
MDR use cases: Achieving detection and response with lower costs and higher productivity

As any CISO would tell you, good cybersecurity doesn’t come cheap.

It takes significant time, money and human capital to build a security operations center from the ground up. Even once an SOC is up and running, there are other costs to consider too — the periodic acquisition of new security tools, the effort in training and retaining skilled workers and the occasional departures of key personnel that result in loss of institutional knowledge.

In response to these considerations, more organizations are allying with a managed detection and response provider to meet their SOC needs. MDR effectively grants companies a fast pass to the front of the line. Instead of sinking millions of dollars into recruiting experts and building up an SOC from within — an effort which can take years to reach fruition — companies can immediately get access to elite threat hunters and detection technologies by subscribing to the MDR service model.

Here’s why MDR makes sense, not just financially, but from a business standpoint as well. 

MDR boosts productivity

Whether it’s sifting through an influx of miscategorized alerts, distinguishing false positives from genuine threats or trying to establish visibility of all endpoints, many security analysts find themselves in constant firefighting mode, struggling to come up for air. Case in point: a recent study found that SOCs devote an average of two to three hours a day to responding to suspicious emails, and nearly 58 days a year to handling alerts that are later determined to be false positives. MDR addresses this inefficiency by giving companies a chance to refocus time and energy in support of their core business objectives.

“MDR can take care of 99% of the crap that's at the bottom that just is constantly hitting you every single day. That just needs to be dealt with proactively from both the detection and the response side of things,” says John Shier, Senior Security Advisor at Sophos.

This allows in-house security teams to be more productive, solving problems that actually move business forward, like rolling out new policies or training employees in cyber hygiene, while letting MDR vendors handle day-to-day response and investigation duties.

MDR provides affordable access to elite threat hunters

One of the biggest benefits of an MDR service is that it grants access to top-tier threat hunting professionals who would otherwise cost companies hundreds of thousands of dollars to recruit and retain full-time. Threat hunters bring an extremely valuable set of skills to the table — a deep understanding of the latest TTPs used by adversaries, a fluency in translating highly technical subject matter into prescriptive advice for businesses and a talent for pulling together insights across a vast set of data.

Some organizations may be fortunate in recruiting top-notch cybersecurity talent or onboarding advanced detection tools, but it can be expensive and rare to check off both boxes. “The way I crudely think about MDR is that the ‘D’ of detection is the machinery, the automated stuff mostly,” says Shier. “And the ‘R’ of response is the people. You need both of them together to be able to do this effectively. And if you are struggling and you don't have either the D or the R, then you’re going to need help.”

MDR doesn’t take holidays

There’s no rest for the wicked. Adversaries are most likely to strike when most of the workforce, including IT, is out enjoying weekends and holidays. With MDR, however, there’s never a lull in monitoring or response operations. MDR providers, like Sophos, employ threat hunters at every hour of the day, 365 days a year. Hunters work in shifts, clocking in and out of their battle stations and handing over detailed descriptions of their activities to the next hunter so they have context on what to prioritize.

“That’s really where the idea for MDR came from,” says Andrew Mundell, Principal Sales Engineer at Sophos. “It was this recognition that you, when there is an active adversary, you need an active defender. But the vast majority of organizations are not in a position where they can run that fully staffed, 24/7 by 365. You really need to have eyes on glass at all times.”

MDR gives customers more control over the cost

MDR isn’t meant to replace SOCs, but to augment what’s already under the hood. For example, larger companies that already have well-staffed security programs might use MDR for quality control and overall peace of mind, somewhat like a writer enlisting the help of a seasoned proofreader to scan and critique a first draft. For small to medium-sized businesses that have just a handful of analysts on board, MDR can be a lifeline, delivering fresh threat intelligence and security operations that weren’t really feasible before.

Ultimately, customers decide what they want their partnerships to look like and MDR providers oblige, offering various degrees of commitment. Sophos, for example, offers three tiers of service (or “response modes”) depending on the customer’s requirements and threat hunting maturity:

  • Fully embedded: The vendor completely manages threat response on behalf of the customer.
  • Collaborative: The vendor works in tandem with the customer SOC, responding to threats as a joint partnership.
  • Alert and advise: The vendor alerts the customer SOC to threats and provides remediation guidance, but does not execute remediation themselves.

Regardless of the arrangement, customers have more control over the cost of their security operations and can even modify their service over time as in-house capabilities mature.

“Our job as a MDR provider is ultimately to get our customers to a point where they don't need us,” says Mat Gangwer, Vice President of Managed Threat Response at Sophos. “You may go through various stages of cyber maturity as you’re building up your threat hunting program. And if you don't have the capability, the resources, the budget or the funding to be able to build it yourself right now — but you know it’s important to protect the organization — then it's cost effective to work with a MDR provider.”

Daniel Thomas

Daniel Thomas is a technology writer, researcher, and content producer for CyberRisk Alliance. He has over a decade of experience writing on the most critical topics of interest for the cybersecurity community, including cloud computing, artificial intelligence and machine learning, data analytics, threat hunting, automation, IAM, and digital security policies. He previously served as a senior editor for Defense News, and as the director of research for GovExec News in Washington, D.C.
