managed detection and response (MDR)
Managed detection and response (MDR) services are a collection of network-, host- and endpoint-based cybersecurity technologies that a third-party provider manages for a client organization. The provider typically installs technology on premises at the client organization and provides additional external and automated services through software.
MDRs improve cybersecurity by searching for threats and responding to them once detected. They also enable users to connect with the provider's security experts, who can help bolster the security skills of the client company's IT department. This makes them ideal for businesses that don't have a designated threat detection team in-house.
Managed detection and response services are growing in popularity, partially because of the growing skills gap in cybersecurity. Gartner predicted in 2018 that 15% of mid- to large-size corporations would use MDR services in 2020, compared to the 1% that used them in 2018.
What problems does MDR solve?
MDR services play an active role in improving a business's information security strategy. They handle threat detection, incident response, continuous monitoring and analysis of IT assets.
MDR services approach these tasks in a way that mitigates common problems modern IT departments usually face, such as:
- High alert volume -- MDRs can help companies manage the sheer volume of cybersecurity alerts that must be checked on an individual basis. Too many alerts can overwhelm smaller security teams and cause them to neglect other responsibilities.
- Threat analysis -- Many alerts do not immediately present themselves as a threat and require thorough analysis to determine their status. MDR services provide advanced analytics tools and access to security experts to help with this, interpreting events and providing recommendations for improvement.
- Skills shortage -- The CIA recently estimated that by 2022 there will be a security workforce gap of 1.8 million. Symantec also found that four out of every five security professionals surveyed report feeling burnt out and in a state of chronic overload. MDR services can mitigate this by providing access to their team of experts, which usually work 24/7 to monitor a network and be available for consultation.
- Endpoint detection and response (EDR) -- Businesses may lack the funds, time or skills to train employees for EDR tools. MDR services come with EDR tools and integrate them into detection, analysis and response processes, eliminating the need for extensive in-house endpoint security.
As with many X-as-a-service (XaaS) models that outsource modern IT processes, corporations trade some control for more convenience and more flexible prices. MDR services do have some downsides when compared to older managed security products and depending on the client's intended use for the services. However, their main benefit that they are uniquely tailored to current and emerging problems faced by IT companies today.
MDR vs. classic managed security
Both MDR and classic managed security products perform the same general function; externally assisting companies with cybersecurity. However, there are a few core differences between MDR services and classic managed security services, including:
- Compliance -- classic managed security services, sometimes called managed security service providers (MSSPs), are typically focused much more on compliance reporting and helping businesses meet compliance requirements. MDR services rarely focus on this.
- Log format -- MSSPs are generally able to work with a wider variety of event logs and contexts. MDRs, on the other hand, use primarily just use the logs that come with their tools.
- Human interaction -- MSSPs handle any communication with the provider through online portals and emails. MDRs have teams of experts -- sometimes referred to as a security operations center (SOC) -- that can be reached through multiple channels in real time.
- Detection methods -- Because of the human component that MDRs offer, they can apply deeper analysis to alerts and detect novel threats. MSSPs are less involved in analysis and therefore focus more on known and frequently occurring threats using a rule-based system.
- Network visibility -- MDRs can detect events and movement within a client network, whereas MSSPs focus mainly on perimeter.
Each option has its strengths and weaknesses. MSSPs are good for managing foundational security technology like firewalls and performing day-to-day security tasks. MDRs are more specialized services designed to handle complex modern networks and the new vulnerabilities they present.
Companies can use both products in tandem to maximize the benefits of each.
Common features in MDR offerings
MDRs are relatively new, and so each company differs somewhat in what they provide in their MDR offerings. Providers will typically focus on either network-, endpoint- or log-based technologies. A network-based MDR would focus on threats in a firewall, whereas an endpoint-based product would work with antimalware software.
Regardless of the network level that the service works at, it unites reports from multiple technologies at that level to perform these functions:
- Threat detection, in which the SOC continuously monitors data and prioritizes alerts for analysis.
- Threat analysis, in which SOC personnel hone in on potential threats and determine the source and scope of the threat.
- Threat response, in which the provider notifies the client of an incident and offer their analysis recommendations for resolving the problem.
The step with the most variation between providers is the response step. Each provider decides the point at which their work ends, and the customer takes on the issue. Some providers might also offer additional features for a price, like on-premises expert consultation or additional on-premises hardware.
When choosing a provider, customers should consider:
- The size of their organization.
- The skill level and size of security teams.
- The technology they already have.
- The compliance regulations they must adhere to.