Blog post

MSSP is/and/or/vs MDR?

By Anton Chuvakin | December 14, 2017 | 4 Comments


So, we are wrapping up our research on the effective use of managed services for security and that debate of MSSP vs MDR came up … again!

Gartner defined MDRs (here), perhaps a bit vaguely, as providers that “deliver services for buyers looking to improve their threat detection, incident response and continuous-monitoring capabilities.”

For years, Gartner defined MSSP as “the remote monitoring of security events and security related data sources, or the management of IT security technology along with security event monitoring, delivered via shared services.”

An astute reader may observe that even people without much imagination will notice that these overlap … a lot. On the other hand, a cynical [but perhaps no less astute!] reader may quip that “an MDR is simply an MSSP that knows how to detect actual threats and not just to monkey around with compliance.”

On yet another hand (there is one more?), somebody may point out that a hotshot MDR won’t manage your firewalls and NIPS boxes, so if you need help with that, MSSP is the right choice. This, BTW, has led some clients to procure the services of both an MSSP and an MDR (and, in case of one organization I’ve heard of, that of one MSSP and two MDRs … and both of them pushed EDR agents on clients’ machines … and hilarity ensued). This of course creates beautiful opportunities for finger-pointing after they are hacked!

Furthermore, our “bucket of MDRs” contains plenty of fairly dissimilar providers: some rely on EDR agents (and represent a “managed EDR” type of MDR… confused yet?), some use logs and other data, some focus on traffic analysis, and others do a mix of all of the above, backed up by some analytics, often of unknown provenance…

Given that in all likelihood more of infosec / cybersec will end up with 3rd parties (and/or robots!) over time (despite known problems), this is important to get right. We even have a document about how to understand all those befuddling MSSP services and some research on how to test them.

Finally, it seems to us that over the next 1-2 years, MDR will become simply a type of an MSSP service type that focuses on detection excellence and remote incident response (wherever such IR is possible).

Dear MDR vendors, please consider disagreeing! 🙂 Perhaps some of you are offended by being thrown in with what you’d call “legacy MSSP riffraff”? On the other hand, MSSPs that offer a range of valuable services may be offended by being thrown together with such “narrow” offerings as MDR?

In other words, have I just offended everybody? 🙂

Related posts:

Comments are closed


  • Kosh says:

    Are there similarities in evolution with vendors doing MDR ultimately becoming mssp as with ueba vendors evolving into siem tools ? Demonstrate you can do a particular / challenging use case reasonably well and then expand to generic or more compliance type check box activities that are reasonably easier to do.

  • Steven Cohen says:

    Great question and summary Anton!

    As with many things security – there is a lot of confusion, non-standardized terminology and as a result, organizations that create FUD in positioning one solution vs another. Kudos to the Gartner team to tackle this challenge.

    In my personal opinion, I think that it is not a question of MDR or MSSP? Rather, the two offerings are complimentarty services that can help solve different problems (with the caveat that YES … there can also be overlap between the services).

    Organizations need to understand what is the problem that they are trying to solve first and what are the requirements from the service provider. That will help define if MDR, MSSP or perhaps a combination of both are required.

    It is best to have the RIGHT level of security layers to manage your organization’s risk – that requirement will dictate if you need MDR, MSSP or potentially both. Further, vendors need to be able to adjust their services to meet the ever-changing needs of organizations.

    Looking forward to other opinions.

    Steven Cohen