What is Managed Detection and Response (MDR)?
Managed Detection and Response (MDR) is a security service that prioritizes the handling of detection and response capabilities on behalf of a customer. MDR enables organizations to operationalize a turnkey Security Operations Center (SOC) at a small percentage of the cost of building an in-house program.
The person in charge of procurement for a company’s security organization might start by asking the question, “What is MDR?” They already know about detection and response (D&R), sure. And because they’re asking that question, they know their organization is having trouble keeping up with D&R responsibilities. This could be due to a lack of security headcount, expertise, resources, and processes to properly stand up a D&R program.
A capable Managed Security Services Provider (MSSP) can contract with a company to act as their SOC-as-a-Service (SOCaaS) partner, providing almost all cybersecurity services for the company. An MSSP can also quickly extend the headcount of a SOC in a specific area like D&R.
According to Gartner, MDR providers should be able to deliver actionable outcomes by analyzing telemetry – logs, data, and other contextual information – as well as engaging in threat hunting and incident management. This enables MDR customers to strengthen their security posture and better focus on business priorities.
What Challenges Does MDR Address?
Besides the general benefits of alleviating stress and giving more time back to overworked analysts, MDR:
- Reduces alert fatigue: Analysts might be chasing too many false alerts or could eventually become desensitized to meaningful ones. If headcount is low, a team may no longer be able to investigate alerts in a meaningful way. MDR becomes a force multiplier by investigating and curating alerts on which their client needs to take real action.
- Detects threats faster: An overloaded SOC simply might not be able to see or respond to threats in anything close to real time. In contrast, an MDR provider’s sole function is to detect and respond to threats on behalf of a customer. Engaging an MDR provider can quickly decrease a SOC’s threat response time, particularly with curated alerts as mentioned above. When combined with integrated threat intelligence, a team should be able to more proactively identify threats thanks to real-time analysis.
- Expands security capabilities: It all begins with a lack of budget, but paired with a lack of know-how and talent, the security situation in any given company could quickly become catastrophic. Teams must be able to do it all: threat detection, alert triage, malware analysis, incident investigation, and response – and must be able to achieve it at scale.
MDR can help a security team with limited resources extend their capabilities across this spectrum of critical responsibilities. With access to a provider’s specialized D&R expertise and headcount, an MDR customer could find a solution at a fraction of the budget and time it would take to successfully build out an internal representation of critical resources.
- Enhances security maturity: Whether a company is a startup or sits in an industry that historically wasn’t a big attacker target, they may possess skills that would be considered immature by security leaders. And an immature security program simply cannot exist in today’s hyperactive attacker environment. Every SOC will eventually be faced with a dire threat – or many dire threats. Having a budget to address the immaturity is great, but if there is no strategic talent acquisition plan, then there can be no success.
An MDR provider can rapidly take on tasks as well as advise a SOC on refining and scaling their program. This frees up in-house staff to focus on more strategic projects that help push security maturity to the next level.
How Does MDR Work?
Managed detection and response works by enabling a customer’s ability to leverage the provider’s SOC team for 24x7x365 security operations coverage. MDR quickly extends a SOC’s headcount so the team can better:
- Detect threats
- Analyze threats
- Investigate threats
- Actively respond to threats
- Focus on priorities other than threats
By providing complete coverage across a customer’s entire environment, MDR can impart security practitioners with the visibility to see when and where malicious-looking activity may be taking place. The provider should further be able to help a customer:
- Identify a targeted threat to their specific environment
- Repair any affected systems
- Focus efforts into taking down a threat
- Supply recommendations for better securing an affected system for the future
- Weed out benign events and only report on truly positive threats
The ultimate goal of an MDR provider should be to help a customer’s SOC achieve a turnkey D&R program without the significant financial investment and stress – as well as the time it would take to interview talent while keeping the SOC running – to build a ground-up, in-house program.
What are the Benefits of MDR?
The benefits of MDR are plentiful, with a particular emphasis on creating a less stressful SOC environment. Other key benefits that come from engaging a true MDR partner are:
- Improved security posture: By engaging a team of experts to extend D&R capabilities, a SOC can uncover risks earlier, shrink its attack surface, and be ready to investigate with digital forensics and incident response (DFIR) techniques.
- ROI: An MDR partner should be able to provide meaningful ROI in a reasonable amount of time (3-5 years). For example, Rapid7 MDR services were able to provide customers with an average of almost 5.5x ROI over three years. By creating efficiencies in alert detection, investigation, and response, security organizations create cost savings to reinvest elsewhere.
- Access to detection and response tools: An MDR customer typically will have access to the provider’s D&R technology so they can become educated on the underlying platform. They can also leverage that platform to perform their own alert investigations. Customers should also be able to access network traffic analysis, user-behavior analytics (UBA), and more.
- Faster threat or breach remediation: From hours and hours spent on remediation each week to minutes spent each week, a trusted MDR partner should be able to transform a SOC’s ability to perform remediation. The average time to remediate will significantly decrease with the provider’s ability to create a plan of action specifically tailored to a customer’s environment.
- Faster investigations with network analytics: A good MDR provider should also be able to rapidly ingest network device data so they can put it to work for a customer. Network data is lightweight, easily searchable, and can quickly pinpoint the exact location of an attacker in the network to identify the scope of the breach. Leveraging this data allows analysts to take action and understand what’s going on across the network layer, while correlating events to endpoints. This process is helpful for early threat detection, as well as adding context to investigations to better understand attacker behavior.
MDR Use Cases
MDR can be an advantageous solution for many reasons, but let’s look at some of the specific use cases a managed services partner should be able to address in order to add value to your security organization:
- Detect compromised users and lateral movement.
- Give critical time back to analysts by automating tedious, manual tasks.
- Address host and endpoint containment to limit the amount of damage malware propagation – or other attacks – can cause.
- Detect attackers with higher fidelity by glean insights from user behavior analytics, log analysis, and attacker behavior analytics.
- Validate threats with greater visibility by ingesting data from disparate technology environments.
- Stay in compliance with regulatory frameworks by implementing specific security controls.
MDR vs. Other Managed Security Solutions
How does MDR differ from MSSP or EDR (endpoint detection and response)? It’s all about the capabilities a SOC is looking to acquire or accentuate and the budget earmarked for those specific services.
MDR vs MSSP
An MSSP supplies a broad array of services, of which MDR might be just one. So, if a customer is only seeking a D&R solution, a general MSSP providing SOC-as-a-Service solutions could be more than they need and unnecessarily stretch the security budget.
MDR vs EDR
EDR is a solution that should be incorporated into a larger network- and cloud-spanning D&R solution. It is typically an add-on service that focuses specifically on endpoint threats and containment. Any potential MDR partner should offer EDR as part of their managed services offering.
The larger solution should feature threat detection, hunting, and containment; incident validation and response; behavior analytics; automation; and a deeper dive into attack details than a standalone EDR solution or managed service can offer.
How to Choose an MDR Service
Researching and subsequently engaging the services of an MDR provider is no small task – but it also doesn’t have to be a drawn-out process similar to that of standing up an in-house D&R program. Only the customer searching for an MDR solution knows the core challenges and needs of their SOC.
The following can act as a handy guide for evaluating a potential MDR provider against eight core capabilities, according to the specific and unique needs of a SOC:
- MDR analyst experience
- Extended detection and response technology
- Partnership that extends your SOC
- Threat hunting
- Clear service expectations and results
- Extended MDR expertise
- Security orchestration, automation, and response (SOAR)
- Competitive MDR pricing
Read More About Managed Detection & Response
Gartner® Report: Questions to Ask When Selecting an MDR Provider
MDR, MEDR, SOCaaS: Which Is Right for You?
Managed Detection & Response: Latest News from the Blog