Guest Contributor: Fran Howarth, Practice Leader, Security, for Bloor Research
It has long been said that security requires a three-pronged approach — people, process, and technology. This is especially true where incident response is concerned, and managed detection and response (MDR) services can help provide all of these elements. This blog discusses how the MDR market came about and how it has evolved over time. In 2022, response capabilities will be the key differentiator.
MDR Continues to Evolve
2016: MDR is born
The term MDR was coined to differentiate it from the broader, rapidly commoditizing services offered by general managed security service providers (MSSPs), which focused more on maintaining security equipment and on preventive security measures, rather than broad-based detection capabilities.
MDR services were developed to help organizations overcome of the challenges of increasingly complex and sophisticated threats and an overwhelming volume of point security products. MDR solutions enable more effective threat detection and provide guided response to security incidents through a combination of technology and human expertise.
2019: Gaining mainstream traction
MDR really began to gain mainstream traction in 2019, partly to resolve the problems caused by the increasing difficulties involved in sourcing, hiring and retaining skilled personnel, of which the shortage is recognized on a worldwide basis. Many organizations were focusing on preventing threats with the limited resources they had available, but were looking for help with advanced security needs. MDR services provided the more advanced help that they needed to tackle today’s sophisticated security problems.
2020 through today: expanding capabilities
Over the past two years, vendors have worked to expand the breadth and depth of their MDR capabilities, particularly around detection, largely due to the rapid move to the cloud to accommodate remote workers. The 451 Group estimates that 52% of workloads will be primarily executed in the cloud in 2022, and MDR providers have taken heed and expanded their services to cover cloud environments, helping to reduce detection blind-spots caused by the expanded attack surface.
Present day: the need for better response
As threats continue to grow, amplifying detection capabilities won’t be enough — response is likely the next battleground. According to EY, 77% of firms saw an increase in disruptive attacks in 2021, but only 9% of boards are extremely confident in their organization’s risk and mitigation measures, down considerably from 20% the previous year. All the while, 36% agree that underfunding means that it is only a matter of time before they suffer breaches that could have been avoided. The ability to effectively respond to incidents becomes the new imperative.
Incident response capabilities, when not built on a retained bench of experts, often fall under the acronym SOAR (security orchestration, automation, and response). SOAR is not a new capability, having been around for some years now. It aims to help organizations respond effectively to security events through telemetry that has been gathered, correlated, and analyzed from multiple sources throughout the network. SOAR has brought an element of automation to the incident response process, which has historically fully relied on human expertise. As a result, the market for SOAR has grown, but that growth has been hampered to a certain extent due to the difficulties of implementing such a complex technology. The result is that many SOAR vendors have been acquired and stand-alone SOAR has only really been viable for very large enterprises with sufficient budget and resources.
2022: The Year of Intelligent Response
As MDRs mature, and response starts becoming more relevant, the strength of a vendor’s detection capabilities will underpin its response capabilities. As part of this, automation is essential yet, while SOAR builds on automation capabilities, full automation is not always appropriate. To achieve a successful outcome, while ensuring that other problems do not creep in, human intervention in the process is often required in order to understand context so that informed, intelligent decisions can be made.
Democratizing Response
MDR service providers can help address the gaps in the automation process by bringing human expertise and guidance into the mix in one package. The intimate knowledge that they gain of an organization’s environment and IT estate will provide significant insights as to where automation is best applied.
Experts at an MDR provider can advise on where automation of the incident response process is viable versus where human guidance will be more beneficial, which they can provide for the organization. For some, full automation is a panacea that they would like to realize, but most would agree that verification of actions to take by a knowledgeable and experienced human will make for a far better outcome.
The ability to coordinate response actions using a combination of automation and human expertise to achieve desired outcomes makes MDR services suitable for the needs of organizations of all sizes, not just the largest. MDR providers are arguably in the best position to help organizations to make intelligent response a reality. For these reasons, response will become a key differentiator for MDR vendors in 2022.
