Threat detection and response are top of mind for organizations facing increasingly aggressive ransomware attacks.
What is Managed Detection and Response (MDR)?
So, what is MDR, and how does proper integration improve its efficacy? MDR, or Managed Detection and Response, is a managed cybersecurity service that combines intrusion prevention and detection, event log monitoring, and endpoint monitoring, all of which enable efficient and effective response and remediation. Gartner Research summarized the highlights of MDR in its Market Guide for Managed Detection and Response Services: “The goal of MDR services is to rapidly identify and limit the impact of security incidents to customers. These services focus on remote 24/7 threat monitoring, detection, and targeted response activities. MDR providers may use a combination of host and network-layer technologies, as well as advanced analytics, threat intelligence, forensic data, and human expertise for investigation, threat hunting, and response to detected advanced threats.”
There is never a shortage of security vendor promises in today’s crowded market, and it is often difficult to sift through the noise. Even without RSA and Black Hat this past year, vendor marketing engines haven’t skipped a beat; in fact, the hyperbole has grown, and vendor claims have escalated even without the large events in which to spend marketing dollars. This is especially visible in the detection and response space. With so much on the line, particularly for healthcare organizations, it is essential to separate truth from fiction. In recent months, increasingly aggressive ransomware attacks have thrust cyber threat detection and response to the top of the priority list. Gartner predicts that 50% of organizations will be using MDR services by 2025. To better understand what MDR is and how it works, we first walk through the evolution of the detection and response space and the challenges and differentiators facing MDR service providers.
The Evolution of Detection and Response
It all started at the endpoint. As encryption of network traffic became pervasive, network-based inspection lost visibility, and legacy endpoint protection suites (AV/HIPS/DLP) were failing as a strategy. The obvious leverage point was to acknowledge that the attack sequence starts on the endpoint and to evolve from signature-driven prevention to an analytics-driven endpoint detection and response capability. EDR, or Endpoint Detection and Response, can identify a threat at its landing spot before the attacker completes the attack sequence, providing an early response opportunity.
EDR is an endpoint technology and, as such, has its limitations. Attackers have adjusted by automating tactics that avoid endpoint detection, and as workloads move to the cloud, threat actors have begun exploiting that new attack surface. It has become apparent that telemetry from network traffic, SaaS applications, network services, and cloud platforms is necessary to have any chance of thwarting an attack. Effectively, detection and response require context beyond the endpoint.
Vendors adjusted and started the xDR movement (little x, as there were many first initials and acronyms early on) as a broad description of the need for wider telemetry and richer context. Extended Detection and Response (‘big X’ XDR), pushed by the end-user product vendors, has more recently been promoted as a way to widen product coverage: network vendors extending into the endpoint and endpoint vendors extending into the network. This push resulted in multiple acquisitions of startup companies and new, broad XDR vendor messaging. Some of these companies even co-opted the MDR moniker and began representing themselves as Monitor, Detect and Respond vendors.
The jury is still out, but over the years it has become apparent that integrating disparate companies, products, and workflows is incredibly difficult and rarely results in a viable solution for end users. Primarily, it results in a new vendor “markitecture” and something new for their salesforce to sell. As the former Chief Strategy Officer of an endpoint DLP company, I experienced this very phenomenon when we followed the analysts’ suggestions and acquired a network DLP company. Five years later, with a lot of money, time, and engineering gone by the wayside, there was very little customer value and little effective integration of products or workflow.
What are The Benefits of MDR?
- 24x7x365 management by the CyberMaxx Security Operations Center, staffed by experts
- Full-stack visibility of your assets, both on-premises and in the cloud
- Improved mean time to respond (MTTR) and fewer false positives through automation and orchestration
- A proactive approach to identifying threats and protecting vital assets, to meet compliance regulations and gain insights
- Fully managed endpoint security and network security
- More effective incident response through visibility and orchestration across all assets
- An analytics platform for better integration with SaaS and IaaS
How Does MDR Work?
Today, most MDR service providers have either evolved from their roots as MSSPs or are newly minted MDR providers. The legacy MSPs/MSSPs grew out of operationally managing and monitoring third-party products. That kind of service differs significantly from providing integrated detection and response. Effective threat detection and response requires very different operational systems, personnel, and skill sets than a third-party monitoring and configuration operation.
MDR vs EDR
EDR, or Endpoint Detection and Response, is software focused on detecting and investigating suspicious activity on endpoints (workstations, laptops, servers, IoT devices, etc.). MDR, or Managed Detection and Response, is a service that manages the tools that monitor, identify, and respond to threats. MDR is built from multiple technologies and often includes EDR.
The Problem with Most MDR Providers: Lack of Integration Expertise
The newly minted MDR providers license multiple third-party products and profess to absorb the brunt of the product integration and orchestration challenges. They predominantly suffer from the same problems as end users: integrating disparate products and orchestrating workflows across different vendors’ tools. This lack of integration and workflow orchestration often leads to ineffective detection and response. For the most part, these new MDR providers lack the expertise or knowledge to remediate threat situations effectively, which can cause lasting harm to the customer organization.
Today, proper detection and response services are essential. We cannot stop every attack, given attackers’ funding, sophistication, and automation. Still, we can prevent the majority of damage and cost if we detect attacks early and respond in a timely fashion. Organizations constantly face a blizzard of alert white noise, creating the ‘needle in the haystack’ detection challenge. The context data required to respond appropriately is spread across multiple systems (the ‘needle in a needle stack’ challenge), which exacerbates the problem. Few organizations have sufficient time, budget, or resources to address these issues.
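The two points made above (that detection needs telemetry beyond the endpoint, and that the context required to triage an alert is scattered across several systems) can be shown concretely with a small correlation routine. This is an added example, not code from CyberMaxx or from any MDR or EDR product; the event formats, rule names, scoring weights and the sample telemetry are all constructed for illustration. It takes an EDR alert and joins it with proxy/flow events for the same host and identity events for the same user inside a short time window, then scores the alert so that two alerts from the same EDR rule can land in different triage tiers depending on the surrounding context.

```python
"""Cross-source alert enrichment: join an EDR alert with network and identity
telemetry for the same host/user in a time window, then score and tier it.
All sample events below are constructed for this example (not real logs)."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed EDR alerts. Alerts 0 and 2 fire on the same rule.
EDR_ALERTS = [
    {"ts": "2023-03-01T10:00:05", "host": "ws-042", "user": "jdoe",
     "rule": "suspicious_powershell_encoded_command", "severity": 3},
    {"ts": "2023-03-01T10:02:10", "host": "ws-017", "user": "asmith",
     "rule": "macro_launched_office_child_process", "severity": 2},
    {"ts": "2023-03-01T14:30:00", "host": "ws-099", "user": "svc-backup",
     "rule": "suspicious_powershell_encoded_command", "severity": 3},
]
# Constructed proxy/flow events (203.0.113.0/24 is documentation space).
NET_EVENTS = [
    {"ts": "2023-03-01T10:00:20", "host": "ws-042", "dst": "203.0.113.10", "dst_port": 443, "threat_intel": True},
    {"ts": "2023-03-01T10:00:45", "host": "ws-042", "dst": "10.0.0.5", "dst_port": 445, "threat_intel": False},
    {"ts": "2023-03-01T14:31:00", "host": "ws-099", "dst": "10.0.0.50", "dst_port": 443, "threat_intel": False},
]
# Constructed identity-provider / directory events.
IDENTITY_EVENTS = [
    {"ts": "2023-03-01T09:58:00", "user": "jdoe", "event": "login_failed"},
    {"ts": "2023-03-01T09:58:30", "user": "jdoe", "event": "login_failed"},
    {"ts": "2023-03-01T09:59:10", "user": "jdoe", "event": "login_success", "mfa": False},
    {"ts": "2023-03-01T14:29:00", "user": "svc-backup", "event": "login_success", "mfa": True},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def events_in(events, start, end, **match):
    """Events with a timestamp in [start, end] whose fields equal the given values."""
    return [e for e in events
            if start <= parse_ts(e["ts"]) <= end
            and all(e.get(k) == v for k, v in match.items())]


def tier(score):
    """Assumed triage thresholds: analysts see 'escalate' first, 'log_only' never pages."""
    if score >= 6:
        return "escalate"
    if score >= 4:
        return "investigate"
    return "log_only"


def score_alert(alert, net_events=NET_EVENTS, identity_events=IDENTITY_EVENTS, window=WINDOW):
    """Enrich one EDR alert with network context after it and identity context before it."""
    ts = parse_ts(alert["ts"])
    score = alert["severity"]
    reasons = []

    # Network context: what did the host talk to right after the endpoint alert?
    net = events_in(net_events, ts, ts + window, host=alert["host"])
    if any(e["threat_intel"] for e in net):
        score += 3
        reasons.append("egress to threat-intel-listed destination")
    if any(e["dst_port"] == 445 and e["dst"].startswith("10.") for e in net):
        score += 2
        reasons.append("SMB to internal host (possible lateral movement)")

    # Identity context: was the user's session itself suspicious just before?
    ident = events_in(identity_events, ts - window, ts, user=alert["user"])
    failures = sum(1 for e in ident if e["event"] == "login_failed")
    no_mfa_success = any(e["event"] == "login_success" and not e.get("mfa", True) for e in ident)
    if failures >= 2 and no_mfa_success:
        score += 2
        reasons.append("repeated login failures then non-MFA success")

    return {"host": alert["host"], "rule": alert["rule"], "score": score,
            "tier": tier(score), "reasons": reasons}


def triage(alerts):
    """Score every alert and return them highest-priority first."""
    return sorted((score_alert(a) for a in alerts), key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in triage(EDR_ALERTS):
        print(f"{r['tier']:12} {r['score']:2}  {r['host']}  {r['rule']}  {r['reasons']}")
```

Run stand-alone, the ws-042 alert escalates because the network and identity sources each add context the EDR alert alone did not carry, while the ws-099 alert on the very same rule stays in the lowest tier. The design point is that the joins (host and user within a time window) are what cut the noise; the specific weights and thresholds are assumptions a real service would tune against its own telemetry.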