MDR vs. MSSP: Comparing Managed Cybersecurity Services
There are all kinds of managed services out there trying to help all kinds of businesses, from small to enterprise, tackle their security. Unless you’re one of the few who have miraculously found their perfect match, most of your experience with a provider or vendor has been dissatisfying, to say the very least. Unfortunately, outsourcing or a hybrid approach is a must in order to cover the labor and expertise needed for successful security operations.
To help, we’ve defined two kinds of managed services: MDR and MSSP. Terms don’t mean a lot these days, but we still need to know which security solution will best meet our outcomes.
Here are some general questions that you’ve either already asked or need to ask as you start your search:
- What security outcomes am I looking to achieve?
- What is the size of my team?
- What do I need to protect? Do I have specialized needs?
- What do I need help with? What am I looking for a managed service to cover? What level of response and involvement within my SecOps do I need from an outsourced team?
- How quickly am I growing?
What is the difference between MSSP and MDR?
Managed Security Service Provider (MSSP)
With an MSSP, the keywords here are “services provider”. It focuses on providing a great breadth of security services for your network, endpoints, web, cloud email, and even software. Monitoring and aggregating alerts is involved, but it doesn’t specialize in the investigative analysis of threats or responding to them like a managed detection and response service (MDR).
This level of managed security services is best for small, medium, and even most large companies that need help with many different services, products, and tools at a lower cost. You could be a company that needs to initially build out your environment with tools. Or you could be looking for a low-level SOC-as-a-service.
With an MSSP, you can find help building out security tools and systems, like a SIEM or cloud infrastructure, to compliance standards. It will alert you, but remediation will be handled by your team. However, most MSSPs today do sell outsourced services like a SOC that will help with response, but it’s usually a cut-rate option compared to most MDRs.
You will see most companies trying this hybrid approach with MSSPs, but as mentioned, it has many shortcomings. More often than we’d like to admit, it’s a disastrous situation because of a lack of internal knowledge of the customer’s business as well as their security ecosystem. The value of an MSSP is going to be in the breadth of services they can provide and cover. This usually isn’t a good option as an extension of your security team, despite the “managed” title.
Be aware of an MSSP’s intellectual property policies. You could lose the content and rules built within a tool like a SIEM because they own the product. Leaving an MSSP could put your security posture back close to where it started.
Level of Risk
Another factor is your level of risk. Perhaps you don’t handle much customer data, have few regulatory requirements, and have few users within your organization. An MSSP would be a good fit for you to augment some security items. Companies in the financial, health care, or critical infrastructure industries, for example, would be more in need of protection. These businesses most likely have a SOC and partner with a managed detection and response provider for specialized threat detection and response.
MSSP Provides:
- Log Monitoring and Alerting
- Firewall Management
- Device and cloud management
- Intrusion detection
- Virtual Private Network
- Vulnerability Scanning
- Anti-Viral Services
- and more
MSSP Doesn’t Provide:
- Threat Detection
- Incident Investigation
- Alert Triage
- Threat Hunting
- Incident Response
Managed Detection and Response (MDR)
What sets MDR apart from MSSP is the focus on threat detection and response. A managed detection and response solution is both a provider of threat detection technology and a provider of a service from a SOC that performs threat response and remediation efforts on behalf of customers. The technology traditionally targets endpoint activity. MDR came about when customers of an EDR provider needed help to take quick action against threats.
Outsourcing Services and Level of Response
Now, managed detection and response is an even bigger case of a term that doesn’t mean much, because the services offered under it can vary greatly. On one end, you have MDRs that look something like a traditional endpoint detection and response (EDR) product built to forward events to a SIEM and on to your security team, or that look like a rebranded MSSP that will still only throw you alerts. On the other end, MDR services can offer threat hunting and simulation even outside of EDR. They can bring in data from the likes of the network, cloud/SaaS, email and endpoints. They could offer to work with all your security tools and conduct a plethora of security operations. The need that MDRs try to meet within the market is to be an extension of your team so your organization can act and respond to threats quickly. You will have to define what you are looking for in response and find the right level.
Transparency, Visibility, Integrations, Unification of Workflow
One main factor to consider while choosing an MDR is transparency into the security processes. Most MDRs try to sell a partnership with your security team, but you will not have full access to people, process and technology. Detection logic may not be built directly in your technology. Full investigation workflow, notes and logs aren’t available in an interface. You won’t find a list of automation plays and hunt campaigns. The integration capabilities differ from provider to provider. All these barriers to transparency stand in the way of what security experts look for in a partnership with a managed service.
For these reasons, along with a lack of understanding of your environment, the partnership with an MDR can still be a major hurdle to success.
MDR Provides:
- Threat Detection
- Incident Investigation
- Threat Hunting
- Incident Response
- Threat Intelligence
- Partnership/Outsourced Service
- Data Analytics & Reporting
MDR Doesn’t Provide:
- High customization – MDRs often deliver out-of-the-box solutions, leaving unique needs unmet.
- Transparency – most MDRs work as a “black box,” meaning your team has no transparency into what is being done in your own environment.
- Integration compatibility – typically won’t support your tool stack, leaving you to use a black-box approach or make more expensive purchases.
- Visibility into entire security environment – MDRs aren’t able to translate data from your other security systems.
- Unification of and communication among technology and tools – MDR tech doesn’t have the ability to pivot into other tools and tech.
- Maintaining intellectual property and security posture – provider owns security structures built.
- Significant Incident Response – IR isn’t always robust, leaving you to take on most of the legwork.
- Continuously Updated Detection and Response Playbooks – outdated and minimal content could be your best line of defense.
- Advanced Detection Capabilities – rudimentary, often relying on out-of-the-box content that only focuses on known threats.
- Poor Investigation Proficiencies – poor implementation of best practices to reduce noise levels.
Go Beyond MDR with ReliaQuest
Here are some outcomes you’ll want to consider for the success of your security operations, and the things ReliaQuest is answering for today’s cybersecurity solutions:
- Transparency – do I have full access to the tech, processes and workflows? Do I have access to the provider’s resources, knowledge and training?
- Visibility – do I have a view of decentralized data from across my entire security ecosystem? Am I able to normalize data across tools, systems and languages? Can I leverage all the tools I already have?
- Reporting – am I able to measure visibility, tool efficacy, and team performance? Am I able to prove the value of our security, benchmark it to industry standards and show it to business decision makers?
- Growth – can I maintain the security that’s built out in my environment even if I switch providers? Can a provider meet me where I’m at or let me add tools to my stack?
- Unification – can I complete the entire alert/threat investigation lifecycle in one platform, no matter where the security data I need resides? Can I automate across the lifecycle out of the same platform?
- Tech + Services – will the provider be able to continuously update my tools and environments and their tech? Will I be able to focus on true threats and even business initiatives?
- Customer Success – can we track the provider’s deliverables and timelines?
How ReliaQuest Does It Better
- Transparency – Unlike a lot of MDRs, transparency is at the top of our list. You have a right to know what we’re doing with your security stack, so we give you the same view as our analysts through our GreyMatter platform. We’re also big on actionable reporting, so you know where you stand and what you need to do to improve. You not only see what we see—but you can also participate in detection, analysis, hunting, and response alongside our analysts. You can decide where, when, and how much you want to participate.
- Consistency – Over a decade of experience managing global customers has helped us codify best practices in our cloud-native technology platform to ensure consistent service delivery. We can reduce your noise level by 90% with automated, contextual threat enrichment. We focus on going beyond out-of-the-box detection content. Our view into our global customer base affords us the ability to deliver detection and hunt content packages that are field-validated, consistently helping you be aware and ready against a dynamic threat landscape.
- Speed – Taking a technology-first approach, we automate across the security lifecycle, including data collection, threat detection and hunting, contextual enrichment for investigations, and response. Because we prioritize speed and efficiency, we can help you reduce false positives and drive faster time-to-insights and quicker remediations.
- ReliaQuest: A trusted partner – Our clients say it best: “ReliaQuest gives us hours back in our day, every single day. Since the beginning of our partnership, they’ve been right by our side, walking with us every step of the way.”