From Managed Detection and Response (MDR) to Managed Security Service Providers (MSSPs) to Security Information and Event Management (SIEM), deciding on the right threat detection solution for your business is not easy.
In this article, we aim to cut through the jargon by outlining how these solutions compare, their potential challenges and their impact on organisations’ security posture.
What is SIEM?
SIEM is a threat detection technology that combines the event monitoring, correlation and notification capabilities of security event management (SEM) with the analysis, retention and reporting functions of security information management (SIM). It is made up of integrated log management and monitoring tools that can help your organisation to detect targeted attacks and data breaches. SIEM helps to boost your security by aggregating and analysing log data from devices, infrastructure, systems and applications, and generating alerts for your security team to review and respond to.
SIEM solutions enable your business to improve visibility of cyber security threats inside your network. They can also help your organisation to achieve the cyber security monitoring capabilities required to support compliance with the GDPR, NIS Directive and PCI DSS, as well as other data regulations and standards.
To facilitate event correlation and alerting, SIEM tools collect logs from a wide range of data sources from across your company. Sources typically include network devices, infrastructure, systems, applications and security technologies such as firewalls, endpoint protection platforms and intrusion detection and prevention systems.
SIEM itself is a product rather than a service, providing visibility of environments to support detection of and response to threats. However, managed SIEM often forms a crucial element of MSSP services, and telemetry from SIEM can also play an important role in delivering MDR.
A common problem with SIEM is that organisations find that they are unable to manage it effectively without a large team of security experts to deploy, manage and monitor their chosen solution and analyse and respond to the high volume of alerts it is likely to generate. Alert fatigue is a frequent problem for security teams tasked with dealing with a large volume of false positives – often leading to important alerts being missed or overlooked. Even when genuine threats are identified, knowing how to quickly and effectively respond to them is a separate challenge in itself. The wide range of SIEM tools on the market means that specialist platform training and certification may also be required.
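To make the aggregation, correlation and alerting described above concrete, here is an added example (not Kroll's code, and not any particular SIEM product's rule language): a miniature correlation pass in Python. It normalises constructed syslog-style lines from two sources, a firewall and a Linux sshd log, into one event schema, then compares a naive per-event rule with a correlation rule. The hostnames, IP addresses, usernames and log lines are all made up for the example, and the five-failures-in-sixty-seconds threshold is an illustrative assumption.

```python
# Added example: a toy SIEM correlation pass over constructed log lines.
# Not the code of any vendor; hosts, IPs, users and thresholds are made up.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample telemetry from two sources (a firewall and an sshd host).
SAMPLE_LOGS = """\
Mar 10 09:00:01 fw01 kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=10.0.0.20 PROTO=TCP DPT=22
Mar 10 09:00:02 bastion sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 10 09:00:05 bastion sshd[2311]: Failed password for root from 203.0.113.5 port 40123 ssh2
Mar 10 09:00:09 bastion sshd[2311]: Failed password for root from 203.0.113.5 port 40124 ssh2
Mar 10 09:00:13 bastion sshd[2311]: Failed password for deploy from 203.0.113.5 port 40125 ssh2
Mar 10 09:00:17 bastion sshd[2311]: Failed password for deploy from 203.0.113.5 port 40126 ssh2
Mar 10 09:00:20 bastion sshd[2311]: Accepted password for deploy from 203.0.113.5 port 40127 ssh2
Mar 10 09:15:44 bastion sshd[2390]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Mar 10 09:15:50 bastion sshd[2390]: Accepted password for alice from 198.51.100.7 port 51003 ssh2
Mar 10 09:30:00 fw01 kernel: DROP IN=eth0 SRC=192.0.2.9 DST=10.0.0.20 PROTO=TCP DPT=3389
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)")
FW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<action>ACCEPT|DROP) "
    r".*?SRC=(?P<ip>\d+\.\d+\.\d+\.\d+) .*?DPT=(?P<port>\d+)")


@dataclass
class Event:
    """Common schema every source is normalised into before correlation."""
    ts: datetime
    source: str      # "sshd" or "firewall"
    host: str
    src_ip: str
    outcome: str     # "success" / "failure" for sshd, "allow" / "deny" for firewall
    user: str = ""
    port: str = ""


def _ts(raw: str, year: int) -> datetime:
    # syslog timestamps carry no year; the example assumes one.
    return datetime.strptime(f"{year} {' '.join(raw.split())}", "%Y %b %d %H:%M:%S")


def parse_line(line: str, year: int = 2024) -> Optional[Event]:
    """Normalise one raw line into an Event, or None if no parser matches."""
    m = SSHD_RE.match(line)
    if m:
        outcome = "success" if m["result"] == "Accepted" else "failure"
        return Event(_ts(m["ts"], year), "sshd", m["host"], m["ip"], outcome, user=m["user"])
    m = FW_RE.match(line)
    if m:
        outcome = "allow" if m["action"] == "ACCEPT" else "deny"
        return Event(_ts(m["ts"], year), "firewall", m["host"], m["ip"], outcome, port=m["port"])
    return None


def parse_logs(text: str) -> List[Event]:
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e.ts)
    return events


def rule_every_failed_login(events: List[Event]) -> List[str]:
    """Naive per-event rule: one alert for every failed login. Accurate but noisy."""
    return [f"LOW failed login for {e.user} from {e.src_ip} at {e.ts:%H:%M:%S}"
            for e in events if e.source == "sshd" and e.outcome == "failure"]


def rule_bruteforce_then_success(events: List[Event], threshold: int = 5,
                                 window: timedelta = timedelta(seconds=60)) -> List[str]:
    """Correlation rule: >= threshold failures from one IP followed by a success
    from that IP inside `window`. Fires once per IP and enriches the alert with
    what the firewall saw from the same address."""
    failures = defaultdict(list)   # src_ip -> timestamps of recent failures
    alerts, fired = [], set()
    for e in events:
        if e.source != "sshd":
            continue
        recent = [t for t in failures[e.src_ip] if e.ts - t <= window]
        failures[e.src_ip] = recent
        if e.outcome == "failure":
            failures[e.src_ip].append(e.ts)
        elif e.outcome == "success" and len(recent) >= threshold and e.src_ip not in fired:
            fired.add(e.src_ip)
            fw_hits = sum(1 for f in events if f.source == "firewall" and f.src_ip == e.src_ip)
            alerts.append(f"HIGH possible brute-force success: {len(recent)} failures from "
                          f"{e.src_ip} then login as {e.user} on {e.host} at "
                          f"{e.ts:%H:%M:%S}; firewall logged {fw_hits} connection(s) from that IP")
    return alerts


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print(f"{len(evs)} events normalised; naive rule: {len(rule_every_failed_login(evs))} alerts")
    for alert in rule_bruteforce_then_success(evs):
        print(alert)
```

On this input the naive rule raises six low-value alerts, five of them for the same attacker, while the correlation rule raises one high-severity alert that already names the compromised account and host and carries firewall context. That difference is the alert-fatigue problem described below in miniature: the analyst work a SIEM saves or creates depends far more on the correlation and enrichment logic than on raw collection.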
When looking at the cyber security market, you’ll probably notice that SIEM is often incorporated within broader SOAR and threat management platforms. Rather than letting price define your choice, look at how effectively your potential SIEM solution can integrate with data sources and deliver the quality of threat coverage and visibility to fully address your threat detection use cases. Ensure that you also look at deployment options, support for threat intelligence sources and incident response capabilities. Or, instead of managing a SIEM solution in-house, you may wish to consider a managed SIEM service. This enables your business to benefit from both the latest SIEM technology as well as the resources needed to manage and monitor it, 24/7.
What is an MSSP?
“MSSPs use high-availability security operation centers (either from their own facilities or from other data center providers) to provide 24/7 services designed to reduce the number of operational security personnel an enterprise needs to hire, train and retain to maintain an acceptable security posture.”
As well as SIEM, an MSSP might manage other tools such as managed firewalls, intrusion detection, virtual private networks and vulnerability management tools. MSSPs offer a range of cyber security services, including management and monitoring of security technologies, continuous threat detection, vulnerability management and incident alerting. While some businesses fully outsource their entire cyber security function to an MSSP, others only outsource specific aspects. Working with an MSSP can help businesses to gain additional expertise to enable them to address gaps in knowledge and meet compliance requirements.
While companies can make cost savings compared with investing in cyber security in-house, many find that MSSPs don’t adapt quickly enough to the evolving threat landscape and are too slow to deliver value. Another common challenge associated with MSSPs is that they tend to focus on alert triage and management rather than on incident investigation, response and remediation. MSSP detection coverage is focused mainly at the network level, and buyers may find that they have limited capabilities in cloud security monitoring.
What is MDR?
MDR is an advanced security offering that combines dedicated security expertise, a range of network and host-based detection technologies, plus advanced intelligence, analytics and forensics to help organisations proactively hunt for, investigate, respond to and remediate threats, 24/7. But MDR is about much more than managing a collection of tools. Beyond simply addressing the resource challenge, MDR is a turnkey solution designed to provide clear and actionable security outcomes.
An MDR service enables companies to detect and respond to threats, and reduce risk exposure. MDR enables organisations to achieve an enterprise-standard cyber security capability at a significantly lower cost than establishing the same capabilities in-house. Using MDR allows your organisation to benefit from improvements to both Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), helping to contain breaches before they cause damage and disruption.
In recent years, MDR has emerged as one of the fastest growing security solutions in the industry, growing 48.9% between 2020 and 2021. Recent research suggests that the MDR market will increase to $5.6 bn by 2027. The 2023 Gartner Market Guide for Managed Detection and Response Services states:
“By 2025, 60% of organizations will be actively using remote threat disruption and containment capabilities delivered directly by MDR providers, up from 30% today.”
With so many options on the market, a key challenge is ensuring that the MDR solution you choose will provide complete detection and response. A true MDR service should offer a broad scope of telemetry collection, remote containment and disruption, forensics and response capabilities. This will ensure that you are able to quickly understand root cause, eliminate threats across all affected systems and ensure they don’t happen again.
Keep in mind that MDR requires long-term commitment to be effective. All of this means that selecting the right MDR solution is vital in ensuring that your business can achieve the ideal balance between effective security and return on investment.
MDR vs. MSSP
The history and impact of MSSPs and MDR are closely connected. Growing concerns about traditional MSSPs were a key driver behind the rise of MDR. Many MSSPs only offer basic monitoring and alerting, while also failing to provide the level of context and guidance that companies need to identify genuine security incidents and effectively respond to and remediate them. With in-house resources under pressure, organisations relying on MSSPs may find that they don’t receive the support they require when they need it most.
Traditional MSSPs are reactive rather than proactive, relying on signature- and rule-based detection techniques that can overlook more advanced threats, such as memory-resident and polymorphic malware. They often simply pass security alerts generated by managed security technologies ‘over the wall’, providing little contextual information or guidance on how to respond. As Gartner suggests, with more and more MSSPs moving into the MDR market, it is important to review the capabilities of your potential providers to ensure that they meet expectations:
“Adoption of the term MDR by MSSPs should be met with healthy scepticism by buyers… Those exploring MSSPs for MDR services should assess the MSSP’s supported technologies and the availability of threat hunting skillsets”
How Kroll can help
Kroll Responder, our award-winning managed detection and response service, provides the extensive capabilities your organisation needs to hunt for and eradicate threat actors across your on-premises, cloud and hybrid environments.
Functioning as an extension of your IT or security team, Kroll Responder combines world-class security expertise, leading network and endpoint detection technologies, and aggregated security intelligence to help hunt for threats and shut down breaches before they can damage and disrupt your business. Being vendor-agnostic, we can manage multiple SIEMs, both on-premises and in the cloud. We can also enrich alerts and contextualise them with telemetry from other cloud and endpoint sources.