What is managed detection and response?

This article was written by an independent guest author.

The last 12 months have seen massive upticks in the frequency, sophistication, and intensity of cyberattacks. This comes at a time when business operations have changed drastically with shifts to more cloud resource use in order to increase access, availability, productivity, and profits.  The challenge for IT has become how to monitor the state of security of this complex mix of systems, platforms, applications, and environments while being able to quickly and effectively respond to detected potential or active threats.

Organizations like yours have long realized their limitations around staffing and expertise to properly address this growing need within a security strategy, causing security service providers to fill the void with managed detection and response services.

What is managed detection and response (MDR)? 

Managed Detection and Response (MDR) is a managed cybersecurity service that provides organizations with 24x7 active monitoring and intelligence-based detection of threats, helping to quickly respond and remediate detected threats. Outsourced teams of experienced security analysts augment your internal team and enhance your security solutions with threat intelligence that is designed to detect advanced threats on endpoints and the network. The analyts also work with your team to define processes and workflows to aid in investigation and remediation activities. In short, MDR provides your organization with a security operations center (SOC) and dedicated analysts working to ensure the security of your environment. Some MDR offerings also include threat hunting as part of the service.

Where does the term MDR come from?

MDR has evolved from Managed Security Service Providers (MSSPs), who historically have offered managing and monitoring of network security, but left the investigation and remediation activity to internal IT teams. This put the burden of identifying real threats and performing incident response actions back on the already overtaxed IT staff. One common challenge for internal IT teams is that no one is a cybersecurity expert; your team is made up of primarily generalists with some degree of specialty. When we’re talking about identifying and responding to a potential cyberattack, your organization needs an expert.

Thus, MDR was born.

MSSPs are more focused on security monitoring and alerting, so MDR takes this much farther by including detection, response, and threat hunting. While both typically utilize vulnerability scanning and Security Incident and Event Management (SIEM) functionality, MDR services use additional solutions that provide visibility all the way down to the endpoint to ensure a complete picture of any potentially malicious activity, as well as response orchestration to automate remediation.

The MDR’s monitoring includes:

• 24x7 alarm monitoring by a SOC team
• The reliance upon state-of-the-art threat intelligence
• Security analyst review and validation of alarms to eliminate false positives and non-actionable alarms, as well as escalation of actionable alarms to a Tier 2 analyst
• Incident investigation and notification to internal IT teams
• Execution of response plans tasked to the SOC team

The key benefits of MDR

MDR provides organizations seeking to have continual security monitoring and response in place with a number of benefits over taking this on internally:

1. SOC complexity is eliminated – it’s going to take a tremendous effort and budget to establish an internal SOC; in many cases quarters to get up and running.  MDR services include the use of a world-class SOC that already exists, meeting the organizations SOC need.
2. Rapid deployment – With a SOC already in place, deploying MDR services takes weeks instead of quarters.
3. Access to security experts – It’s likely your staff is lacking expertise and experience with monitoring, analyzing, identifying, and responding to threats. MDR service providers already have seasoned analysts on staff, augmenting your internal IT team with an instant security team.
4. Better threat detection and response - More accurate and rapid handling of potential threats due to industry-tested security monitoring tools, automated response orchestration, and up-to-date threat intelligence.
5. Far more cost-effective – The building of a SOC, hiring of seasoned analysts, implementing of security solutions, establishing response protocols, etc. all would cost your organization a small fortune. An MDR service becomes little more than a monthly operating expense that alleviates the burden of deploying and maintaining solutions.  There’s no way any organization can put the same caliber of threat detection and response in place more cost-effectively than with an MDR service.

MDR vs SIEM

I’m hoping by now you can already see how MDR is much more than a set of security solutions. But many organizations hold onto their existing use of a SIEM solution that provides similar types of visibility.  Sure, SIEM solutions are incredibly powerful in both providing visibility and performing task automation, but there are a few differences here that should be pointed out:

• SIEM doesn’t come with multiple tiers of security experts who can review, analyze, and respond to alarms; MDR is founded in this staffing model.
• SIEM doesn’t rely on constantly updated threat intelligence like MDR does; it’s usually based on rule sets that indicate a potential threat.
• SIEM is based on event and log data; MDR uses multiple sources of threat detection including endpoint activity to identify threats.
• SIEM is a solution; MDR is a service.

Tips for choosing an MDR solution

When looking for an MDR solution, there will be a lot of feature overlap between the different providers, and understanding what exactly is offered as part of the service is important. When you look to choose the MDR service that’s right for your organization, consider the following:

1. Your Staffing – do you have anyone internal that will assist with response, or do you need an MDR service that handles everything?
2. SOC Staffing – Some MDR offerings included dedicated Tier 1 analysts. Be sure to understand what kind of staffing comes with your MDR choice.
3. The MDR’s visibility – A SIEM or other monitoring tool alone doesn’t provide complete visibility into threat actions.  Ask about the solutions the offering is based on and review the threat visibility provided by the offereing .
4. Detection Capabilities – You must (MUST) hear your MDR choice tell you they use continually update threat intelligence as the bases for their detection.  The bad guys are changing their stripes literally every minute. Your MDR provider’s detection capabilities need to be based on consistently current threat detail.
5. Response Capabilities – Similarly, if you’re not hearing about the MDR service’s automated response orchestration, walk away.  There are far too many threats hitting individual organizations on even a daily basis for any individual to handle them manually.

The path to using an MDR service is an obvious choice for those organizations so serious about monitoring and responding to threats that they are considering an internal SOC. Hopefully the details provided above give you enough context to better understand what you should be getting out of MDR and how to select the right service provider.