Content

How managed detection and response became a game changer

Gartner recently released its 2020 Market Guide for Managed Detection and Response (MDR) Services. Reading the fifth edition of this report reminds me of how far the industry has come and just how far it needs to go.

I remember 2016 and working with Gartner analysts to champion a new category that better described what eSentire delivered. We managed threats, not devices like managed security service providers (MSSPs), but no category existed. In response, the first MDR market guide contained a baker’s generous dozen of vendors with varying services.

Five years on, Gartner predicts that the majority of firms will use MDR by 2025 and they have seen a 44 percent increase in user inquiries. MDR has mass, but a history of vendor accretion still leaves MDR without a cohesive identity. Plus, many MSSPs simply relabel their services to jump on the bandwagon.

Half a decade later, there is still an argument whether alerting equates to response (FYI, it doesn’t!). Your kid telling you water is flooding your basement is an alert and does nothing to stop the resulting damage. Alerts don’t equate response. If your security vendor can’t even triage the leak and turn off the water source, then they are simply managed detection and alerting. That’s it without the ultimate payoff of real response.

What does that look like? MDR vendors must respond to millions of security events per client (potentially leaking pipes and flooding basements) and begin triage within minutes and resolve (contain attacks and report with full forensics) in less than 30 minutes. Criminals measure their time in minutes and hours, not the typical days or months of their victims.

Experience counts. The lessons learned in business continuity as a result of the 9/11 attacks were predicated on the resiliency of a primary facility. Back-ups in New Jersey were sufficient to recover from events in Manhattan. But, a little over a decade later, Hurricane Sandy flooded Manhattan and made us see resiliency as more than protecting a building. COVID-19 and work-from-home was business as usual for companies prepared for distributed workforces but was devastating to organizations that focused on the traditional perimeters.

Vendors focused on the network and porting log-based responses from MSSP to MDR marketing could not protect their clients during COVID-19. Or at least, there were massive delays and gaps in which criminals could exploit their clients. Consider the tens of thousands of hospital beds in compromised healthcare facilities or theft and disruption targeting critical infrastructure and manufacturers working to deliver life-saving technology.

Digital transformation is accelerating like a runaway freight train. Everything is connected and there is nowhere to hide. Every surface is exposed. When you look over your cybersecurity wall, look at the MSSP or MDR vendor at your side. Are they shiny and full of promise, or do they carry the weight of experience? When it comes to protecting my business, I want experts who have seen it all and know how to confront cyberthreats. Catchy phrases, pretty slide decks and enticing price tags won’t seem very comforting when the cybersecurity predators start circling your business.


Mark Sangster, Vice President and Industry Security Strategist, eSentire

Mark is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.