MDR: A Better Solution to Preventing Cybercrime?
Updated: Feb 28, 2019
Despite advances in cybersecurity, criminals have managed to hack into organizations’ networks using a variety of methods.
According to Cybersecurity Ventures’ 2017 Cybercrime Report, “Cybercrime damages will cost the world $6 trillion annually by 2021.”
With so many new threats emerging one after the other, it is clear that businesses need a better option to prevent cyberattacks. In fact, organizations have been looking to improve traditional threat detection and response capabilities without the expense of hiring additional employees.
Plato famously said, “Necessity is the mother of invention.” And so, Managed Detection and Response (MDR) has emerged as a service.
What is MDR?
Managed Detection and Response (MDR) is a service that focuses on continuous monitoring (24/7). It also involves detecting advanced and unknown threats using sophisticated analytics and contextual threat intelligence, prompt remote incident validation, and actionable recommendations or remediation management.
According to Gartner’s Market Guide for Managed Detection and Response Services, “Managed detection and response improves threat detection monitoring and incident response capabilities via a turnkey approach to detecting threats that have bypassed other controls.”
Prior to the emergence of MDR, many organizations were using MSS (Managed Security Services).
Just like MDR, MSS is a systematic approach to managing an organization’s security needs.
What is the difference between MDR and MSS?
Traditional MSS providers (MSSPs) use SIEM (Security Information and Event Management) technology when reacting to security events. If well implemented, SIEM can correlate events from all types of devices in real time and flag anomalies for deeper forensic analysis.
MDR vendors also use SIEM as a part of their services, but they proactively look for evidence of compromise within the client’s network and help the client respond to attacks.
MSSPs typically act more as an alerting function. MDR vendors are usually more deeply involved even after a security incident has been identified. As standard, this can include more thorough analysis of security incidents, such as reverse engineering, sandboxing, forensics and incident response consulting. At present, some MSSPs include this service, but they charge an extra fee.
MDR is also a more affordable alternative. Gartner observed “some MDR vendors specifically focusing on the small business and smaller midsize organizations with small IT teams and minimal investment in security.”
As mentioned earlier, MSSPs have relied on automation to identify and react to security events. The focus of MSSPs is on remote device management, vulnerability management, security event monitoring and alerting. Most MSSPs lack the skills needed to prioritize threats, perform forensic analysis, and identify compromised networks and systems.
MDR is more dependent on human experts to triage, escalate and participate in the post-incident response phase of cybersecurity. These experts understand the latest attack vectors, have access to varied global threat intelligence, and have in-depth knowledge of the client’s IT infrastructure.
What brought about the development of MDR?
MSSPs became available to organizations a decade or so ago. Generally, there was a positive outlook towards the services they could provide. However, the technology available at the time was not as advanced as it is today. Additionally, many organizations were wary about outsourcing security. So, most ended up with perimeter device management and monitoring security solutions. As a result, there was limited visibility into security events within company systems and networks, and this hindered the ability to differentiate between real breaches and false positives.
The MSSPs also went through a major change. The focus of MSSPs shifted from providing great customer service and a deep understanding of the clients’ environment to driving ROI. They lost the relationship they initially developed with their customers. Consequently, customer satisfaction and retention rates have declined.
Where is the use of MDR headed?
According to Gartner, MDR is still an emerging market. There are a number of new entrants at present, and Gartner anticipates that more providers will enter the market during the next several years. MDR services are offered in a variety of forms, and new approaches are still being introduced in the market.
Gartner has also observed that the number of providers offering services that align with the MDR market definition (rather than the definition of an MSSP) has become more visible during the past year.
Growing awareness among small and medium businesses of the benefits of MDR against cyberthreats can fuel demand for the service in the coming years. Gartner predicts that 15% of organizations will be using MDR by 2020 compared to less than 1% of organizations using it today. In addition, 80% of MSSPs will try to offer MDR-type services by 2020.
Netswitch offers MDR services to small and medium-sized businesses as well as large enterprises. For more details on how we can assist you in establishing a cybersecurity solution that fits your environment and meets your requirements, please contact us today for a consultation.