What is Managed Detection and Response (MDR)?
Managed detection and response (MDR) vendors offer incident response and threat hunting services that combine human expertise and advanced security technology. MDR customers gain access to the vendor’s security platform and a pool of security engineers and researchers, who take charge of monitoring networks, analyzing security incidents, and responding to threats.
This is part of our series of articles about MDR security.
The Origins of MDR
Threat detection and mitigation have a long history. As early as the 1980s, businesses used accounting audits to identify unauthorized network access. Internet security measures were the responsibility of in-house staff. In the 1990s, rudimentary security services emerged, allowing organizations to outsource some of their protection measures.
The First Outsourced Intrusion Detection Services
In the early 2000s, many organizations began outsourcing their intrusion detection processes, although they mostly handled the response themselves. Gradually, vendors began offering traffic monitoring services to alert security teams. Most hackers at this time were vandals and pranksters rather than serious cybercriminals, and organizations could easily repair the damage using backups.
However, the rise of online business attracted more dangerous breaches, with attackers stealing sensitive data for financial gain. This kickstarted the arms race between security teams and attackers.
The Rise of APTs
The emergence of advanced persistent threats (APTs) further raised the stakes, allowing attackers to hide in the target system for months or even years and exfiltrate data undetected. APTs often leveraged botnets to siphon processing power from many compromised computers without arousing suspicion. With attacks growing more sophisticated and damaging, security awareness increased.
Incident response grew increasingly complicated and urgent, necessitating managed services to automate security controls and response measures. These services evolved into MDR. To enable an effective MDR solution, organizations must maintain an inventory of the entire network and attack surface, including on-premises and cloud applications. The inventory should also cover services that are not exposed to the public Internet, since they remain reachable by attackers who have already gained a foothold inside the network.
Evolution of the MDR Market
MDR is a growing market, with Gartner predicting that half of all businesses will be using MDR by 2025. Managed detection and response solutions have various pricing models depending on the service level required. A plan’s cost may vary based on turnaround time, scanning frequency, and scope of protection.
What Challenges Does MDR Solve?
Implementing a strong cybersecurity program presents several important challenges that can be addressed by MDR services:
Workforce shortage - the cybersecurity industry faces a serious talent shortage, with fewer qualified professionals than open positions. This makes it difficult and expensive for organizations to fill internal security roles. MDR helps organizations close the workforce gap with external security experts.
Limited access to expertise - organizations not only lack general cybersecurity expertise but also struggle to fill specialized roles such as incident response, cloud security, and malware analysis. MDR provides instant access to trained, experienced external cybersecurity expertise, instead of having to attract and retain that talent internally.
Advanced threat identification - advanced persistent threats (APTs) and other advanced cybercriminals have developed tools and techniques that evade many existing cybersecurity solutions. MDR enables organizations to detect and remediate these threats through proactive threat hunting.
Long time to detection - many cybersecurity incidents go undetected for long periods of time, increasing the cost and impact of breaches. MDR providers offer service level agreements (SLAs) guaranteeing a timeframe for discovery of and response to threats. This can prevent the devastating consequences of breaches that go unnoticed.
MDR Service Features
Here are key features of MDR services:
Incident investigation — MDR vendors investigate alerts to determine whether they indicate a false positive or a real incident. They perform investigations by utilizing data analytics, machine learning, and human expertise.
Alert triage — many factors can impact an event’s priority level. MDR vendors organize a list of security events that prioritizes the most critical incidents.
Remediation — MDR vendors offer incident remediation as a service, remotely responding to security events in the customer's protected network.
Proactive threat hunting — MDR vendors proactively search protected networks and systems for indicators of ongoing attacks. If they detect an attack, they take steps to remediate it.
MDR Versus Other Security Solutions
Here is how MDR compares to other common managed security solutions.
MDR vs. MSSP
MDR and MSSP services both help secure digital assets, but each offers a different level of protection. MSSP vendors do not investigate and validate threats. They send notifications to the IT team about potential threats, and the organization is responsible for investigating. MDR services actively investigate, triage, and respond to threats according to severity levels to proactively block and prevent attacks.
MDR vs. SIEM
Security information and event management (SIEM) tools ingest data from multiple sources and provide analysis features. They support various log data types and many other feeds and enable users to configure rules triggered by specific data. SIEM tools require extensive work to derive insights that help detect and respond to threats. MDR solutions help organizations outsource detection and response, taking charge of any tools required on behalf of the organization.
MDR vs. EDR
Endpoint detection and response (EDR) tools offer next-generation endpoint security capabilities, including threat prevention, detection, and response. Both MDR and EDR help improve visibility and security integration. However, EDR is a tool while MDR is a service. EDR tools help protect a specific endpoint. MDR services offer security monitoring and management across the entire IT environment and often include EDR tools as part of their toolkit.
MDR vs. XDR
Extended detection and response (XDR) solutions enable organizations to proactively protect against threats, offering centralized visibility across multiple attack vectors. XDR and MDR help support the efforts of security teams but offer different capabilities.
XDR tools unify visibility across the entire architecture and automate repetitive and time-consuming tasks. This frees up time to investigate potential threats and remediate security issues. MDR supports the organization with external, around-the-clock SOC expertise and tools. MDR often incorporates XDR as part of its service.
How to Choose MDR Services
Here are key factors to consider when choosing an MDR vendor:
MDR vendors are responsible for protecting the organization’s systems and data. Ideally, they should employ a team of experts and a mature and comprehensive security plan to detect and respond to attacks. However, the term “response” often refers to different types of services. When choosing an MDR vendor, organizations should determine what response is covered.
Organizations can determine this by asking the vendor whether they offer a proactive response, which response actions they perform manually, and which response actions are automated. Ideally, organizations should also determine their own responsibilities during response and whether the vendor works with an approval process for response actions.
MDR vendors employ threat hunting to offer proactive protection. Threat hunting requires contextualized threat intelligence that provides a view of potential threat actors and their tactics, techniques, and procedures (TTPs). It also requires a clear understanding of the organization and its IT environment, as well as a high level of expertise.
Organizations can assess the threat hunting capabilities of an MDR vendor by asking how the vendor defines a threat hunt, how they measure hunts, and what triggers a hunt. This assessment should also consider the vendor’s performance indicators and how the vendor incorporates threat intelligence into their threat hunting program. Learning the threat hunting program’s outputs and goals is also important.
MDR vendors offer 24/7 operations, but each vendor defines this timeframe differently. Before choosing an MDR vendor, organizations should assess the vendor’s operating model and staffing levels, including the location of the analysts protecting the organization’s data. MDR vendors define these aspects using the following terms:
Staffing levels during out of hours
Out-of-hours callout processes
Organizations should also determine the vendor’s operations model. Here are key types:
Remote — the vendor employs remote analysts to serve a single customer base.
Security operations centers (SOCs) — the vendor may employ multiple SOCs to serve customers in the same region.