Funtap -


MDR vs. MSSP: Why it's vital to know the difference

When assessing MDR vs. MSSP, the key is understanding why the two aren't interchangeable and how each handles response.

Managed detection and response is gaining traction, leading many traditional managed security service providers to update their offerings. There's nothing set in stone that says an MSSP can't provide MDR. But the MDR and MSSP acronyms aren't interchangeable, and one of the big aspects that sets the two apart is response.

Let's look at the differences between MDR and MSSP, and examine what to look for when assessing and purchasing response capabilities.


MSSPs have been around for almost as long as the internet has been in commercial use. Most MSSPs offer outsourced management of security tools and devices, among them firewalls and VPNs. MSSPs may also offer managed vulnerability scanning, security asset management, and SIEM and security operations center monitoring. While each MSSP will have its own specific set of offerings, MSSPs often focus on security management and monitoring. In other words, if a breach or intrusion is detected, the MSSP may alert the customer about the intrusion, but the response is left to the customer unless otherwise specified in the MSSP contract.

A portal usually serves as the communication link between the MSSP and its customers. Interactions are primarily automated and focused on alert activity and indicators of compromise (IOCs) from managed devices. The result is that much of the alerting is reactive -- after the fact.

MDR, on the other hand, is focused on proactive threat hunting and detection and response. The MDR provider usually manages the tools in its detection and response stack, such as endpoint protection agents, but does not manage security tools that are not used for MDR. While MSSPs can be heavily automated services, MDR is human-operated, with live threat hunters monitoring customer networks in real time for both indicators of attack (IOAs) and IOCs.

IOAs differ from IOCs because an IOA occurs before a breach or event. An IOA might be a camera monitoring the street in front of your house. If a suspicious car drives by a number of times and slows down to get a better look at your cameras and doors, that's indicative of a potential attacker and, therefore, an IOA. The car's occupants haven't broken the law, but they are exhibiting behaviors that are precursors to an actual compromise. An IOC, by contrast, is the breach itself. A burglar opens a window or door of your house, and your home safety system triggers an alarm. Your home has been compromised, and the attacker is inside.

The other main emphasis of MDR is alert validation and response. While most MSSPs don't take action or provide only limited response, response is a cornerstone of MDR.

Response is a pretty broad term. When assessing MDR services, it's important to confirm upfront with the provider about the type of response and actions it can take within your systems.

Right-sized response when considering MDR

Response is a pretty broad term. When assessing MDR services, it's important to confirm upfront with the provider about the type of response and actions it can take within an organization's systems. For example, response could be as simple as automated removal of known malware, or it could be as complex as shutting down ports on a firewall and removing workloads or VMs and containers from service.

Response falls along a continuum, ranging from the simple -- for example, an alert -- to scoped actions on a limited set of assets to, ultimately, a full-blown chain of events that includes whatever needs to happen anywhere. The more access an MDR provider has, the more it can do on its customers' behalf. Yet, that entry comes with a caveat: It means the provider can see more corporate assets -- potentially including sensitive customer data.

So, is MDR or an MSSP better? As you can imagine, there is no single right answer here. Every organization needs to balance the pros and cons of allowing more complex response actions to meet their unique goals. However, there are some considerations all organizations should evaluate:

  • Lighter response -- for example, alerts only
    • Pros: fast, leans toward automation, limited privacy impact
    • Cons: limited coverage, requires action from in-house security staff
  • Deeper response -- for example, threat hunting, validation of IOCs or alerts, lockout of compromised accounts
    • Pros: may be faster than in-house alone, proactive
    • Cons: may expose some customer data, could interfere with business operations
  • All-in response -- for example, recovery post-advanced persistent threat discovery
    • Pros: comprehensive response, may be able to reduce staffing needs for some in-house resources
    • Cons: requires extensive access, potential privacy impacts and exposure, bad decisions can result in business disruption

No matter the position taken in the MDR vs. MSSP debate, as long as you and your provider are clear on who is going to take action and how -- and how much -- action will be taken, augmenting your security program with an MSSP, MDR or a blend of the two can enhance your response time without breaking the bank or your privacy model.

Dig Deeper on Network security

Enterprise Desktop
Cloud Computing