When dealing with the latest and most serious threats, cybersecurity leaders and teams need all the help they can get. One weapon to consider adding to the arsenal of tools is managed detection and response (MDR).
MDR services provide organizations with the functionality of a managed security operations center (SOC), delivered remotely. As noted by research firm Gartner, these functions enable organizations to quickly detect, analyze, investigate and actively respond through threat mitigation and containment.
MDR service providers offer a turnkey experience, the firm said, using technologies covering areas such as endpoints, networks and cloud services, to collect relevant logs, data and contextual information. “This telemetry is analyzed within the provider’s platform using a range of techniques,” it said. “This process allows for investigation by experts skilled in threat hunting and incident management, who deliver actionable outcomes.”
MDR is a proactive approach to cybersecurity
One of the appealing aspects of MDR is that it takes a proactive approach to cybersecurity, something many companies are striving for today as a way to stop attacks. Also appealing, particularly for small and mid-sized businesses (SMBs) with limited security budgets, is that these services deliver capabilities that the companies themselves typically are not able to provide on their own.
MDR services are evolving to include a larger set of technologies and coverage, beyond endpoint detection and response (EDR), Gartner said in its Market Guide for Managed Detection and Response Services released in October 2021. “However, a turnkey technology stack is still a core requirement for buyers who expect extension of service into areas such as cloud security,” it said.
The guide recommends that security and risk management leaders responsible for security operations use MDR services to obtain continuous, remotely delivered SOC capabilities when there are no existing internal capabilities, or when the organization needs to accelerate or augment existing security operations capabilities.
They should assess how an MDR provider’s containment approach can integrate with their own policies and procedures, and whenever practical accept the MDR provider’s threat containment and disruption actions on their behalf to enable quick responses to detected threats.
Gartner said companies can attain the maximum benefit from MDR services by preparing response workflow processes and integrating existing ticket management systems to ensure a business-centric response to threats. They should investigate whether the MDR provider’s technology or supported set of technologies fits with the company’s existing security controls and IT environment, including on-premises and cloud.
What are the basic capabilities when shopping for MDR services?
Here are some of the basic capabilities companies should look for when evaluating MDR services, according to the guide:
- A provider-owned and -managed technology stack that specifically enables real-time threat monitoring, detection, investigation and active mitigating response.
- Staff that engages with customer data daily and has the skills and expertise in threat monitoring, detection and hunting, threat intelligence and incident response.
- Predefined and pre-tuned processes and detection content that includes a standard playbook of workflows, procedures and analytics.
- The ability to offer remote response mitigation, investigation and containment activities beyond alerting and notification.
Newer elements of MDR are emerging in the market, the report said, but are not yet commonplace. One is an expansion into other security operations functions such as exposure management and digital forensics and incident response (DFIR).
“A typical pattern observed among organizations that are less mature in their security operations is to start with threat detection and response capabilities and then expand the services used from the provider to improve other areas of security operations,” the firm said. “Exposure management capabilities help with the prevention of attacks by reducing the exposures in the customer’s environment, user accounts and cloud applications.”
Other new areas include the ability to monitor cloud infrastructure and platform services, as well as popular software as a service (SaaS) applications; the use of validation-type capabilities such as breach and attack simulation (BAS) and penetration testing as a service to test and understand threat scenarios in an environment on a continuous basis; and self-service additions to the common platform such as multi-source data investigation tools that enable internal security staff to use data collected by the MDR provider for functions such as threat hunting.
MDR services are not a perfect fit for all organizations, Gartner notes. A variety of delivery styles for these services align with different types of companies. Some might benefit from a combination of MDR services and more complex or customized offerings.
“It is important to have clearly defined outcomes and goals that address defined use cases, and a solid understanding of what the future steady state looks like once engaged with an MDR provider,” the guide said. “As with any outsourcing initiative, if outcomes are not defined, regardless of what service provider is used, the chance of success will be lessened.”
But MDR does seem like an ideal fit for many SMBs. Just as it makes sense for smaller companies to use managed security services providers to help address security concerns when they don’t have the internal expertise, it makes sense to deploy MDR.
Hiring highly skilled security analysts experienced in network monitoring can be difficult when such skills are in high demand and short supply, and it can be prohibitively costly for businesses on a tight cybersecurity budget. An MDR provider that delivers fully staffed endpoint protection and response services can be the solution for these companies.
The future of MDR in cybersecurity
Demand for MDR is on the rise. Gartner noted that interest in the market continues to grow, and the firm observed a 35% growth in end users’ inquiries on the topic in the last year. It estimates that by 2025, the MDR market will reach $2.15 billion in revenue, up from $1.03 billion in 2021. That represents a compound annual growth rate of 20%.
Gartner also noted that while MDR can be a compelling offering, like all types of managed security services it is not an all-encompassing solution.
“Security and risk management leaders are advised to focus on the ‘outcomes’ of MDR services and identify the best way to integrate an MDR service provider’s outputs and coverage into their own internal incident response processes,” the firm said. “Fine-tuning the security processes is critical if you hope to improve overall outcomes. It is also important to allow internal resources to work with your providers. This will improve outcomes and help maintain good working relationships with providers.”
To learn more about Bitdefender’s MDR Service, click here.
Get to know the Bitdefender experts who work in the SOC here.