Managed Detection and Response (MDR)
What You Need to Know
What Is Managed Detection and Response (MDR)?
According to Gartner, “managed detection and response (MDR) providers deliver 24/7 threat monitoring, detection, and lightweight response services to customers leveraging a combination of technologies deployed at the host and network layers, advanced analytics, threat intelligence, and human expertise in incident investigation and response.” MDR, then, is an outsourced cybersecurity service where a trusted third party manages threat monitoring, detection, and incident response for the organization.
This makes the third party responsible for monitoring the security ecosystem 24/7 in real time, detecting various threats, and investigating them. Additionally, they either respond to threats or provide the necessary information so the organization’s security team can act.
How Does MDR Work?
An MDR provider uses a combination of various technologies, best practices, and skilled analysts to deliver its services. The basic components typically include a Security Event and Information Management (SIEM) technology and endpoint detection and response (EDR) or endpoint protection platforms (EPP).
Many MDR providers look to their own or white-labeled solutions to achieve those different functionalities in a turnkey fashion. In such cases, the MDR may or may not leverage the customer’s existing security tools and technologies. The outcome, then, is largely dependent and limited to the MDR provider’s tools, approach to security monitoring, the processes they use, threat intel sources they use for context, and the data sources on which they rely to learn about threats. If an organization is keen on extending current security technologies they have invested in or needs a partner who can help them mature their security operations, a turnkey approach will fall short.
How MDR Compares to Other Options
MDR vs. MSSP
A managed security services provider (MSSP) functions similarly to an MDR service provider in that it monitors a customer’s network security. The difference is that the former merely provides alerts when it spots anomalous activity indicative of security incidents in the latter’s managed systems. It doesn’t launch an investigation, and it does not respond to any threats that it uncovers in the process. It tags alerts—including false positives—and sends them to their customer’s IT team for review. By contrast, MDR detects, investigates, correlates, and responds to security alerts. In addition, an advanced MDR provider would conduct threat hunting operations as well as manage your security investments.
MDR vs. In-house Security Operations
Many organizations might opt for in-house security operations where they build their own tech stack and manage the various tools. This initiative requires the right resources and skills to not only conduct incident response—from detection to response—but also administer and manage the various tools and keep them optimized against a dynamic threat landscape. In many cases, co-management with an MDR provider is a viable option since this allows the in-house security team to leverage outside expertise without having to hire them, ensure 24/7/365 monitoring, and focus on more strategic initiatives and high-value tasks. Here are the primary technology options while building out an in-house tech stack:
MDR vs. SIEM
In most cases, a Security Information and Event Management (SIEM) technology is the predominant technology to operationalize security operations. SIEM technologies specialize in ingesting, aggregating, and correlating data from network security devices, provide real-time monitoring and analysis of events and help with compliance by logging data. In many cases, SIEMs require analysts to write rules or scripts with specialized languages. While SIEMs have matured over the years, there could be architectural challenges with ingesting all the necessary data and requires specialized skills to manage, optimize, and operate.
MDR vs. EDR
As the threat landscape evolves, endpoint detection and response (EDR) technologies are becoming more of an imperative. They offer continuous threat monitoring and detection as well as automated response to digital threats. But EDR brings this functionality to the endpoint level only, falling short of contextual focus on threats. While they promise timely response to attacks, EDR tools are very resource-intensive and require specialized skills.
MDR vs. XDR
Extended detection and response (XDR) is a cross-platform threat detection and response strategy and is the next evolution in the answer to cut across security silos in an organization. The benefit of XDR is that it enables organizations to take a proactive approach to their security by delivering visibility across endpoints, applications, cloud workloads, and the network. In some cases, MDR providers are starting to leverage XDR technologies, given their advantages. But XDR technology requires integrations with disparate tools and can be resource-intensive for an early-stage organization that might lack the right talent.
What Are the Benefits of MDR?
Not all organizations have robust IT security teams who can manage their threat detection and response requirements internally. Amid the ongoing cybersecurity skills gap, many organizations have trouble hiring professionals to fill out their teams. Even when they hire someone, they could still struggle to retain their talent due to poaching from other companies, a lack of effective management, and the pressures of the job.
MDR can help to address these challenges by amplifying the reach of organizations’ security teams. Specifically, it helps to improve team members’ visibility of the network and reduce the number of false positives and focus on true threats. Security personnel can therefore spend less time chasing down alerts (or potentially false positives) and more time working on meaningful projects that help to augment their employer’s security posture.
The benefits of MDR don’t end there, either. Fewer alerts mean less time needed to visualize an attack chain, for instance. Hence a shorter mean time to respond (MTTR). Not only that, but MDR can end up saving customers money in the long run. Organizations don’t need to set aside the effort, budget, and time to establish their own internal Security Operations Center (SOC). All they need to do is pay a monthly operating expense for the MDR platform, and they get access to a reputable SOC that already exists in a shorter amount of time.
Best Practices for Selecting an MDR Provider
Organizations need to consider several things when selecting an MDR provider.
“M” Is for “Managed”
- Is the cost predictable and straightforward? Organizations need to know if the cost for an MDR offering enables them to scale or change their service as their business requirements change. They also need to know if 24/7/365 coverage really means continuous monitoring or whether it applies only to a limited number of security events.
- Does the service come with a dedicated customer service manager? One of the core benefits of MDR comes from someone who understands the customer’s strategy, provides recommendations, and helps mature their security program over time. This type of attention ensures that organizations are fulfilling their security requirements and can work with the MDR as a trusted partner towards that end.
- Are reporting and measurement included? It’s difficult for organizations to evaluate their security programs if they have no way of determining where they stand. That’s why it’s helpful when MDR platforms come with measurements that can help security teams demonstrate how they’re decreasing risk and facing up to the threats they care about while saving time and money. Otherwise, they’ll need to implement measurements on their own outside of the MDR platform, thus creating more work for their security personnel.
“D” Is for “Detection”
- How does the provider assess threats in a customer’s environment? MDR is helpful only if it works with organizations to address their unique security requirements. As such, the best MDR arrangements are those where the provider uses best practices based on customers’ industry, business, or department goals along with relevant frameworks to prioritize risks along with detection content.
- Can the provider work with their existing security tools? As they work with an MDR provider, organizations might see redundancies and find themselves in a position where they can optimize their security stack. They might also eventually decide to bring on new security tools. The MDR should be able to accommodate the customer’s requirements based on their maturity—either bring the tech stack necessary to deliver services or leverage the existing investments to do so.
- Who owns the detection content? Organizations need to consider the prospect of parting ways with their MDR provider. If this happens, will they keep the detection content that the provider generated from them? Or will they need to start over while they look for another provider, leaving themselves exposed in the process?
“R” Is for “Response”
- Will the provider give them a unified view of their environment? Organizations need a unified view of their data and tool inputs if they want their security teams to be able to make decisions in a timely manner. If an MDR provider can’t give this level of visibility, then it is difficult to make informed decisions on subsequent actions to take.
- Does the provider offer automation capabilities? Speed is everything when it comes to response. Hence the need for automation. Specifically, an MDR provider who comes with validated automated response playbooks and who allows for the creation of custom playbooks as new threats emerge can really make a difference.
- Is threat hunting included in the cost? The logic behind MDR is to take a proactive approach to cybersecurity. With that in mind, advanced MDRs offer threat hunting and attack simulation capabilities to their customers. Organizations need to determine whether these services are available with a potential provider and whether they cost an additional fee.
How ReliaQuest Does MDR
ReliaQuest GreyMatter uses a combination of services and technology to deliver MDR outcomes for organizations looking to improve their security posture. Organizations don’t need to replace their tools or hire more personnel because ReliaQuest force multiplies their existing teams to make the most out of their SIEM, EDR, public clouds, and other technologies, thus saving customers money and time. ReliaQuest uses detection content mapped across Kill Chain and MITRE ATT&CK frameworks as well as automated response playbooks to keep customers safe against emerging threats.