Insights / Blog / The Case for Managed Detection and Response (MDR)
April 25, 2019

The Case for Managed Detection and Response (MDR)

Jon Oltsik
Distinguished Analyst & ESG Fellow

Market Topics


sharing_in_businessAccording to ESG research, 82% of cybersecurity professionals agree that improving threat detection and response (i.e., mean-time to detect (MTTD), mean-time to respond (MTTR), etc.) is a high priority at their organizations. Furthermore, 77% of cybersecurity professionals surveyed say that business managers are pressuring the cybersecurity team to improve threat detection and response.

So, what’s the problem? Threat detection and response ain’t easy. In fact, 76% of those surveyed claim that threat detection and response is either much more difficult or somewhat more difficult than it was two years ago. Why? Cybersecurity professionals point to issues like an upsurge in the volume and sophistication of threats, an increasing cybersecurity workload, and a growing attack surface. Oh, and let’s not forget the impact of the cybersecurity skills shortage here. Many firms lack the right staff and skills to make a significant dent in this area.

Rather than deploy yet another point tool or muddle through, many CISOs are turning to third-party service providers for help, making managed detection and response (MDR) one of the fastest growing segments in the cybersecurity market. ESG research reveals that 27% of organizations are actively pursuing an MDR project while another 11% plan on pursuing an MDR project in the future.

When asked to provide a rationale for MDR (note: multiple responses accepted):

  • 32% of survey respondents say that their organization needed rapid threat detection and response improvements and decided that MDR provided a faster path than a homegrown approach. I saw this pattern a few years ago in the health care sector after the Anthem breach. Health care CISOs knew they needed to move quickly and sought out help wherever they could find it.
  • 29% of survey respondents claim that their organization is already working with one or several managed security service providers (MSSPs), so adding MDR seemed like a good business and technical decision. Given the rapid growth in MDR, many service providers (and product vendors) are jumping on the MDR bandwagon and offering a straightforward transition for existing customers. There’s a lot of “try before you buy” going on.
  • 28% of survey respondents believe an MDR provider can do a better job of threat detection and response than their organization can. Knowing what I know about cybersecurity, this will be true at a majority of organizations. 
  • 27% of survey respondents admit that their organization tried threat detection and response technologies but found them to be beyond their abilities, so they turned to MDR as an alternative. At ESG, we’ve run into a lot of failed threat detection and response projects, so this data comes as no surprise.

Let’s face it, threat detection and response requires advanced skills that most organizations don’t have. Additionally, the technologies used for threat detection and response (i.e., endpoint detection and response (EDR), network traffic analysis (NTA), malware sandboxes, threat intelligence, security analytics, etc.) can be expensive and complicated. 

Given this data, it’s abundantly clear to me that lots of organizations will throw in the proverbial towel and seek help from MDR players. As they do, CISOs must:

  1. Decide how far they want to go. MDR comes in many flavors. CISOs can get help with threat detection alone, get threat detection along with response advise, or outsource the whole enchilada. Do you really trust a third party to make remediation decisions? How will this play with IT operations teams and change management processes? CISOs will need to enlist the support of CIOs before going too far too fast.
  2. Consider product decisions. A lot of survey respondents say they want to choose their own threat detection and response technologies and then hire a third-party service provider to manage and support them. This strategy reflects the traditional ‘best-of-breed’ cybersecurity mindset, but it may limit choices. After all, if I pay someone to mow my lawn, I should really care about the quality of the job rather than the type of mower they use. CISOs should cast a wide net and make their decisions based upon outcomes.
  3. Develop a skill set around third-party services management. This is where my 30+ years of IT industry experience is helpful. In the 1990s, large organizations embraced outsourcing as IT was seen as a cost center. CIOs learned the hard way, however, that without careful, day-to-day, hands-on management, IT outsourcers tended to stick to the letter of contracts and did as little extra work as possible. CISOs looking at MDR solutions must carefully review and negotiate contracts, demand skin-in-the-game from MDR providers and assign staff members who become accountable for the success of the partnership. 

My esteemed colleague Christina Richmond is carefully tracking developments in MDR. Stay tuned for more soon. 

Unparalleled insights from analysts with an "insider" perspective

From strategy and product development to competitive insights and content creation, we deliver high-quality, actionable support services.