(A preview for the SC Media eBook “All about MDR: What it is and how to optimize it." )
Cultivating in-house cyber expertise is costly and time-intensive, and many companies simply lack the resources to make it work in their favor.
Faced with this talent shortage, more organizations have turned to managed detection and response (or MDR) to achieve the vigilance and functionality of a security operations center at a fraction of the cost.
What is MDR?
MDR describes an agreement whereby a cybersecurity vendor performs dedicated threat hunting investigations and incident response on behalf of a customer organization.
While MDR in practice can look different depending on the customer organization’s needs, it’s safe to assume that any MDR relationship will at least consist of the following fundamentals.
- Access to human threat hunters: Security tools can improve threat hunts, but they can’t provide the intuition, curiosity and ingenuity that only humans can. Threat hunting brings skilled security practitioners together to proactively identify and eliminate threats before they materialize. Hunters are well-versed in the latest attack methodologies and exploits, and tend to bring years of training and first-hand experience to the table. For that reason, they’re a rare and highly sought-after commodity.
- Specific focus on threat detection and threat response: Results from a SANS 2020 Threat Hunting survey show that 75% of organizations with a threat hunting capability use staff who already juggle other work duties – such as incident response or SOC upkeep. In contrast, MDR vendors employ dedicated threat hunters whose sole occupation is to hunt and eliminate threats, and nothing else. This is critical because it prevents hunters from being pulled into other pursuits that would distract or take time away from their main mission.
- Continuous monitoring and scanning: To counter more sophisticated cyber attacks, organizations need to be on guard at all times of the day. But many attackers know that’s not the case, and will purposely launch their attacks on weekends or over holidays (when most of the workforce are home). For MDR vendors with a global footprint across multiple time zones, they can provide continuous scanning 24 hours a day, 365 days a year. It also means that once a vulnerability is detected in one location, the vendor can rapidly identify and fix the vulnerability in all other customer environments.
- Guided remediation: Oftentimes, the problem isn’t finding a vulnerability; it’s knowing which vulnerability to prioritize based on the risk it presents to the organization. Security alert fatigue is well-documented as many organizations contend with hundreds of thousands of alerts on a daily basis. With MDR, however, a customer can defer this responsibility to the vendor who has the personnel and automation tools to sift through alerts and identify the most pressing concerns.
- Working partnership built on shared and non-shared responsibilities: While threat hunting, detection and response may be performed by the MDR vendor, it does not absolve the customer of upholding their part of the working relationship. For MDR to succeed, customers need to be responsive, receptive and swift in acting on the recommendations or intelligence provided by the vendor.
What MDR is not
While MDR shares or incorporates elements of the concepts below, it should not be seen as synonymous or as a stand-in for:
- Endpoint detection and response (EDR): A security product that scans and monitors endpoint health across an organization’s network. Besides scanning, it mainly functions to generate alerts of suspicious activity for further investigation by security teams. While EDR is a core exercise in the MDR toolkit, it is by no means the only one.
- Extended detection and response (XDR): A more robust version of EDR, XDR is a security product that ingests data from a multitude of inputs across the organization to provide greater visibility and context for why things happen on the attack surface. An advantage of XDR over EDR is that it integrates multiple data streams instead of relying exclusively on endpoints, with the goal of providing security teams as much context upfront as possible to better prioritize alerts and facilitate faster, more precise remediation. More MDR vendors have begun employing XDR to help customers prioritize critical vulnerabilities over non-critical ones. “XDR takes in multiple data sources, not just EDR but also other telemetries like your firewall or your mail filter, for example,” says Mat Gangwer, Vice President of Managed Threat Response at Sophos. “Then it synthesizes all that information for your MDR provider, who sits on top of that. They’re taking the output, tuning the tool, and then operating on the artifacts coming out of it.”
- Managed security service provider (MSSP): The scope of an MSSP’s duties can be wide and varied. In addition to general monitoring and examination of alerts, they might also oversee the sunsetting and replacement of technology, compliance controls, identity and access management, and other items that go beyond the parameters of detection and response. While they can improve an organization’s cybersecurity upkeep, they do not generally engage in threat response specifically. So how is a MSSP different than a MDR? MDR is a specific discipline and service agreement, focusing primarily on threat detection and response as opposed to other cybersecurity administrations that an MSSP would cover.
- Security information and event management (SIEM): Similar to XDR, a SIEM is capable of ingesting and synthesizing data from multiple sources and flagging any behavior that is suspicious or unexpected. SIEMs are vigilant, but oftentimes to a fault – prone to generating an avalanche of security alerts or even failing to detect common attack signatures altogether. Unlike SIEMs, MDR vendors don’t call it a day once they’ve identified suspicious behavior. Instead, their teams of threat hunters dive into the data to provide customers context and interpretation for what the alerts mean. “Fundamentally, MDR requires a high fidelity of telemetry,” says Greg Rosenberg, Director of Sales Engineering at Sophos. “In other words, you need a really deep set of information that can show the adversary’s activity — like, can you actually see privilege escalation or credential theft? Because a lot of the time, you're not going to get that in the logs of a SIEM.”
