Managed Detection and Response
Analyst Coverage: Fran Howarth
Managed detection and response (MDR) refers to threat monitoring, detection, incident analysis and response services. It acts as an extension of an organisation’s security operations team, whether as a virtual security operations centre (SOC) or as auxiliary expertise. MDR services can help an organisation to get the best out of existing technology investments, or help with the deployment and use of best-of-breed technologies.
MDR services not only relieve the burdens on organisations, but ensure that they are better able to deal with the threats they face in an efficient and effective manner. They help organisations to close security gaps and prevent them from becoming the next salacious headline.
What does it do?
MDR services collect telemetry from an organisation’s environment, including its network, endpoints, cloud services and user activity, and correlate and analyse it in conjunction with threat intelligence services. They do not work only in a reactive mode: threat hunting services can use offensive security techniques to proactively uncover hidden and unknown threats.
Experts from the service provider can then help the organisation to define and execute the best response to the threats, events and incidents uncovered. Automation and orchestration capabilities are required for the most efficient and effective response. Other aspects that are routinely part of MDR services include machine learning, user behaviour analytics and big data analytics.
The need for improved threat detection and response cuts across organisations of all sizes, from small organisations that have just a couple of staff tasked with security right up to the largest enterprises. Everyone needs help to stay ahead of the game. Two of the main reasons why MDR services are growing in popularity are the security skills shortage and the overwhelming complexity of the technology tools available for detection and response.
Most organisations are reporting that they are finding it difficult to recruit and retain skilled security professionals—and especially those with the skills required for manning a SOC. MDR service providers report that they are winning the battle here owing to the interesting and varied workload that they can offer. Many provide their security professionals with ample opportunity to perform advanced security research as part of their daily jobs, providing an attractive incentive for those who wish to further their careers.
Complexity is often seen as the enemy of security and many of the technology tools that are available for threat detection and response are extremely complex to manage and use effectively, leading to organisations getting less return on their investments than they had anticipated. MDR service providers can do much of the heavy lifting involved with such technologies, working alongside SOC teams or providing the services of a SOC to those who don’t have one.
The ability to detect threats hidden deep in networks depends on detailed analysis of log and event data from a wide variety of sources—endpoint, network, cloud and systems attached to the network.
Many organisations have become dependent on security information and event management (SIEM) systems, but found that these had many limitations in terms of the data they could ingest and therefore analyse, leaving gaps around insider threats and attacks that use remote endpoints as a vector.
Advanced analytics and machine learning techniques enable a deeper level of insight to be gained from event data, greatly enhancing the capabilities of such tools. This has led to the development of complementary technologies, including endpoint detection and response (EDR), security orchestration, automation and response (SOAR), user and entity behavioural analytics (UEBA) and network flow analysis.
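As an added illustration of the cross-source correlation described above (this is editorial example code, not from the Bloor report or any vendor’s platform), the snippet below enriches constructed endpoint, network and cloud telemetry with a constructed threat-intelligence feed and raises an alert only when a chain of events spanning all three sources occurs on one host within a short window. All hosts, users, IP addresses and indicators are made up for the example; the IPs are from documentation ranges.

```python
from datetime import datetime, timedelta

# Constructed threat-intelligence feed (documentation-range IPs, not real indicators).
THREAT_INTEL = {"203.0.113.77": "known-c2", "198.51.100.9": "phishing-host"}
# Office applications that should not normally spawn a shell (assumed list).
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
WINDOW = timedelta(minutes=5)

# Constructed telemetry from three sources, as an MDR platform would ingest it.
EVENTS = [
    {"src": "endpoint", "ts": "2024-03-01T10:00:05", "host": "ws-042", "user": "alice",
     "process": "powershell.exe", "parent": "winword.exe"},
    {"src": "network", "ts": "2024-03-01T10:00:40", "host": "ws-042",
     "dst_ip": "203.0.113.77", "dst_port": 443},
    {"src": "cloud", "ts": "2024-03-01T10:02:10", "host": "ws-042", "user": "alice",
     "action": "mass_download", "objects": 1200},
    {"src": "network", "ts": "2024-03-01T11:30:00", "host": "ws-017",
     "dst_ip": "192.0.2.10", "dst_port": 443},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def enrich(event):
    """Tag network events whose destination appears in the threat-intel feed."""
    tag = THREAT_INTEL.get(event.get("dst_ip"))
    return {**event, "ti_tag": tag} if tag else event

def correlate(events):
    """Group enriched events by host and look for a multi-source chain within WINDOW:
    an Office app spawning a shell, then a connection to a TI-listed IP, then bulk
    cloud activity. Any one source alone would not justify an alert."""
    by_host = {}
    for ev in map(enrich, events):
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: parse(e["ts"]))
        for i, anchor in enumerate(evs):
            if anchor["src"] != "endpoint" or anchor.get("parent") not in OFFICE_APPS:
                continue
            chain = [e for e in evs[i:] if parse(e["ts"]) - parse(anchor["ts"]) <= WINDOW]
            sources = {e["src"] for e in chain}
            ti_hits = [e["ti_tag"] for e in chain if e.get("ti_tag")]
            if ti_hits and {"endpoint", "network", "cloud"} <= sources:
                alerts.append({"host": host, "user": anchor["user"],
                               "ti": ti_hits, "sources": sorted(sources)})
    return alerts
```

Dropping any one source from the input (for example the cloud events) produces no alert, which is the point the text makes about single-source SIEM coverage.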
Many MDR services have EDR technologies at their core, either those that they have developed themselves or those that they license from other vendors. Some of these provide their technology and services to managed security service providers (MSSPs). Some MDR providers, known as MDR pure plays, have built telemetry platforms that ingest feeds not only from endpoint and network events, but a wide range of other sources, processing vast amounts of information. Almost all MDR providers, whatever their flavour, cover feeds from endpoints, the network, cloud services and increasingly devices from beyond the core network, including industrial controls and IoT devices.
An increasing focus is being seen in this market on offensive security, offering services such as threat hunting combined with threat intelligence to proactively search out threats that may bypass other controls. Pen testing and red teaming are being offered by many in order to test an organisation’s defences and to help it shore them up over time.
The vendor landscape is wide and varied, with many vendors touting that they are focusing to a greater extent on services provision. Gartner estimates that there are at least 100 vendors operating in this space and that number is likely to grow.
Bloor has asked a large number of vendors to participate in its research into the MDR market. It has produced an initial MDR market guide and an MDR market update that look at some of the leading vendors in the market and their capabilities. More vendors will be included in future updates.