Managed detection and response (MDR) is a service that fulfills the needs of organizations that lack the time and resources to be fully capable of identifying risks and detecting, verifying, and responding to threats and/or security incidents.
According to Gartner, a global research and advisory firm, managed detection and response (MDR) vendors provide the following services:
MDR providers may also offer incident validation, continuous monitoring of all IT assets, threat containment, remediation support, and other services. At its core, however, a managed detection and response (MDR) service (sometimes referred to as threat monitoring, detection and response) gives customers modern security operations center (SOC) capabilities: detecting, investigating, verifying, responding to, and analyzing threats.
Wait.
Why did Gartner define “MDR provider” but not “MDR”?
Managed detection and response (MDR) is not a technology; it’s a service.
Most organizations lack the time and resources to be fully capable of identifying risks and detecting, verifying, and responding to threats and/or security incidents. MDR services provide these organizations a turn-key solution to these problems.
For a time, the mean time to detect (MTTD) a threat was about 200 days, over half a year of undetected attacker dwell time. Modern MDR services can now detect and respond to threats within hours, if not faster.
This is one of many factors that has driven significant growth in the managed detection and response (MDR) market over the last few years, and that growth is projected to continue.
In their 2020 Market Guide for Managed Detection and Response, Gartner predicted that by 2025, 50% of organizations would be using MDR services for threat monitoring, detection and response functions that offer threat containment capabilities.
Each managed detection and response (MDR) vendor offers their own unique set of tools and products to detect and respond to threats. In addition to providing MDR services, many vendors also provide other services, such as threat containment and remediation guidance.
However, before you dig into the differences between vendors, it helps to understand what MDR offerings have in common; otherwise clever marketing could have you chasing the same product under different names again and again.
Later in this article, we will discuss the differences between MDR vendors, how to evaluate MDR vendors, and how to determine which vendor is most suitable for your organization’s needs. First, we need to understand why MDR is important and what its benefits are.
In 2016, there were 2 million unfilled cybersecurity positions, a number that is expected to rise to 3.5 million by the end of 2021.
Running an effective, fully in-house security operations center (SOC) is a highly complicated endeavor that requires a plethora of tools and roles to fully and confidently execute. SOCs, unfortunately, often prove to underperform and be too resource-intensive for all but the largest organizations.
Yet even for larger organizations and enterprises, running an effective SOC is still fraught with so many communication, visibility, role, resource, cross-departmental, and complexity concerns (in addition to other internal considerations) that many organizations turn to MDR as a single turn-key solution.
“The first time I took the CISO role was at Facebook. I got great support from the executive leadership, an almost unlimited budget, the ability to grow and hire great engineers, and buy technology. But the most surprising thing is that you realize you can’t buy your way to good security. You literally can’t write a blank check and have great security tomorrow. Security requires long-term investment. It requires you to run alongside the development teams and the business teams, understand them, and help them reduce their risks.”
Joe Sullivan, former CSO at Uber and Facebook, now at Cloudflare, a16z podcast, episode 548
MDR focuses on detection, not compliance and not org-wide security protocols.
Much like other outsourced services, managed detection and response providers give you access to a team of experts for far less than it would cost to hire them. MDR services also typically bundle a range of monitoring, security, and perimeter detection tools, all aimed at detecting intrusions as soon as they occur, before they can do major damage to the rest of the network.
MDR addresses several key challenges for organizations, including the lack of qualified personnel, sophisticated targeted attacks, ransomware, and complicated endpoint detection and response (EDR) tools.
Organizations in 2021 and beyond will face growing pressure to improve cyber resilience as more countries and insurers take stricter stances on ransomware. French insurer AXA, for example, announced it would stop writing policies in France that reimburse ransomware payments. On the other side of the globe, Australia's proposed Ransomware Payments Bill 2021 would require Australian enterprises to disclose ransomware payments to the Australian Cyber Security Centre (ACSC).
MDR providers help your organization avoid sophisticated targeted attacks from escalating into business-altering security incidents; traditional managed security service providers (MSSPs) might not be prepared for the degree of sophisticated attacks MDR providers have experienced in the wild. Here are four quick differences between MDR and MSSP.
Yet another benefit of MDR services is that the provider often performs the testing, threat hunting, sandboxing, and remediation for you. If an artifact or malware is found in your environment, eradication and remediation may already be included in your service; if not, they are usually available under a separate retainer.
There is an ocean of publicly available and subscription-based threat intelligence providers out there, not counting all the threat intel shared by red and blue teams on social media. Even larger organizations struggle to keep their heads above water with list after list of indicators of compromise (IoCs). Yet another benefit of MDR providers is that they often include up-to-date threat intelligence and keep it updated for you.
You need to enhance your organization’s cybersecurity posture. You’ve researched the need for and benefits of managed detection and response (MDR). Now, you’re ready to begin evaluating different MDR vendors and their offerings. Here are six things to keep in mind while going through all the marketing material and buzzwords.
“Response” is currently poorly defined among cybersecurity vendors; it can mean anything from little more than an alert handed to your in-house team to deal with, to full remote recovery of your systems.
Look for response services that perform the investigation for you and show you the results within minutes, even for sophisticated attacks. Make sure those results are correlated forensically across the entire organization into one coherent picture of each step of the attack, and make sure the vendor can fully remediate an attack early in its lifecycle.
Be wary of vendors whose AI handles only a small subset of tasks and pushes most of the detection and investigation workload back onto your analysts (for example, “we detected a lot of malicious activity; here is a ticket for each malicious process for you to work through”).
Some solutions will give you a metric of confidence. Ask these providers to explain the difference between their solution’s 70% and 75% malicious ratings. Is this solution offering a sufficient level of automated triage, or is it just throwing the final decision back to the customer?
Ask potential vendors about their data and their ML methodology. Do any models need to be trained on-site; if so, for how long? Which types of detections tend to produce more false positives? Which types of detections are done without AI? How much of triage and investigations is automated? How often do you retrain? Also, how robust is the model against noise?
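As an added example (not from the original article and not CyCraft's code), here is the kind of check you can run on your own pilot data to put the “70% versus 75%” question to a vendor concretely: bin the vendor's scores, compare the confidence the model claimed with the fraction of alerts your analysts actually confirmed as malicious, and count how much of the queue the score decides on its own versus hands back to you. The alerts, the bin width, and the auto-close/auto-escalate thresholds are constructed assumptions, not real data or vendor defaults.

```python
"""Check whether a vendor's malicious-confidence score means anything on your own data.

Added example, not CyCraft code. PILOT_ALERTS is constructed: each entry is the
vendor's score in [0, 1] and the analyst's verdict after triage (True = malicious).
The bin width and the auto-close / auto-escalate thresholds are assumptions.
"""
from collections import defaultdict

# Constructed pilot data: (vendor score, confirmed malicious?)
PILOT_ALERTS = [
    (0.98, True), (0.95, True), (0.91, True), (0.90, False),
    (0.78, True), (0.76, False), (0.74, True), (0.72, False), (0.71, True),
    (0.65, False), (0.62, True), (0.60, False),
    (0.35, False), (0.30, False), (0.22, False), (0.10, False), (0.05, True),
]


def score_bin(score, width):
    """Lower edge (in percent) of the bin a score falls into; integer math avoids float edge errors."""
    pct = int(round(score * 100))
    return min((pct // width) * width, 100 - width)


def bin_stats(alerts, width=10):
    """Per bin: alert count, observed malicious rate, and the mean score the model claimed."""
    bins = defaultdict(lambda: [0, 0, 0.0])  # lower edge -> [n, malicious, score sum]
    for score, malicious in alerts:
        b = bins[score_bin(score, width)]
        b[0] += 1
        b[1] += int(malicious)
        b[2] += score
    return {k: {"n": n, "observed": m / n, "predicted": s / n}
            for k, (n, m, s) in sorted(bins.items())}


def expected_calibration_error(alerts, width=10):
    """Weighted gap between what the score claims and what triage found; 0 is perfectly calibrated."""
    total = len(alerts)
    return sum(v["n"] / total * abs(v["observed"] - v["predicted"])
               for v in bin_stats(alerts, width).values())


def triage_split(alerts, auto_close_below=0.20, auto_escalate_at=0.90):
    """How much of the queue the score decides on its own, and at what cost in errors."""
    closed = [m for s, m in alerts if s < auto_close_below]
    escalated = [m for s, m in alerts if s >= auto_escalate_at]
    gray = [m for s, m in alerts if auto_close_below <= s < auto_escalate_at]
    return {
        "auto_closed": len(closed),
        "missed_in_auto_close": sum(closed),        # true positives silently dropped
        "auto_escalated": len(escalated),
        "false_escalations": len(escalated) - sum(escalated),
        "back_to_analyst": len(gray),               # the part the vendor's AI did not decide
    }


if __name__ == "__main__":
    for edge, v in bin_stats(PILOT_ALERTS).items():
        print(f"{edge:>3}-{edge + 9:<3} n={v['n']} claimed={v['predicted']:.2f} observed={v['observed']:.2f}")
    print("ECE:", round(expected_calibration_error(PILOT_ALERTS), 3))
    print(triage_split(PILOT_ALERTS))
```

Run it with `width=5` to see whether the 70-74 and 75-79 bins actually differ in observed malicious rate on your data; if they do not, the extra five points of “confidence” carry no information for your analysts. The `back_to_analyst` count is the honest measure of how much triage the AI is really doing.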
All solutions detect, respond, and report back to you, and naturally, each vendor’s technology uniquely analyzes your data. However, how they present this data to you is important. The technology seeing the problem and you, the end user, seeing the problem via the technology are entirely different concepts.
Do “visibility” and “coverage” mean giving you access to terabytes of raw telemetry? Raw telemetry is mostly useful for digital forensics and incident response (DFIR) and for log-retention compliance, not for detecting and responding to live threats.
On the other hand, APT-level attacks (which now include ransomware and supply chain campaigns) can go months without detection. Without telemetry-generating security tools coupled with long-term data retention, researchers and responders (DFIR services) won't have much to work with in a post-breach investigation.
Be sure to have your team that will be using this technology (as opposed to the buyers) evaluate the ease of use, actionability, and thoroughness of the platform dashboard. Is information presented in an actionable way for your team? What is the workflow like? How much friction is there in the UI and UX of the vendor’s platform? Does the platform present that entire attack storyline from initial access into your system or is the storyline segmented into individual processes on individual endpoints?
If your organization hasn’t had the opportunity or resources to thoroughly develop its cybersecurity posture, strongly consider providers that offer a more comprehensive technology stack. If your organization already has tools, consider a provider whose tools complement rather than duplicate yours. Most importantly, remember that tools from different vendors may not play nicely together and can be hard to integrate with other vendors’ platforms; ask about this and check third-party reviews.
Although MDR focuses more on detection than compliance, many MDR vendors do offer services that help organizations meet compliance requirements such as GDPR and CCPA. As your organization grows, compliance, like cybersecurity, becomes more important and more complicated; it’s advisable to handle these issues early on to avoid trouble further down the road.
There are many questions that you need to know the answers to before you even begin evaluating MDR vendors. Here are a few.
What is your current technology stack?
What is your current coverage?
Who are the major cyber threat actors targeting your industry?
Who are the major threat actors targeting your geographical location?
What are their common techniques and tactics?
What is your current coverage in comparison to the active and emerging threat actors you listed?
Have you mapped your defenses onto the MITRE ATT&CK and D3FEND framework?
Are you familiar with the MITRE ATT&CK and D3FEND frameworks?
If you answered “no” to that last question, here is a quick reading list to bring you up to date on the common language used across the cybersecurity industry.
1. Introduction | What is MITRE ATT&CK?
2. Behind the Curtain | Who is MITRE?
3. ATT&CK Evaluations | Complete Guide to Understanding the Round 2 Results
4. ATT&CK Evaluations | Introductory Guide to Understanding Round 3 Results
5. ATT&CK Evaluations | In-depth Guide to Understanding the Round 3 Results
6. What is D3FEND? | FAQ
There are multiple avenues open to you to evaluate MDR vendors — each with its own advantages and shortcomings. Here are a few places to get started.
Analyst Reports
There are many research and advisory firms for technology in the world; however, none have reached the impact that Gartner has.
While we will focus on Gartner for this article, there are others we also recommend, including Forrester Research, IHS Markit, HfS Research, Ponemon Institute, IDC, Everest Group.
Since the 1980s, the Gartner Magic Quadrant (MQ) and its accompanying reports have been providing leadership with insights into a growing market’s trends, maturity, direction, niche players, challengers, visionaries, and leaders.
Gartner MQ provides a snapshot of vendors in the market but also affects the market as well, with vendors in the leadership quadrant gaining much attention. A separate industry complete with books, webinars, and snake oil exists solely to aid vendors in moving their dot on the MQ up and to the right.
However, do not make the mistake of ignoring the other 3 quadrants. One Niche Player could exclusively focus on your industry and geographic region, easily making them worth looking into. Also, if you consider yourself to be early adopters of tech, then the bottom half of the MQ should prove more interesting to you — with late adopters focusing on the upper half.
While the MQ model has seen much use across multiple sectors, it does have its own shortcomings. For example, if a market proves to be too immature (such as vendors offering low-Earth-orbit satellite services or quantum computing), the MQ model would have too little data with vendor dots rapidly shifting quadrants. Whereas with a mature market, vendor dots would rarely move, if at all, as Leaders would most likely have been in the upper right quadrant for quite some time. In addition, the MQ model takes 6 months to a year to compile and, in doing so, becomes a snapshot of the market from a year ago.
Gartner started publishing annual Market Guides with a list of “sample vendors” as opposed to the MQ’s method of categorizing vendors. (Forrester has also followed suit with their annual Tech Tide reports.) Gartner Market Guides give insight into current market trends and future projections while keeping them in the context of the buyer’s size, with small, medium, and large enterprises.
In 2015, Gartner launched Peer Insights, allowing buyers and leadership to (hopefully) cut through marketing wordsmithing or potential analyst bias and hear directly from fellow buyers who have used the tools and services of a vendor.
In 2018, the MITRE Corporation launched the MITRE ATT&CK Evaluations, in which MITRE tests the efficacy of cybersecurity products using an open methodology based on its publicly available ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) framework, a living, growing knowledge base of tactics, techniques, and procedures (TTPs) used by advanced persistent threats (APTs) and other threat actors. Nearly any post-compromise behavior an attacker exhibits on a victim system can be expressed as one or more ATT&CK techniques.
The ATT&CK Evaluations are extremely useful to end users of cybersecurity solutions as it provides transparency and publicly available data to the true efficacy of some of the leading cybersecurity products in the world.
ATT&CK Evaluation results also provide screenshots of cybersecurity solutions at work, granularly detail what is happening in each screenshot, and provide insight into a cybersecurity solution’s approach to security.
Each year (or “round”) of the ATT&CK Evaluations has cybersecurity vendors pitting their solutions against MITRE team-created emulations of known APTs (whose names somehow get progressively cooler with each round).
Round 1 (2018) Emulation — APT3
Round 2 (2019) Emulation — APT29
Round 3 (2020) Emulation — FIN7 & Carbanak
Round 4 (2021) Emulation — Wizard Spider & Sandworm
As mentioned earlier, each round MITRE Engenuity emulates a real-world threat. Additionally, the last two rounds and the upcoming 4th round each focused on a differently motivated threat group. Depending on which active and emerging threats you’d like to focus on, you may have more interest in researching one round over another.
The detection categories and scoring have changed between rounds, and each round emulates a different adversary, so get at least a cursory understanding of each round’s adversary and methodology before comparing results.
In general, pay close attention to vendors that achieved more General, Tactic, and Technique detections out of the box, with zero configuration changes; that is what you can actually expect from the product as delivered. Vendors that rely substantially on Telemetry-only detections, or on configuration changes made during the evaluation, will not behave that way in your environment. This matters most if your goal is detecting and preventing intrusions rather than merely being good at post-intrusion incident response.
If your MDR vendor can’t detect something in an actionable way, then no one can respond to it, leaving you vulnerable, despite the vendor’s claims otherwise.
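As an added example (not CyCraft’s code and not MITRE’s published evaluation data), the script below turns the checklist questions from earlier in the article (which actors target you, which techniques they use, what your coverage is against them) and the out-of-the-box versus configuration-change distinction into a gap report you can put in front of a vendor. The actor technique lists and the vendor results are constructed placeholders; the detection category names follow the ATT&CK Evaluations (None, Telemetry, General, Tactic, Technique) in simplified form, with the configuration-change modifier reduced to a flag.

```python
"""Map a vendor's ATT&CK coverage against the techniques of the actors that target you.

Added example, not CyCraft code and not MITRE's published evaluation data. ACTOR_TTPS and
VENDOR_RESULTS are constructed placeholders. Detection categories use the ATT&CK
Evaluations names (None, Telemetry, General, Tactic, Technique) in simplified form,
with a flag for detections that only appeared after a configuration change.
"""
from collections import defaultdict
from dataclasses import dataclass

# Categories that tell the analyst what happened, as opposed to Telemetry, which only
# records that something happened and leaves the interpretation to the analyst.
ANALYTIC = {"General", "Tactic", "Technique"}


@dataclass(frozen=True)
class Detection:
    technique: str       # ATT&CK technique ID
    category: str        # best category achieved for that technique
    config_change: bool  # True if it needed a configuration change after deployment


# Constructed: techniques per actor profile (placeholder lists, not an intel report).
ACTOR_TTPS = {
    "actor-A": {"T1566.001", "T1059.001", "T1003.001", "T1021.002", "T1486"},
    "actor-B": {"T1190", "T1059.003", "T1053.005", "T1071.001", "T1048.003"},
}

# Constructed vendor results (placeholder). Techniques absent here were not detected.
VENDOR_RESULTS = [
    Detection("T1566.001", "Technique", False),
    Detection("T1059.001", "Technique", False),
    Detection("T1003.001", "Tactic", True),
    Detection("T1021.002", "Telemetry", False),
    Detection("T1190", "General", False),
    Detection("T1059.003", "Technique", False),
    Detection("T1071.001", "Telemetry", True),
]

BUCKETS = ("actionable_oob", "telemetry_only", "config_change_only", "uncovered")


def bucket_for(detection):
    """Sort one technique's result by how much the vendor actually gives you as delivered."""
    if detection is None or detection.category == "None":
        return "uncovered"
    if detection.config_change:
        return "config_change_only"
    if detection.category in ANALYTIC:
        return "actionable_oob"
    return "telemetry_only"


def coverage_report(actor_ttps, results):
    """Per actor: technique IDs in each bucket plus the share detected actionably out of the box."""
    by_technique = {d.technique: d for d in results}
    report = {}
    for actor, ttps in actor_ttps.items():
        buckets = defaultdict(list)
        for tid in sorted(ttps):
            buckets[bucket_for(by_technique.get(tid))].append(tid)
        report[actor] = {name: buckets[name] for name in BUCKETS}
        report[actor]["actionable_oob_pct"] = round(100 * len(buckets["actionable_oob"]) / len(ttps), 1)
    return report


def priority_gaps(report):
    """Techniques with no actionable out-of-the-box coverage, for the vendor conversation."""
    gaps = set()
    for r in report.values():
        gaps.update(r["uncovered"], r["telemetry_only"], r["config_change_only"])
    return sorted(gaps)


if __name__ == "__main__":
    rep = coverage_report(ACTOR_TTPS, VENDOR_RESULTS)
    for actor, r in rep.items():
        print(actor, f"{r['actionable_oob_pct']}% actionable out of the box; uncovered: {r['uncovered']}")
    print("raise with vendor:", priority_gaps(rep))
```

Replace the placeholder lists with the technique IDs from your own threat profile and the vendor’s per-technique results, and the `actionable_oob_pct` figure becomes the number to compare across vendors; the `config_change_only` and `telemetry_only` buckets are the ones to ask each vendor to explain.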
“Small and mid-sized organizations often do not have the resources to fully address the complexity, variability, speed, and sophistication of modern cyber threats. These orgs often face the same cyber threats that large orgs do, putting them at a distinct disadvantage. To address those challenges, small and mid-sized organizations are increasingly adopting cost-effective MDR.”
CyCraft, Securing Small, Medium, and Large Orgs for the 2020s, 22 December 2020
In cybersecurity, and in this context in particular, the size of your enterprise matters less than your level of security maturity. Over the last decade we saw plenty of large enterprises suffer the aftermath of a breach because of immature security standards and practices.
At the lowest maturity level, SOC and IT teams are familiar with cybersecurity industry terms and typically rely on an MSSP and/or MDR because their team of analysts is small.
Use the Technology Comparison tool on attack sub-steps. Try following the line of thought below to help narrow down vendor solutions that best suit your environment.
At the middle maturity level, SOCs have full-time analysts with sufficient technical knowledge, and the more detailed, contextual, and actionable information they are given, the better. Some analysts on such a team will want very detailed data, while others may consider free tools such as Microsoft’s Sysmon sufficient and a way to save money.
Try following the line of thought below to help narrow down vendor solutions that best suit your environment.
The third point is particularly important. If you only see the commands (process command line, PowerShell command line, etc.) but not the system-level behavior behind them (API calls, file events, etc.), the collected data is of limited value.
Your full-time team of information security analysts operates in an ocean of alerts where drowning is not an option. Analyzing raw data 24 hours a day isn’t ideal either — at least, not for humans; however, automated alert triage and automated alert validation are only part of the answer.
Large-sized enterprises could have hundreds of thousands of endpoints. The ability to detect and verify malicious activity on any one endpoint is great, but being able to correlate malicious activity across the entire network is what you really need. This allows your team to gain the full context of the attack from initial access to attack operation objectives.
Try following the line of thought below to help narrow down vendor solutions that best suit your environment.
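As an added example (constructed telemetry, not CyCraft code and not a real capture), the script below shows why the file and network events matter and what cross-endpoint correlation looks like in practice: it rebuilds the process ancestry on the origin host, attaches the file the process wrote, and links the outbound SMB connection to the process that a remote-execution service spawned on the destination host shortly afterwards. The host-to-IP mapping, the list of remote-execution parent processes, the lateral-movement ports, and the 60-second window are assumptions.

```python
"""Rebuild an attack storyline across two endpoints from Sysmon-style telemetry.

Added example, not CyCraft code. EVENTS is constructed to resemble Sysmon ProcessCreate
(EventID 1), NetworkConnect (EventID 3) and FileCreate (EventID 11) records; it is not a
real capture. HOST_IPS, REMOTE_EXEC_PARENTS, LATERAL_PORTS and WINDOW_S are assumptions.
"""
from collections import defaultdict

HOST_IPS = {"10.0.0.11": "WS01", "10.0.0.22": "SRV02"}   # assumed asset inventory
REMOTE_EXEC_PARENTS = {"services.exe", "wmiprvse.exe", "wsmprovhost.exe"}  # assumed
LATERAL_PORTS = {445, 135, 5985}   # SMB, RPC, WinRM
WINDOW_S = 60                      # max seconds between connection and remote spawn

# Constructed sample telemetry; "t" is seconds from the start of the capture.
EVENTS = [
    {"t": 0,  "id": 1,  "host": "WS01",  "pid": 400, "ppid": 1,   "image": "outlook.exe",    "cmd": "outlook.exe"},
    {"t": 5,  "id": 1,  "host": "WS01",  "pid": 500, "ppid": 400, "image": "winword.exe",    "cmd": "winword.exe invoice.docm"},
    {"t": 9,  "id": 1,  "host": "WS01",  "pid": 600, "ppid": 500, "image": "powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc UwB0AGEAcgB0AA=="},
    {"t": 12, "id": 11, "host": "WS01",  "pid": 600, "target": "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe"},
    {"t": 20, "id": 3,  "host": "WS01",  "pid": 600, "dst": "10.0.0.22", "dport": 445},
    {"t": 0,  "id": 1,  "host": "SRV02", "pid": 700, "ppid": 1,   "image": "services.exe",   "cmd": "services.exe"},
    {"t": 31, "id": 1,  "host": "SRV02", "pid": 800, "ppid": 700, "image": "update.exe",     "cmd": "C:\\Windows\\Temp\\update.exe"},
]


def index_processes(events):
    """host -> {pid: ProcessCreate event}."""
    procs = defaultdict(dict)
    for e in events:
        if e["id"] == 1:
            procs[e["host"]][e["pid"]] = e
    return procs


def ancestry(procs, host, pid):
    """Walk parent pointers back to the root: [root image, ..., this image]."""
    chain, seen = [], set()
    while pid in procs[host] and pid not in seen:
        seen.add(pid)
        chain.append(procs[host][pid]["image"])
        pid = procs[host][pid]["ppid"]
    return chain[::-1]


def lateral_links(events, procs):
    """Pair an outbound connection on a lateral-movement port with a process that a
    remote-execution service spawned on the destination host shortly afterwards."""
    links = []
    for c in events:
        if c["id"] != 3 or c["dport"] not in LATERAL_PORTS:
            continue
        dst_host = HOST_IPS.get(c["dst"])
        if dst_host is None:
            continue
        for p in procs[dst_host].values():
            parent = procs[dst_host].get(p["ppid"])
            if parent and parent["image"] in REMOTE_EXEC_PARENTS and 0 <= p["t"] - c["t"] <= WINDOW_S:
                links.append((c["host"], c["pid"], dst_host, p["pid"]))
    return links


def storyline(events, host, pid):
    """Ordered steps from one process outward: ancestry, files it dropped, hosts it reached."""
    procs = index_processes(events)
    steps = [f"{host}: " + " -> ".join(ancestry(procs, host, pid))]
    for e in events:
        if e["id"] == 11 and e["host"] == host and e["pid"] == pid:
            steps.append(f"{host}: {procs[host][pid]['image']} wrote {e['target']}")
    for src_host, src_pid, dst_host, dst_pid in lateral_links(events, procs):
        if (src_host, src_pid) == (host, pid):
            steps.append(f"{src_host} -> {dst_host}: remote execution of {procs[dst_host][dst_pid]['image']}")
            steps.append(f"{dst_host}: " + " -> ".join(ancestry(procs, dst_host, dst_pid)))
    return steps


if __name__ == "__main__":
    for step in storyline(EVENTS, "WS01", 600):
        print(step)
```

Note that the second and third steps of the storyline come only from the FileCreate and NetworkConnect events. A collector that records only process command lines would show three processes on WS01 and an unrelated update.exe on SRV02, with nothing connecting them; that is the gap the “system-level behavior” point above is about, and it is the same gap that breaks a storyline into individual processes on individual endpoints.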
The MDR market can be tricky to navigate. It’s easy to get distracted by all the smoke and mirrors produced from clever marketing buzzwords, biased reports, fear-focused advertising, and hype. Hopefully, this article provided you a decent layout of the MDR cybersecurity landscape and an actionable roadmap to success. If you should ever find yourself lost out there, contact us and let us know. We’re here to help. Happy hunting.
Writer: CyCraft
CyCraft (サイクラフト) is a cybersecurity company specializing in AI-driven automation technology. Founded in 2017, it is headquartered in Taiwan with overseas offices in Japan and Singapore, and serves government agencies, police and defense agencies, banks, and high-tech manufacturers across the Asia-Pacific region. Its AI and machine-learning solutions have earned strong backing from the CID Group and from Pavilion Capital under Temasek Holdings, recognition in multiple categories from leading international research firms such as Gartner, IDC, and Frost & Sullivan, and a number of domestic and international awards. CyCraft also participates in multiple security communities and conferences in Japan and abroad and has long contributed to the development of the security industry.