What is Managed Detection and Response? Definition, Benefits, How to Choose a Vendor, and More
Learn about Managed Detection and Response (MDR) in Data Protection 101, our series on the fundamentals of information security.
According to Gartner, managed detection and response (MDR) vendors provide services to companies and organizations that aim to improve the way they detect threats, respond to incidents, and monitor their IT assets continuously.
What is Managed Detection and Response?
Managed detection and response is a service that arose from the need for organizations, who lack the resources, to be more cognizant of risks and improve their ability to detect and respond to threats.
Different companies offer their own set of tools and procedures in detecting and responding to threats. However, all managed detection and response offerings share the following characteristics:
- MDR is more focused on threat detection, rather than compliance.
- The services are delivered using the provider's own set of tools and technologies, but are deployed on the users’ premises. The technology stack often deals with host- and network-based solutions. The provider will be responsible for managing and monitoring these tools. The tools are placed to guard Internet gateways and can also detect threats that have passed traditional perimeter security tools. The techniques providers use may vary: some rely solely on security logs and others use network security monitoring or endpoint activity to secure your network.
- Managed detection and response relies heavily on security event management and advanced analytics.
- While some automation is used, managed detection and response usually involves humans to monitor your network round the clock. Humans also do analysis of security events and alerting the customer. Customers can expect to have direct interactions with the analysts rather than relying on a portal or a dashboard when it comes to alerting, investigating security events, case management, and other activities.
- Managed detection and response service providers also perform incident validation and remote response. This means if you need to identify indicators of compromise, reverse engineer a piece of malware, or do some sandboxing, you can rely on your service provider for all these things. You can even consult with them on how to remedy or contain security vulnerabilities.
Managed Detection and Response vs. Managed Security Services
Managed detection and response may sound similar to managed security services but there are some distinct differences between the two, including:
- Coverage. Managed security services can work with different types of event logs and contexts. The customer decides which of their security data is sent to the MSSP. With managed detection and response services, they only work with event logs that their own tools provide.
- Compliance reporting. If you need compliance reporting, go for a managed security service, as managed detection and response services rarely do compliance reports.
- The human touch. One of the upsides of managed detection and response offerings is that you get more human interaction with analysts. Managed security services rely on portals and e-mail rather than direct communication.
- Incident response. With managed detection and response, you only need a separate retainer if you want on-site incident response. Remote incident response is usually included in what you pay for the basic service. This is not true for many managed security services, where you need separate retainers for both onsite and remote incident response.
Benefits of Managed Detection and Response
Like any outsourced service, managed detection and response service providers allow you to gain a team of experts at a price you can afford. For companies who don’t have the time or resources, this is especially useful. In addition, some of the tools used by these providers are too expensive to buy on your own and may not be easily found or readily available. Depending on your provider, you could even get customized implementations to cater to your specific cybersecurity needs.
MDR vendors not only detect and analyze threats, but also stop them. When a threat is detected, they will first verify if it is a real threat before informing you to take action to avoid the scare of false alarms. MDR providers can help your organization deal with advanced attacks that even traditional managed security service providers might not be prepared for. Gartner predicts that 15% of midsized businesses and bigger corporations will be using MDR services by 2020, a big leap from the less than 1% of companies that are currently using them.
What Should You Consider When Selecting a Managed Detection and Response Vendor?
If you’re considering managed detection and response services to enhance your organization’s security posture, here are a few important factors to consider:
- Not all managed detection and response service providers offer the same services or technology. Be sure to choose wisely and select the one that is a perfect fit to your organization's size, security controls in place, and needs. You can also ask for proofs of concept to validate a provider's claims.
- MDR vendors augment your current tools and expertise. If you haven’t had the opportunity or resources to dive deeply into your organization's security, consider only those providers with a more comprehensive technology stack. If you already have tools at your disposal, choose a provider that can offer you a different set of tools than what you have.
- Data and privacy regulations should be respected. Be sure that you choose a provider that is able to meet the compliance requirements you need to observe.
While a relatively new facet of information security services, managed detection and response is proving to be valuable for companies aiming to create a more robust, comprehensive security posture. If your organization is looking to improve its incident response and threat detection programs, an MDR vendor could be a cost-efficient way to achieve these goals.