In recent years, managed detection and response (MDR) has emerged as a vital security solution that addresses the shortcomings of legacy managed security services.
In this blog post, we discuss the reasons behind the growth of MDR and outline how it enables organisations to address cyber threats more quickly and effectively.
The rise of MDR
MDR brings together human expertise, threat intelligence and a range of network, endpoint and cloud detection technologies to help organisations detect and respond to threats. Delivered by specialist providers, MDR services enable businesses that lack extensive internal expertise and resources to achieve an enterprise-standard cyber security capability at a fraction of the cost of establishing the same capabilities in-house.
The use of MDR has grown in response to increasing concerns about traditional managed security service providers (MSSPs). While MSSPs were previously popular with organisations seeking to strengthen their threat monitoring and alerting capabilities, many have proved unable to meet the challenge of defending businesses against current and emerging cyber threats.
Many MSSPs only offer basic monitoring and alerting, while also failing to provide the level of context and guidance companies need to identify genuine security incidents and effectively respond to and remediate them. With in-house resources under pressure, organisations relying on MSSPs may find that they don’t receive the support they require when they need it most.
MDR: Going beyond MSSPs
MDR services go far beyond the scope of MSSPs by providing organisations with the specialist expertise, technology and intelligence required to identify, contain and eliminate the most complex and persistent of threat actors 24/7, before they cause damage and disruption.
The security benefits of MDR have made it one of the fastest-growing solutions in the industry. The 2021 Gartner Market Guide for Managed Detection and Response Services predicted that, by 2024, a quarter of organisations would be using MDR services, while 40% of midsized enterprises would be using MDR as their only managed security service. Market trends suggest this shift is well underway, with more recent research suggesting that the MDR market will reach $2.2 bn by 2025, then increase to $5.6 bn by 2027.
What is included in MDR?
Typical elements of MDR include security orchestration, continuous network and endpoint monitoring, threat hunting and integrated response measures, such as remote threat containment and disruption. Some advanced MDR services may also offer extended cloud service coverage which can include detection and response in AWS, Azure and Google Cloud Platform, or common SaaS application suites like Office 365 and G Suite. A number of providers are also expanding capabilities across industrial control systems and supervisory control and data acquisition systems in operational technology (OT) environments.
Endpoint detection and response (EDR) technologies form a crucial part of the MDR technology stack, allowing MDR security teams to use endpoint telemetry to achieve deeper threat visibility and coverage. Some providers even offer MDR services dedicated specifically to endpoint detection, often marketed as Managed EDR.
In most cases, EDR is just one of several tools included as part of an MDR service. To achieve comprehensive visibility, MDR providers also typically include logging and network monitoring solutions such as Security Information and Event Management (SIEM), intrusion detection, network traffic analysis and vulnerability management tools. In delivering an MDR service, an MDR provider will deploy, configure and monitor all technologies included with the solution.
What are the benefits of MDR?
MDR offers a number of important advantages, including:
A fully turnkey approach
An effective MDR service supplies the tools required to detect and respond to threats, as well as the people needed to deploy, configure and monitor them. Unlike legacy managed security services, MDR services are not defined by their underlying technologies; instead they offer a turnkey approach built around defined outcomes and goals that address specific security use cases. As part of this, they supply human expertise, threat intelligence and a range of detection technologies as one comprehensive service offering. Being turnkey means that MDR services can be deployed in weeks rather than months, significantly reducing time to value and giving organisations a faster, higher-quality and more comprehensive response to threats.
Actionable security outputs and insights
One of the most common concerns about traditional MSSPs is that they fail to deliver tangible insight and guidance, with many seen as just “passing alerts over the wall.” MDR offers a more proactive and outcome-focused approach to threat discovery and remediation, including automated response actions to contain and disrupt threats before they can cause damage.
MDR uses the latest tools and intelligence to provide actionable insights and analytics for greater incident awareness and faster, more reliable decision-making. By providing regular reports, MDR not only helps companies to better understand the risks they face but also supports compliance with the monitoring and incident reporting requirements of the GDPR, the Data Protection Act 2018, the Directive on Security of Network and Information Systems (NIS Directive), the Payment Card Industry Data Security Standard (PCI DSS) and more. Reporting alone does not satisfy these regimes; it provides the evidence of monitoring and the incident detail they require.
MDR provides genuine response, forensics and remediation activities, unlike traditional MSSPs, which tend to be focused on monitoring particular technologies (often customer-owned) and may not provide enough detection coverage to identify and defend against more advanced attacks.
By expanding threat coverage and visibility across environments, detecting malicious activity at an early stage and shortening the time it takes to respond effectively, an effective MDR solution performs well across a wide range of threat scenarios.
Enhanced threat hunting
MDR places a strong emphasis on threat hunting and the detection of previously unknown threats. This proactive approach is achieved through the aggregation and analysis of a wider range of security telemetry, the use of behaviour-based detection tools, and the latest EDR platforms to hunt for, contain and isolate threats. As a result, MDR providers don't have to wait for alerts to be generated before investigating, and can provide actionable remediation guidance and automated playbooks.
MDR providers also employ threat hunters who use behavioural analytics and up-to-the-minute security intelligence to proactively hunt for new types of threats that evade existing defences. By baselining and tuning a range of technologies, including AI and machine learning tools and user and entity behaviour analytics (UEBA), configuring custom rulesets and watchlists to flag specific behaviours, and performing deep forensic analysis, threat hunters are able to rapidly identify indicators of compromise (IOCs) and break the attack kill chain.
Integrated incident response
Effective MDR solutions have a heavy focus on incident response, with a mix of deep forensics, analysis and remediation capabilities to ensure threats are shut down rapidly before they have a chance to spread. Many MSSPs lack the capacity to provide the high level of practical support and advice required to effectively respond to and remediate incidents. Organisations should look for an MDR provider that includes EDR capabilities to isolate and contain threats, and incident playbooks to support swift responses to a wide range of threat scenarios. Their chosen provider should also have the ability to provide additional virtual or onsite support to assist with high-priority incidents.
Advanced security intelligence
Another crucial component of an effective managed security service is high quality security intelligence. MDR typically uses a broad range of intelligence, combining external threat information with in-house research and first-hand insights from clients across a range of industries. By utilising a diverse range of intelligence sources, MDR helps organisations to identify adversarial tactics, techniques and procedures (TTPs) and IOCs and provides deep and well contextualised security analytics. High quality intelligence is used to help improve detection processes, including the development of correlation rulesets and incident response playbooks.
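The watchlists and behavioural rules described in the threat hunting section above, and the correlation rulesets built from intelligence described here, can be shown in their simplest form as a few detection functions run over a handful of log events. The block below is an added illustration written for this page, not Kroll Responder's code or any provider's rules. Everything in it is a constructed assumption: the event records and their field names, the IOC values (a TEST-NET-3 address and a well-known tool name standing in for real feed entries), the 07:00-19:00 working-day window and the 15-minute correlation window.

```python
"""Toy detection pipeline: IOC watchlist matching, a behavioural baseline rule
and a correlation rule, run over constructed sample telemetry.

Added illustration, not Kroll Responder's or any provider's code. Every log
line, IOC value, field name and threshold below is a constructed assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

# Threat-intelligence watchlist (constructed: a TEST-NET-3 address and a
# credential-dumping tool name stand in for real feed entries).
IOC_IPS = {"203.0.113.42"}
IOC_PROCESS_NAMES = {"mimikatz.exe"}

# Training window: normal activity used to baseline which hosts each user uses.
BASELINE_EVENTS = [
    {"ts": "2024-03-01T09:02:00", "type": "logon", "user": "alice", "host": "ws-01", "src_ip": "10.0.0.5"},
    {"ts": "2024-03-01T09:10:00", "type": "logon", "user": "bob", "host": "ws-02", "src_ip": "10.0.0.6"},
    {"ts": "2024-03-02T08:58:00", "type": "logon", "user": "alice", "host": "ws-01", "src_ip": "10.0.0.5"},
]

# Detection window: one normal logon, then a constructed intrusion sequence.
LIVE_EVENTS = [
    {"ts": "2024-03-03T09:05:00", "type": "logon", "user": "bob", "host": "ws-02", "src_ip": "10.0.0.6"},
    {"ts": "2024-03-03T02:14:00", "type": "logon", "user": "alice", "host": "srv-dc1", "src_ip": "10.0.0.9"},
    {"ts": "2024-03-03T02:16:30", "type": "process", "user": "alice", "host": "srv-dc1", "process": "Mimikatz.exe"},
    {"ts": "2024-03-03T02:18:00", "type": "netconn", "user": "alice", "host": "srv-dc1", "dst_ip": "203.0.113.42"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def build_baseline(events):
    """Per-user set of hosts seen during the training window."""
    hosts = defaultdict(set)
    for event in events:
        if event["type"] == "logon":
            hosts[event["user"]].add(event["host"])
    return hosts


def watchlist_matches(events):
    """IOC rule: flag any event that touches a watchlisted IP or process name."""
    hits = []
    for event in events:
        if event.get("src_ip") in IOC_IPS or event.get("dst_ip") in IOC_IPS:
            hits.append(("ioc_ip", event))
        if event.get("process", "").lower() in IOC_PROCESS_NAMES:
            hits.append(("ioc_process", event))
    return hits


def anomalous_logons(events, baseline, work_start=7, work_end=19):
    """Behavioural rule: a logon to a host the user has never used before,
    outside the (assumed) 07:00-19:00 working day."""
    hits = []
    for event in events:
        if event["type"] != "logon":
            continue
        new_host = event["host"] not in baseline.get(event["user"], set())
        off_hours = not (work_start <= parse_ts(event["ts"]).hour < work_end)
        if new_host and off_hours:
            hits.append(event)
    return hits


def correlate(anomalies, ioc_hits, window=timedelta(minutes=15)):
    """Correlation rule: an anomalous logon followed on the same host by one or
    more IOC hits within the window is escalated to a single incident."""
    incidents = []
    for logon in anomalies:
        start = parse_ts(logon["ts"])
        followups = [
            hit for _, hit in ioc_hits
            if hit["host"] == logon["host"]
            and timedelta(0) <= parse_ts(hit["ts"]) - start <= window
        ]
        if followups:
            incidents.append({
                "user": logon["user"],
                "host": logon["host"],
                "first_seen": logon["ts"],
                "evidence": [logon] + followups,
            })
    return incidents


def run_detections(baseline_events=BASELINE_EVENTS, live_events=LIVE_EVENTS):
    """Run all three rules and return their results for triage."""
    baseline = build_baseline(baseline_events)
    ioc_hits = watchlist_matches(live_events)
    anomalies = anomalous_logons(live_events, baseline)
    return {
        "ioc_hits": ioc_hits,
        "anomalies": anomalies,
        "incidents": correlate(anomalies, ioc_hits),
    }


if __name__ == "__main__":
    for incident in run_detections()["incidents"]:
        print(f"INCIDENT {incident['user']}@{incident['host']} from {incident['first_seen']}: "
              f"{len(incident['evidence'])} linked events")
```

On the constructed input, the watchlist rule fires twice (the tool name and the outbound connection), the behavioural rule fires once (alice's 02:14 logon to a domain controller she has never used), and the correlation rule ties the three together into one incident. The point of the correlation step is the one the text makes about MSSPs "passing alerts over the wall": three separate alerts are noise to a stretched in-house team, while one incident with its evidence attached is something an analyst can act on.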
Evaluating MDR providers
With more and more MSSPs moving into the MDR market, organisations should review the capabilities of potential providers to ensure that they meet their expectations.
A report by Gartner from 2018 sounded a note of warning about this:
“Adoption of the term MDR by MSSPs should be met with healthy scepticism by buyers … Those exploring MSSPs for MDR services should assess the MSSP’s supported technologies and the availability of threat hunting skillsets.”
Source: Gartner Market Guide for Managed Detection and Response Services
It can be beneficial to understand the different types of providers in the marketplace. These include:
MSSPs
MSSPs have traditionally focused on monitoring and managing firewalls, virtual private networks (VPNs), endpoints and other devices. However, they usually work on a shared security model that requires clients to manage and investigate the resulting alerts. While some mature MSSPs have accepted responsibility for alert management and orchestration in recent years and a few provide a comprehensive MDR solution, most MSSPs remain poorly positioned to deploy and manage a complex, multi-layered security stack.
Vendor-managed security products
In this model, organisations outsource the management and maintenance of a vendor's security products to that vendor's implementation and support teams, with the products often supplied on a subscription basis. The risk of this product-centric approach is that it undermines the organisation's ability to detect and trace a kill chain across its whole attack surface, since visibility stops at the vendor's own products, and such services rarely provide the proactive threat hunting, incident response and remediation required to meaningfully reduce a client's risk exposure.
MDR providers
MDR service providers should act as a partner, working as an extension of your in-house security team, reducing or eliminating the operational workload of monitoring alerts around the clock and adding threat detection, investigation, hunting and response expertise so you can focus on other strategic aspects of your security programme or business. Organisations benefit from a multi-disciplinary approach to MDR that is inherently flexible, scalable, efficient and effective for the long run. It's important to distinguish early between providers with an MSSP history and those with a genuine MDR history.
Effective MDR providers: key characteristics
Organisations can identify top-tier MDR providers by looking for the following characteristics:
- The ability to monitor telemetry and alerts across the whole digital estate from a single, unified platform
- Proactive, bespoke threat hunting tailored to your organisation
- Readiness to respond to incidents 24 hours a day, every day
- The capacity to go beyond containment to remove malware, understand the root cause and remediate the threat
- An adversary-driven mindset, with teams beyond the core SOC that engage with live attacker campaigns and use what they learn to update detections frequently
Learn more about how to evaluate MDR providers and select the best one for your organisation’s requirements with our MDR Buyer’s Guide.
How Kroll can help
Kroll Responder, our award-winning managed detection and response service, provides the extensive capabilities your organisation needs to hunt for and eradicate threat actors across your on-premises, cloud and hybrid environments.
Functioning as an extension of your IT team, Kroll Responder combines world-class security expertise, leading network and endpoint detection technologies, and aggregated security intelligence to help hunt for threats and shut down breaches before they can damage and disrupt your business.