Managed Detection and Response (MDR) is a type of managed security service (MSS) where a service provider is wholly or partially responsible for the detection, investigation, and response to identified cyber security threats to the customer organization.
According to Gartner’s Market Guide for Managed Detection and Response Services, “MDR services provide remotely delivered modern security operations center capabilities focused on quickly detecting, investigating and actively mitigating incidents.”
Once an organization decides to leverage an MDR service, the service provider generally conducts an initial asset identification exercise to identify all the existing IT assets in the customer’s environment. Asset identification is a key step in providing an effective security service as it helps the service provider understand the scope of protection. It also eliminates the hidden risk of shadow IT, that is, assets that are not known to the IT department. Shadow IT presents hackers with an undetected route into the organization’s network.
When all the assets are identified and sorted, the MDR service provider usually conducts an in-depth security assessment. The security assessment will give the service provider and I&O leaders a detailed overview of the organization’s security posture. This includes the overall risk surface, security weaknesses, vulnerabilities, and any existing threats. The security assessment will help the service provider determine the level and scope of security protection provided to the organization.
Once the security service to be rendered has been agreed upon by both parties, the MDR service provider begins to manage the organization’s security operations. MDR service providers operate out of a security operations center (SOC) with a dedicated security team of qualified and experienced experts. The SOC can be located in the customer’s country or overseas. SOCs typically operate 24x7, providing continuous monitoring, threat detection, and response. First, the MDR vendor conducts proactive threat hunting by continuously monitoring the customer’s network for threats and anomalous activity. Second, when the SOC receives an alert, security teams analyze and investigate the alert. Finally, the SOC provides incident response for identified security events.
Customers can choose whether to outsource the entire MDR service to the service provider or outsource partial MDR responsibilities, where the service provider works with the customer’s existing IT security team. In this model, the service provider may be responsible for identifying threats and notifying the customer’s security team to respond to them.
In a managed detection and response service, the service provider supplies the security technologies needed to render the service. These technologies are typically delivered virtually over the cloud with minor hardware deployments on the customer’s premises. Alternatively, hardware security devices may be deployed depending on the customer’s needs. MDR vendors can leverage various security technologies as part of the service. These can include network firewalls, endpoint detection and response (EDR), network detection and response (NDR), and security information and event management (SIEM). Depending on the service provider, their technologies may integrate to work together with the customer’s existing security deployments. The MDR service provider will most likely incorporate threat intelligence in their services to enhance the detection of the newest and most advanced threats.
There will often be a unified portal where the customer can get an overview of its security posture. The MDR service provider may also provide regular security reports to update the customer on the number of detected attacks and how they were dealt with.
Managed Detection and Response first emerged in the mid-2010s and has gained a lot of traction over the years. According to Gartner’s Market Guide for Managed Detection and Response Services 2021, the MDR market is “estimated to reach $2.15 billion in revenue by 2025 up from $1.03 billion in 2021, for a compound annual growth rate (CAGR) of 20.2%”. There are two key drivers of MDR adoption that make it valuable to organizations that lack the resources and expertise to run a SOC, such as SMBs and public institutions like hospitals.
The biggest case for managed detection and response is the current cyber security talent shortage. According to the 2021 (ISC)2 Cybersecurity Workforce Study, the global cyber security workforce needs to grow by a staggering 65% to keep up with current demands. The cyber security talent gap poses a huge problem for organizations. Security technologies only go so far in protecting an organization. Security experts are required to analyze and investigate security alerts to detect and respond to threats. Understaffed security teams may suffer from alert fatigue and may not be equipped to conduct 24x7 continuous monitoring. Security staff are also required to create and continuously fine-tune security policies to ensure they remain relevant. Even the automated tasks carried out by security tools are configured by security staff. Without adequate talent in place, organizations with the latest and most expensive security technologies are not safe from cyber-attacks. This makes MDR the ideal choice for SMBs that are not in a position to establish their own security operations, or for larger enterprises that wish to acquire additional support for their existing security team.
Threat actors are always upping their game with increasingly sophisticated malware and evasive techniques. Vulnerabilities keep getting exposed in the products of major developers such as Microsoft, Google, and Apple, whose products are used by millions of businesses. The ever-growing threat landscape means that organizations that are safe today may no longer be safe the next day or the next week, never mind the next month. In order to maintain the effectiveness of their security operations, organizations need to constantly stay up to date with the latest security risks and trends. This can be too much of a burden on small and mid-size businesses, especially when additional security devices are required. With an MDR service, organizations can afford to be less vigilant as the service provider takes responsibility for security matters. Moreover, subscribing to additional cloud-delivered security capabilities is generally cheaper than purchasing new hardware devices.
MDR service providers operate their SOC on a 24-hour basis with security staff working in shifts to maintain round-the-clock protection. Given that cyber-attacks can strike at any moment of the day, having 24-hour protection ensures that security events are always dealt with in a timely manner to keep business impact to a minimum.
MDR service providers are continuously developing new technologies and improving existing solutions. By leveraging an MDR service, organizations can benefit from the latest technologies without having to refresh their security stack on a regular basis. And given that security technologies are typically delivered over the cloud, CapEx is kept at a minimum.
Unlike other managed security services (MSS), an MDR service is a collaboration between security personnel and technology. Every organization is different, and the added human element allows the service provider to really understand the business and provide customer-specific protection. This significantly improves the accuracy of threat detection and investigation.
An MDR service can help organizations relieve the pressure of hiring and retaining the talent needed for running in-house security operations. MDR service providers hire their own security staff and have established training programs. Customers do not need to worry about hiring new talent even as the need for greater security increases.
An MDR service ultimately helps businesses protect their bottom line. With the backing of a professional security service, organizations are under less risk of suffering heavy impact from a cyber-attack. This can protect the company from damaging costs, such as ransomware payments, data compliance violations, business downtime, and business reputation damage.
Organizations may be wary about allowing third-party access to their network and systems. However, MDR service providers are governed by data privacy laws and regulations, such as the EU General Data Protection Regulation (GDPR). Any violation can result in heavy fines and penalties. This is why MDR service providers typically only collect and store data that is necessary for security purposes. Customers are also provided with the option to choose what data is collected and how long it is stored.
A supply chain attack is a type of cyber-attack where the attacker breaches an organization’s network through a third party that has access to its network. The attacker first infiltrates the third-party organization, such as a software supplier or managed service provider. They then exploit the third party’s trusted access to gain unrestricted entry into the target’s network. MDR service providers are also at risk of being used as a pivot to launch a supply chain attack. However, given that they are in the business of cyber security themselves, the risks are relatively low.
Another concern over MDR services is that a third-party service provider may not understand the organization’s business as much as an in-house security team. This may well be the case. However, MDR service providers can learn a lot about the organization through the initial security assessment, asset review, and continuous security operations. In time, MDR service providers gain sufficient understanding of the organization’s business to make better sense of its network activities.
ForeNova Managed Detection and Response (MDR) is designed to help organizations enhance their security operations and better secure themselves against an ever-growing threat landscape. Our MDR service leverages the human-machine intelligence concept, a combination of the latest security technologies with human experience, perception, and skepticism.
The concept of human-machine intelligence harnesses the synergy between technology and human logic, blended through years of fine-tuned processes and procedures. This enables ForeNova MDR to deliver a holistic threat detection and response service with speed and precision.