in-house security operations program is only possible for large enterprises and those with deep pockets. And supplementing an MSSP’s monitoring services with your own incident response team isn’t much easier or less expensive.
Outsourcing to an MDR provider allows you to take advantage of that provider’s most valuable asset: the highly skilled and experienced security analysts that it employs. “Providing top quality services involves relying on technologies like automation and machine learning, but it also requires the creativity and ingenuity of a talented security team,” says Wilson. “For instance, if an alert indicates that an account was logged into from China, an analyst can check the employee’s email and even calendar to see if they’d planned any international trips. Automation can do some of that, but it doesn’t have the intuition of a human.”
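As an added illustration of the baseline-deviation alert described earlier and the triage Wilson outlines here (example code written for this page, not BTB’s platform), the following Python classifies a login from an unusual country against the account’s known countries and a calendar travel record before anyone is paged. BASELINE, TRAVEL and the sample logins are constructed; an MDR platform would draw them from its own telemetry and enrichment sources.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

def utc(y, m, d, h=0):
    return datetime(y, m, d, h, tzinfo=timezone.utc)

# Constructed baseline: countries each account has previously logged in from.
BASELINE = {"jdoe": {"US"}, "asmith": {"US", "GB"}}

# Constructed travel records, as an analyst would pull from the user's calendar:
# (user, country, trip start, trip end).
TRAVEL = [("jdoe", "CN", utc(2020, 9, 7), utc(2020, 9, 14))]

@dataclass
class Login:
    user: str
    country: str  # ISO country code derived from the source IP
    when: datetime

def known_travel(user, country, when):
    """True if a calendar entry places the user in that country at that time."""
    return any(u == user and c == country and start <= when <= end
               for u, c, start, end in TRAVEL)

def triage(login):
    """Classify one login: 'expected' (within the user's baseline), 'explained'
    (outside baseline but covered by travel), or 'escalate' (unexplained)."""
    if login.country in BASELINE.get(login.user, set()):
        return "expected", f"{login.country} is within baseline for {login.user}"
    if known_travel(login.user, login.country, login.when):
        return "explained", f"calendar shows {login.user} travelling to {login.country}"
    return "escalate", f"{login.user} logged in from {login.country} with no baseline or travel match"

def escalate_only(logins):
    """The MDR handoff: the provider absorbs expected and explained events and
    passes only unexplained ones to the client."""
    return [l for l in logins if triage(l)[0] == "escalate"]

# Constructed login events for the demonstration.
SAMPLE_LOGINS = [
    Login("jdoe", "US", utc(2020, 9, 1, 9)),    # expected
    Login("jdoe", "CN", utc(2020, 9, 9, 3)),    # explained by the calendar entry
    Login("jdoe", "CN", utc(2020, 10, 1, 3)),   # escalate: the trip is over
    Login("asmith", "GB", utc(2020, 9, 2, 8)),  # expected
    Login("asmith", "BR", utc(2020, 9, 2, 8)),  # escalate: no baseline, no travel
]

if __name__ == "__main__":
    for login in SAMPLE_LOGINS:
        verdict, reason = triage(login)
        print(f"{verdict:9} {reason}")
```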
Seek out an MDR provider whose analyst team boasts extensive experience in adjacent areas of cybersecurity, such as penetration testing or threat hunting. “Just having the certifications is not enough,” says Wilson. “You want someone who has had lots of practice in the real world.” And look for a vendor-agnostic approach: working with the technology stack that you already have in place and that is already generating meaningful security data can save you money. “You don’t always have to invest in costly new infrastructure to get effective monitoring; use what you have today,” he adds.
Want to learn more about how MDR can boost your organization’s cyber resilience and prepare you to face tomorrow’s most pressing threats? Contact us to learn about our Rapid Advanced Detection and Response (RADAR) service today.