In a cybersecurity market overrun with alerts and skill shortages, IT professionals are finding that a SIEM system alone can't meet the demands of today's ever-growing threat landscape.
Managed detection and response (MDR) is a new category of service offering that lets organizations add 24/7 dedicated threat monitoring, detection and response capabilities through a turnkey approach, according to research firm Gartner. Last year, Gartner predicted that 15% of organizations will adopt MDR services by 2020, up from 5% in 2018.
Many organizations do not have the resources to maintain around-the-clock monitoring and analysis capabilities for handling security threats in a timely manner, industry observers say. Consequently, 66% of organizations that have been affected by the cybersecurity skills shortage said the shortage has led to an increased workload for their existing staff, Enterprise Strategy Group research revealed.
MDR services vs. traditional managed security
This is where MDR services come in. Managed security services providers (MSSPs) typically alert customers when events are flagged in a security information and event management (SIEM) system and then shift the analysis and response burden to customers. MDR services replace the MSSP approach by investigating security events and providing the analysis needed to properly respond, according to MDR services provider Critical Start, based in Plano, Texas.
Most MDR providers "rely on quality cybersecurity products to deliver their services, so you have a good technology that's loaded, and then they're trying to provide additional value on top," such as triage and alert response, said Randy Watkins, CTO of Critical Start.
Without a third party to do that, the onus is on the customer to not only find issues raised by alerts, but also resolve them. Most customers aren't doing that, Watkins maintained. "Any MDR is better than no MDR, because oftentimes customers aren't doing a good enough job themselves."
"Everyone is still defining what the 'R' is in MDR," said TJ Alvino, vice president of sales and services at Cygilant Inc., a security provider headquartered in Boston. "Some customers want you to do the actual fix for them, and others, from a liability perspective, don't want you near [their network]. So they want you to take them from A to Y -- but do Z themselves."
While the cybersecurity market continues to define MDR, Alvino said Cygilant defines the term as "enabling you to do the actual fix on the patch side, but we'll load the dashboard for you, … so the liability is still on [the customer] to do that." Additionally, the response aspect of MDR provides contextual awareness around alerts and remediation services without patching, Alvino said.
"We're identifying the issue, providing the solution for the issue and teeing that up for [customers] to fix it," he said, adding that it is "an active discussion" within the market on whether the MDR service should apply the patch or leave it for the customer to do. This is what is "driving the need for clarity around what 'R' actually is," he said.
MDR services go beyond alert escalation
A commonly perceived limitation of MDR, Watkins believes, is an inability to gather data from every log source a customer has.
MSSPs typically ingest logs from almost all sources a customer has, he said. An MSSP brings the logs into one place and then escalates issues to the customer "without adding much value." Although customers want MDR services to use most of their log sources, that isn't possible -- or even necessary, he said.
"The problem that these managed services and MDRs are trying to solve is a lack of head count in the industry, but that's not what the customer needs," Watkins said.
Rather than receiving "a bunch of alerts generated from another place," MDR providers tend to focus on fewer products and on adding more value to those products by performing response actions, he said.
"MDR is focusing on a specific stack of products they can learn inside and out to do triage and perform response capabilities, which is more than escalating alerts," Watkins explained. MDR means "actually isolating infected hosts to lower an attacker's dwell time … in your environment before you find them and remove them."
However, MDR providers are fairly restricted when it comes to heavily regulated customers. "The technology doesn't allow for a lot of detection and response capabilities there," Watkins said.
The technologies in an MDR offering
MDR providers can opt to focus on network-, endpoint- or log-based technologies, Watkins said. Depending on their services, they'll look at firewalls and intrusion detection systems, SIEMs or endpoint technologies. Critical Start focuses on endpoint technologies, he said.
Often, developing MDR services requires firms to partner with cybersecurity vendors. To enhance its MDR offering, Critical Start announced several partnerships in recent months. Under a partnership revealed in March, Critical Start teamed up with Chronicle to provide managed services for its Backstory security telemetry platform. In April, Critical Start also announced an alliance with Microsoft to offer an MDR service for the Microsoft Defender Advanced Threat Protection platform.
Cygilant has partnered with AT&T Cybersecurity to help midsize organizations start ingesting SIEM data from multiple technologies into one interface with security operations center (SOC) as a service wrapped around it, Alvino said.
Cygilant's SOC monitoring platform is product-agnostic and aggregates alerts and network activity. It also has a feature that "orchestrates and tunes how a customer wants to receive alerts" based on their security profile, the company said.
By integrating SOC as a service, vulnerability management and patch management into one platform, Alvino said, midsize businesses don't have to buy all three features from different vendors.