What is MDR?
Managed detection and response (MDR) solutions identify active threats across an organization and then respond to eliminate, investigate, or contain them. MDR has increased in visibility and importance as organizations realize that no level of investment will provide 100% protection against threats, and as the scale and complexity of the security challenge becomes intractable for individual organizations, regardless of size.
What Problems Does Managed Detection and Response (MDR) Solve?
Today, organizations are under constant threat of data loss and disruption from security breaches. These threats are increasing with more sophisticated attacks, the expansion of remote working, and employee susceptibility to nuanced social engineering tactics.
Unfortunately, security is complex, and the threats are unrelenting. Few organizations have the experts and resources required to protect themselves. According to (ISC)2, businesses face a global IT security skills shortage that has now surpassed four million unfilled positions.
Facing budget constraints that restrict the purchase of more security technology, and lacking sufficient security staff, businesses are turning to service providers for Managed Detection and Response solutions, now one of the fastest-growing segments in the cybersecurity market.
MDR addresses the challenge of an expanding threat surface and constantly evolving attacks by providing a platform and experts capable of minimizing the likelihood or impact of successful attacks on organizations.
In this early phase of the MDR market, vendor capabilities and value vary. As with much of the security industry, there are different approaches to managed detection and response. Gartner says customers should be careful about pretenders that have incomplete MDR offerings, and according to Forrester, providers without a strong background in threat response are launching MDR services which could result in disaster if a high-profile incident occurs.
How Does MDR Work?
MDR works by integrating a security platform with analytics and expert-led services to provide threat detection and response recommendations across cloud, hybrid and on-premises environments and endpoints. It does this by identifying all assets, profiling their risks, and then collecting activity information from logs, events, networks, endpoints and user behavior. Threats and vulnerabilities are researched in the wild and codified so that the MDR provider recognizes them quickly when they appear; MDR analysts then take over to validate incidents, 24/7, escalating critical events and providing recommended response actions so that threats can be remediated.
MDR integrates technology and analytics with experts to provide services across an entire attack surface
Benefits of Managed Detection and Response
New vulnerabilities are discovered, and some attacks will succeed. MDR providers minimize the likelihood that those vulnerabilities will be discovered and exploited, and minimize the time in which a successful attack can survive in a protected environment.
As such, MDR providers offer organizations a way to improve their security posture, acting as an extension of their security or IT team. To ensure effectiveness, MDR providers must offer a service level agreement (SLA) that highlights their committed response time in cases where they detect an attack.
In addition, when threats develop or vulnerabilities appear, organizations can contact their MDR provider's experts, who will be familiar with the organization's systems and can tailor their responses appropriately. An MDR solution must provide visibility across an organization's estate, as many attacks and vulnerabilities will only be addressable with information enriched by all of the affected systems and infrastructures.
What Makes an Effective MDR Solution?
An effective MDR solution provides protection for on-premises and cloud environments and endpoints, and it must offer security tools that are easy to deploy and scale up to detect threats lurking in thousands of events. Organizations cannot be required to configure, update, or even understand the complexities of ingesting, normalizing, distilling, and analyzing the massive volume of security data in order to render MDR operational.
With that in mind, there are seven core tenets that are required for an effective MDR solution:
Reduce Attacks
Reduce the likelihood or impact of successful attacks.
24/7 Visibility
Provide 24/7 visibility and cover all assets in an organization.
Research New Threats
Continuously be refreshed with research on new threats and vulnerabilities.
Human Intelligence
Augment technology with human intelligence to ensure accuracy and value.
Custom Responses
Provide custom responses that reflect business and attack context and cause.
Technical Analysis and Human Insights
Scale to deliver technical analysis and human insights across dynamic environments.
Credible Reporting
Deliver results and reporting that are credible, accessible, and useful.
MDR vs MSSPs
Managed Detection and Response vendors, by definition, deliver comprehensive detection and appropriate response services to their customers. MDR integrates a curated set of technologies, advanced analytics, and human expertise, in a single service they manage, ensuring that all of the components remain current, updated, functioning, and working seamlessly together.
Managed Security Service Providers (MSSPs), in contrast, provide a wide range of services that includes third-party security tool installation, administration, monitoring, and reporting. They are typically expert in the operation of multiple security toolsets, but do not invest heavily in specific areas of MDR such as threat research, threat intelligence, or threat analytics. They are most successful when integrating third-party tools into processes for which they cannot control the roadmap. They are tasked with full security capabilities, and do not focus or adequately invest in the research or staffing required to perform managed detection and response.
Some MSSPs recognize this and outsource the detection and response aspects of their service to MDR vendors.
What to Look for When Considering Managed Detection and Response
Effective MDR security solutions should be easy to deploy, and should integrate network, log and endpoint-based detection technologies with first-class threat intelligence and active threat hunting. In delivering MDR, they should provide 24/7 support, and offer dedicated analysts to customers on a personal, first-name basis.
Managed Detection and Response pricing and licensing should have the flexibility to meet the unique needs and budget of every organization.
These are required capabilities for an effective MDR solution:
Reduce Attacks
Reduce the likelihood of a successful attack with immediate action to limit the access of the vulnerable or compromised entity by restricting network access and egress or reducing user roles and privileges.
24/7 Visibility
Provide complete visibility of the environment and 24/7 monitoring by expert security professionals with the skills and experience necessary to effectively manage detection and response to attacks.
Human Intelligence
Detection must be combined with human intelligence for credible validation prior to any calls for response. The complexity and changing context of some potential security events call for analysis and prioritization by expert reviewers.
Continuous Research
Include continuous research performed by experienced analysts to augment security tools and technologies. This research also enables prioritization of risk from those threats, measured by the likelihood and current instances of similar attacks in the wild.
Credible Reporting
Provide reporting that is credible and useful for compliance, governance, and risk reports that require information from different systems across the organization.
Custom Responses
Offer custom responses for each organization’s unique environment by enriching security event notifications with additional data prior to taking any active step to mitigate the threat.
Automated Continuous Information
Scale in support of customer needs using automated continuous information gathering and analytics to provide high-quality indications of attack for further analysis, eliminating dwell time.
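As an added example (not Alert Logic's code or platform), the following Python sketches the workflow described under "How Does MDR Work?" and the response actions under "Reduce Attacks": constructed log lines are normalized, matched against codified detection rules, scored against each asset's risk profile, and critical matches are escalated with a recommended response while lower-scoring matches go to an analyst review queue. The asset names, rules, thresholds and log lines are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed asset inventory with a risk profile per host (1 = low, 3 = business critical).
ASSETS = {"web-01": 3, "db-01": 3, "laptop-17": 1}

# Codified threat research: (rule name, pattern, base severity, recommended response).
RULES = [
    ("ssh_bruteforce", re.compile(r"sshd.*Failed password.*from [\d.]+"), 2,
     "restrict network access from the source address"),
    ("priv_escalation", re.compile(r"sudo: .*COMMAND=/bin/bash"), 3,
     "reduce user roles and privileges; validate the session"),
    ("sql_dump", re.compile(r"mysqldump.*--all-databases"), 3,
     "block egress from the host and preserve evidence"),
]

@dataclass
class Alert:
    rule: str
    asset: str
    score: int      # rule severity x asset criticality
    response: str   # recommended action handed to the customer
    count: int = 1  # repeated hits on the same rule/asset are aggregated

def parse(line):
    """Normalize a constructed '<timestamp> <host> <message>' line; None if malformed."""
    m = re.match(r"(\S+) (\S+) (.*)", line)
    return None if not m else {"ts": m.group(1), "host": m.group(2), "msg": m.group(3)}

def detect(lines, escalate_at=6):
    """Return (escalated, for_review). Events from unknown hosts are dropped because
    they have no risk profile; matches at or above escalate_at are escalated,
    the rest are queued for analyst validation."""
    alerts = {}
    for line in lines:
        ev = parse(line)
        if not ev or ev["host"] not in ASSETS:
            continue
        for name, pat, sev, resp in RULES:
            if pat.search(ev["msg"]):
                key = (name, ev["host"])
                if key in alerts:
                    alerts[key].count += 1
                else:
                    alerts[key] = Alert(name, ev["host"], sev * ASSETS[ev["host"]], resp)
    escalated = sorted((a for a in alerts.values() if a.score >= escalate_at),
                       key=lambda a: -a.score)
    review = [a for a in alerts.values() if a.score < escalate_at]
    return escalated, review

# Constructed sample log lines, including an unknown host and a malformed line.
LOGS = [
    "2024-01-01T10:00:01Z web-01 sshd[1201]: Failed password for root from 203.0.113.5 port 4022",
    "2024-01-01T10:00:02Z web-01 sshd[1201]: Failed password for root from 203.0.113.5 port 4023",
    "2024-01-01T10:00:09Z laptop-17 sshd[88]: Failed password for alice from 198.51.100.7 port 5000",
    "2024-01-01T10:01:00Z db-01 sudo: svc : TTY=pts/0 ; COMMAND=/bin/bash",
    "2024-01-01T10:01:30Z db-01 mysqldump: --all-databases started by svc",
    "2024-01-01T10:02:00Z unknown-host sshd: Failed password for root from 203.0.113.5",
    "garbage line",
]

if __name__ == "__main__":
    escalated, review = detect(LOGS)
    for a in escalated:
        print(f"ESCALATE {a.rule} on {a.asset} (score {a.score}, hits {a.count}): {a.response}")
    for a in review:
        print(f"REVIEW   {a.rule} on {a.asset} (score {a.score}, hits {a.count})")
```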
Alert Logic MDR
Alert Logic MDR is the industry’s first SaaS-enabled managed detection and response (MDR) provider with purpose-built technology and security experts that help identify and respond to breaches.
Intelligence Driven by Data and Humans
Alert Logic leverages industry data, continuous research from our threat intelligence team, and machine learning from the aggregated data of thousands of customers.
Scalable MDR Platform
Alert Logic’s proprietary platform analyzes network traffic and more than 60 billion log messages each day, providing coverage across an entire attack surface.
Single Point of Contact
A broad range of security, technology, and customer experience professionals are assigned to each customer, providing a personalized level of service that considers the context of your organization and role.
Endpoint Detection and Response
Alert Logic’s endpoint detection thwarts multiple attack techniques that try to compromise your endpoints.
Compliance Coverage
Alert Logic provides complete compliance solutions that give customers peace of mind and deliver on best practices for PCI DSS Compliance, HIPAA HITECH, GDPR, Sarbanes-Oxley (SOX), SOC 2 compliance, NIST, ISO, COBIT, and other mandates.