Managed detection and response (MDR) has been an industry segment in cybersecurity that received a lot of attention over the past 2-3 years. This blog post will explore what MDR services and companies are, how they evolved as part of the cybersecurity landscape, how they help companies protect their IT infrastructure, and how you can evaluate if they are appropriate for your business.

First, we’ll look at what the MDR market is and what core capabilities you can expect from an MDR provider. According to Armor technical alliance partner Trend Micro, “Managed detection and response (MDR) is an outsourced service that provides organizations with threat hunting services and responds to threats once they are discovered. It also involves a human element: Security providers provide their MDR customers access to their pool of security researchers and engineers, who are responsible for monitoring networks, analyzing incidents, and responding to security cases.”

Their capabilities can be distilled into 3 areas:

  1. Advanced detection through endpoint detection and response tools (usually Carbon Black or Cylance)
  2. Reactive response and active defense (threat hunting)
  3. Direct access to SOC personnel

It’s important to understand what an engagement with an MDR provider is going to look like in order to understand what you can expect from an engagement. MDR providers are often going to deploy their own curated technology stack, whether this stack is comprised of their homegrown tools or an integrated best-of-breed toolset of commercial off-the-shelf products. MDR providers will occasionally take in logs from security tools in the customer environment to provide extra context around threat intelligence or security analytics surrounding an event. Incident triage, while often assisted by automation and systems, will always be performed by a person when engaging MDR providers. MDR providers distinguish themselves by providing people during the incident management and remediation process. MDR engagements usually do not allow organizations to customize their threat detection and alerts. The provider generally customizes their own threat-detection use cases based on their best practices. Baseline incident response activities are usually provided without the need for an additional retainer. This all contributes to the engagement with your MDR provider being viewed as a relatively turnkey service.

MDR providers largely evolved out of the market’s frustration with Managed Security Service Providers (MSSPs) not putting enough focus on response and instead only offering alerts. These providers became pure-play MDR providers (eSentire, Red Canary, Paladion, etc.). After some of the initial success of the MDR market, MSSP providers decided they could add MDR capabilities to their existing portfolio of offerings (Trustwave, Secureworks, etc.). Now, MSSP and MDR providers are both experiencing pressure from the growing influence of the cloud to deliver their services in a Security-as-a-Service model that focuses on a consumption-based service delivery model and instant software-based turnup of security services. The diagram below highlights some key differences between MSSPs and MDR providers.

Armor sees MDR offerings evolving to “next-gen” over the next 2-3 years. This is what a breakdown of capabilities looks like as MDR providers pivot more to address the concerns and market pressures of the cloud.

MDR companies have positioned themselves within the cybersecurity landscape to solve the following problems for organizations:

  1. Security talent shortages – MDR providers often provide boots on the ground in terms of remediating cybersecurity incidents.
  2. Complex endpoint technology deployments – As TrendMicro says in its article on MDR, “Enterprises also face challenges when deploying complex endpoint detection and response (EDR) solutions, which are usually not being maximized, due to a lack of time, skills, and funds to train personnel to handle the EDR tools. MDR integrates EDR tools in its security implementation, making them an integral part of the detection, analysis, and response roles.”
  3. Alert fatigue – MDR companies focus on explaining the importance of alerts, how they correlate to other alerts within your environment, and prioritizing which alerts need remediation first. They help solve talent shortages and IRF investigation issues in this context.

Yet, how do you evaluate whether an engagement with a managed detection and response provider is right for your business? Armor feels it is important to evaluate how well any provider delivers on the core “table stakes” capabilities of their area of expertise, where they are innovating and evolving against others in the market, and where they may be weak or have gaps that you have to supplement with other tools and services. To help you with this process, Armor has developed some questions for you to ask your prospective vendor across each of these areas:

Core Capabilities:

  1. How turnkey is your solution? What does deployment and initial configuration of the service look like?
  2. What EDR solution do you use? What features does that endpoint detection tool provide?
  3. How many IR hours are included with the offering and/or how far do you go in providing incident response for my environment?
  4. What threat-detection use cases do you use to detect threats to my environment?
  5. Is your stack your own products or do you integrate best-of-breed tools?

Innovation and Competitive Differentiation:

  1. How are you addressing the cloud and cloud endpoints?
  2. What native integrations do you offer with the cloud providers we use?
  3. To what extent do you ingest and correlate logs from the security tools that I already have in my environment?
  4. What forms of automation does your offering use to reduce key metrics such as dwell time?

Probing Weaknesses and Gaps:

  1. What forms of reporting are offered via the service?
  2. Can I create custom threat-detection use cases for my environment?
  3. What compliance attestation or support do you provide for my environment.

Ultimately, these questions will help you determine how an MDR provider will or will not meet the needs of your business and how they rank against other competitors in the market. Here at Armor, we believe that MDR will continue to grow as a market segment within the cybersecurity landscape, but providers will eventually feel consolidation pressure to deliver these features and capabilities as part of a broader cloud workload protection platform delivered via a Security-as-a-Service model. We ultimately believe that platforms, such as Armor Anywhere, will be able to deliver the advanced threat detection and remediation offered by MDR services, as well as address the concerns of the cloud with cloud security and posture management capabilities and workload security, which evolves with containers, serverless, and traditional VM computing. These combined capabilities will help companies solve problems with talent shortage, alert fatigue and advanced EDR implementations while addressing the unique ways in which the cloud is changing how companies are building applications in the cloud.