
managed detection and response (MDR)

Managed detection and response (MDR) services are a collection of network-, host- and endpoint-based cybersecurity technologies that a third-party provider manages for a client organization. The provider typically installs technology on premises at the client organization and provides additional external and automated services through software.

MDRs improve cybersecurity by searching for threats and responding to them once detected. They also enable users to connect with the provider's security experts, who can help bolster the security skills of the client company's IT department. This makes them ideal for businesses that don't have a designated threat detection team in-house.

Managed detection and response services are growing in popularity, partially because of the growing skills gap in cybersecurity. Gartner predicted in 2018 that 15% of mid- to large-size corporations would use MDR services in 2020, compared to the 1% that used them in 2018.

What problems does MDR solve?

MDR services play an active role in improving a business's information security strategy. They handle threat detection, incident response, continuous monitoring and analysis of IT assets.

MDR services approach these tasks in a way that mitigates common problems modern IT departments usually face, such as:

  • High alert volume -- MDRs can help companies manage the sheer volume of cybersecurity alerts that must be checked on an individual basis. Too many alerts can overwhelm smaller security teams and cause them to neglect other responsibilities.
  • Threat analysis -- Many alerts do not immediately present themselves as a threat and require thorough analysis to determine their status. MDR services provide advanced analytics tools and access to security experts to help with this, interpreting events and providing recommendations for improvement.
  • Skills shortage -- The CIA recently estimated that by 2022 there will be a security workforce gap of 1.8 million. Symantec also found that four out of every five security professionals surveyed report feeling burnt out and in a state of chronic overload. MDR services can mitigate this by providing access to their team of experts, who usually work 24/7 to monitor a network and are available for consultation.
  • Endpoint detection and response (EDR) -- Businesses may lack the funds, time or skills to train employees for EDR tools. MDR services come with EDR tools and integrate them into detection, analysis and response processes, eliminating the need for extensive in-house endpoint security.

As with many X-as-a-service (XaaS) models that outsource modern IT processes, corporations trade some control for more convenience and more flexible pricing. MDR services do have some downsides compared to older managed security products, depending on how the client intends to use them. However, their main benefit is that they are uniquely tailored to the current and emerging problems that IT organizations face today.

MDR vs. classic managed security

Both MDR and classic managed security products perform the same general function: externally assisting companies with cybersecurity. However, there are a few core differences between MDR services and classic managed security services, including:

  • Compliance -- Classic managed security services, sometimes called managed security service providers (MSSPs), are typically focused much more on compliance reporting and helping businesses meet compliance requirements. MDR services rarely focus on this.
  • Log format -- MSSPs are generally able to work with a wider variety of event logs and contexts. MDRs, on the other hand, primarily use just the logs that come with their own tools.
  • Human interaction -- MSSPs handle any communication with the provider through online portals and emails. MDRs have teams of experts -- sometimes referred to as a security operations center (SOC) -- that can be reached through multiple channels in real time.
  • Detection methods -- Because of the human component that MDRs offer, they can apply deeper analysis to alerts and detect novel threats. MSSPs are less involved in analysis and therefore focus more on known and frequently occurring threats using a rule-based system.
  • Network visibility -- MDRs can detect events and lateral movement within a client network, whereas MSSPs focus mainly on the perimeter.

Each option has its strengths and weaknesses. MSSPs are good for managing foundational security technology like firewalls and performing day-to-day security tasks. MDRs are more specialized services designed to handle complex modern networks and the new vulnerabilities they present.

Companies can use both products in tandem to maximize the benefits of each.

Common features in MDR offerings

MDRs are relatively new, and so each company differs somewhat in what they provide in their MDR offerings. Providers will typically focus on either network-, endpoint- or log-based technologies. A network-based MDR would focus on threats in a firewall, whereas an endpoint-based product would work with antimalware software.

Regardless of the network level that the service works at, it unites reports from multiple technologies at that level to perform these functions:

  • Threat detection, in which the SOC continuously monitors data and prioritizes alerts for analysis.
  • Threat analysis, in which SOC personnel home in on potential threats and determine the source and scope of each threat.
  • Threat response, in which the provider notifies the client of an incident and offers its analysis and recommendations for resolving the problem.
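The three functions above, together with the alert-volume problem described earlier, are easiest to see as a small triage pipeline. The following is an added example and not code from TechTarget or from any MDR provider: it takes alerts from several tool sources (a firewall, an EDR agent and a SIEM, all hypothetical), collapses near-duplicate alerts to cut volume, correlates what remains by host to establish scope, ranks hosts by severity and by how many independent tools agree, and builds the notification an analyst would hand to the client. Hostnames, rule names, timestamps and the scoring weights are all constructed for the example.

```python
"""Added example (not from the original page): a minimal MDR-style triage
pipeline -- unify alerts from several tools, deduplicate, correlate by host,
prioritize, and produce a client notification. All alert data is constructed."""

from collections import defaultdict
from dataclasses import dataclass

# Numeric rank per severity label; used to order hosts for analyst attention.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Alert:
    source: str    # tool that raised the alert: "firewall", "edr" or "siem" (hypothetical)
    host: str      # affected host (constructed names)
    severity: str  # one of the SEVERITY_RANK keys
    rule: str      # detection rule name (constructed)
    ts: int        # epoch seconds (constructed)


# Constructed sample feed: three tools reporting on three hosts, with repeats.
SAMPLE_ALERTS = [
    Alert("firewall", "ws-17", "low", "outbound-dns-burst", 1000),
    Alert("edr", "ws-17", "high", "suspicious-powershell", 1005),
    Alert("edr", "ws-17", "high", "suspicious-powershell", 1006),   # repeat of the line above
    Alert("siem", "ws-17", "medium", "new-service-install", 1010),
    Alert("firewall", "srv-db-01", "low", "port-scan-inbound", 1100),
    Alert("edr", "laptop-42", "low", "pua-detected", 1200),
    Alert("edr", "laptop-42", "low", "pua-detected", 1201),         # repeat
]


def dedupe(alerts, window=60):
    """Collapse repeated (source, host, rule) alerts raised within `window` seconds.

    This is the volume-reduction step: the analyst sees one alert per burst, not each copy.
    """
    last_seen = {}
    kept = []
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.source, a.host, a.rule)
        if key in last_seen and a.ts - last_seen[key] <= window:
            continue
        last_seen[key] = a.ts
        kept.append(a)
    return kept


def correlate_by_host(alerts):
    """Group alerts from every tool by host, so scope is judged per asset rather than per alert."""
    groups = defaultdict(list)
    for a in alerts:
        groups[a.host].append(a)
    return groups


def score_host(alerts):
    """Priority = highest severity seen, boosted by one point per additional tool that agrees.

    Corroboration across independent sensors is a stronger signal than one loud tool.
    """
    top = max(SEVERITY_RANK[a.severity] for a in alerts)
    distinct_sources = len({a.source for a in alerts})
    return top + (distinct_sources - 1)


def triage(alerts):
    """Return (host, score, alerts) tuples ordered from highest to lowest priority."""
    groups = correlate_by_host(dedupe(alerts))
    ranked = sorted(groups.items(), key=lambda kv: (-score_host(kv[1]), kv[0]))
    return [(host, score_host(items), items) for host, items in ranked]


def notify(triaged, threshold=4):
    """Build the notification lines for hosts at or above `threshold`; lower scores stay in the queue."""
    lines = []
    for host, score, items in triaged:
        if score < threshold:
            continue
        sources = sorted({a.source for a in items})
        rules = sorted({a.rule for a in items})
        lines.append(f"{host}: priority {score}, sources={sources}, rules={rules}")
    return lines


if __name__ == "__main__":
    for line in notify(triage(SAMPLE_ALERTS)):
        print(line)
```

With the constructed feed, the seven raw alerts collapse to five, and only `ws-17` crosses the notification threshold because three different tools report on it; the two low-severity single-tool hosts stay queued for routine review. The threshold and the corroboration bonus are the knobs a provider would tune to decide where its response ends and the client's begins.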

The step with the most variation between providers is the response step. Each provider decides the point at which their work ends, and the customer takes on the issue. Some providers might also offer additional features for a price, like on-premises expert consultation or additional on-premises hardware.

When choosing a provider, customers should consider:

  • The size of their organization.
  • The skill level and size of security teams.
  • The technology they already have.
  • The compliance regulations they must adhere to.

This was last updated in April 2020
