Gartner Blog Network


MSSP is/and/or/vs MDR?

by Anton Chuvakin  |  December 14, 2017  |  4 Comments

So, we are wrapping up our research on the effective use of managed services for security and that debate of MSSP vs MDR came up … again!

Gartner defined MDRs (here), perhaps a bit vaguely, as providers that “deliver services for buyers looking to improve their threat detection, incident response and continuous-monitoring capabilities.”

For years, Gartner defined MSSP as “the remote monitoring of security events and security related data sources, or the management of IT security technology along with security event monitoring, delivered via shared services.”

An astute reader may observe that even people without much imagination will notice that these overlap … a lot. On the other hand, a cynical [but perhaps no less astute!] reader may quip that “an MDR is simply an MSSP that knows how to detect actual threats and not just to monkey around with compliance.”

On yet another hand (there is one more?), somebody may point out that a hotshot MDR won’t manage your firewalls and NIPS boxes, so if you need help with that, MSSP is the right choice. This, BTW, has led some clients to procure the services of both an MSSP and an MDR (and, in case of one organization I’ve heard of, that of one MSSP and two MDRs … and both of them pushed EDR agents on clients’ machines … and hilarity ensued). This of course creates beautiful opportunities for finger-pointing after they are hacked!

Furthermore, our “bucket of MDRs” contains plenty of fairly dissimilar providers: some rely on EDR agents (and represent a “managed EDR” type of MDR… confused yet?), some use logs and other data, some focus on traffic analysis, and others do a mix of all of the above, backed up by some analytics, often of unknown provenance…

Given that in all likelihood more of infosec / cybersec will end up with 3rd parties (and/or robots!) over time (despite known problems), this is important to get right. We even have a document about how to understand all those befuddling MSSP services and some research on how to test them.

Finally, it seems to us that over the next 1-2 years, MDR will become simply a type of an MSSP service type that focuses on detection excellence and remote incident response (wherever such IR is possible).

Dear MDR vendors, please consider disagreeing! :-) Perhaps some of you are offended by being thrown in with what you’d call “legacy MSSP riffraff”? On the other hand, MSSPs that offer a range of valuable services may be offended by being thrown together with such “narrow” offerings as MDR?

In other words, have I just offended everybody? :-)

Related posts:

Category: mssp  security  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on MSSP is/and/or/vs MDR?


  1. Kosh says:

    Are there similarities in evolution with vendors doing MDR ultimately becoming mssp as with ueba vendors evolving into siem tools ? Demonstrate you can do a particular / challenging use case reasonably well and then expand to generic or more compliance type check box activities that are reasonably easier to do.

  2. Steven Cohen says:

    Great question and summary Anton!

    As with many things security – there is a lot of confusion, non-standardized terminology and as a result, organizations that create FUD in positioning one solution vs another. Kudos to the Gartner team to tackle this challenge.

    In my personal opinion, I think that it is not a question of MDR or MSSP? Rather, the two offerings are complimentarty services that can help solve different problems (with the caveat that YES … there can also be overlap between the services).

    Organizations need to understand what is the problem that they are trying to solve first and what are the requirements from the service provider. That will help define if MDR, MSSP or perhaps a combination of both are required.

    It is best to have the RIGHT level of security layers to manage your organization’s risk – that requirement will dictate if you need MDR, MSSP or potentially both. Further, vendors need to be able to adjust their services to meet the ever-changing needs of organizations.

    Looking forward to other opinions.

    Steven Cohen



Leave a Reply to Steven Cohen Cancel reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.