The Managed Detection and Response (MDR) market has experienced great traction over the last few months and years. This has been, in part, due to the simplicity of the concept, although there have been a few ‘pretenders’ that have tried to get into the club with ‘fake ID’. As with all new and exciting terms, it’s really easy for marketing departments to grab onto them and put together a PowerPoint. All of a sudden that vendor is an ‘MDR’, but are they? Recently, questions from vendors and end users alike have regularly included “What really is MDR?”
I thought it might be worth writing a blog post to try and explain what MDR is, as well as how it sits within the wider sphere of ‘Detection and Response’ type services. Much like any product in any market, there is competition, and the story becomes about adding differentiation to try and make a product stand out. This is easy with a chocolate bar or a breakfast cereal, but not so easy with security services. Unlike most products, it’s difficult to cut through to what you are actually buying when you buy that security service. Buyers must be consumption-model and outcome focused to get clarity. Herein lies the key to understanding the difference between MDR and ‘other’ detection and response services.
What defines MDR?
Does MDR really mean you’re going to get the ‘best’ detection? Are you really looking for the most advanced tool-sets and funky dashboards? There are three defining characteristics that buyers of threat detection and response must be focused on for MDR to be right for them:
- Turn-key, fast to deploy service.
- Skilled threat analysis, interpretation and actionable outcomes.
- Fully managed, not a technology, not automated.
Naturally there are some things here that I have missed out. MDR services must have a wide range of use cases, the ability to detect threats and the capability to respond quickly and remotely. But other services that detect and respond to threats can have these things too. In the same way that buyers don’t go to a car showroom and say “I’d like a car, with wheels and lights”, you don’t need to go to an MDR provider and ask for the things that are most common across detection and response type services.
A firm favorite is ‘Threat Hunting’. It’s obvious that all MDR services must run on well-developed Threat Hunting processes. If they don’t, they are simply not delivering on #2 of the defining characteristics above. You can dig a little deeper into my thoughts about this in a post I published in April, “What Really is Threat Hunting?”
Does MDR need to run on specific data/technologies?
Can MDR run on log data, or using a SIEM? The simple answer is yes, but there are a few caveats: log data is often difficult to integrate with a detection solution, especially custom log sources. Therefore log data does make it harder, but not impossible, to meet #1 of the defining characteristics above. Furthermore, it is hard to create a solution which includes ‘response’ if it is simply a passive listener. It then stands to reason that logs alone cannot make a detection and response service MDR. The same applies to any passive collection and processing based technology.
The ‘R’ in MDR means there is a direct requirement for a method of feedback. And before someone says “isn’t a security incident report with actionable ‘advice’ feedback?”, yes it is, but it’s not response. In the same way, simply telling your four year old not to draw on the wall again is not as effective a response as taking the crayons away.
What about Automation?
Finally, the ‘not automated’ part of defining characteristic #3 matters. When you buy a ‘service’ you don’t expect the technology to do all of the work (not that it would be possible anyway). It’s perfectly acceptable (and beneficial) for service providers that offer MDR to automate ‘parts’ of their workflow. That’s logical cost optimisation and improves consistency. But no managed security service is fully automated. Without the skilled threat analysis, constant evolution and development, they become outdated and useless over time.
So, in answer to the question I posed at the beginning, the one that brought you here… Is MDR just another acronym that means Managed Security? No, it’s not. It’s a breed of detection and response service, one that helps you accelerate maturity by being turnkey, one that brings expertise, evolution and development. It can be part of a wider detection and response strategy or stand up on its own. MDR provides outcomes that reduce cyber security risk in your organization.