Businesses want to inject efficiency or maturity into their security operations. There are, however an inordinate number of ways that this can be achieved. Buying characteristics and needs of consumers have widely shaped and defined the managed detection and response (MDR) space so that only detection and response services with a particular set of attributes line up to meet what MDR’s actually offer.
These characteristics include:
- A provider owned and managed technology stack that is either; wholly developed by that provider, an integrated set of commercial technologies the provider has carefully curated or a combination of both of these things.
- Staff that interact with the client data on a daily basis (much like the customer SOC would). Providing support and expertise in threat monitoring, detection and hunting, threat intelligence (TI) and incident response.
- The capability to offer remotely delivered response in the form of containment or mitigation, going beyond simple advisory or notification.
- A turnkey experience, delivered utilising a predefined set of capabilities for the identification, recording and containment/mitigation of threats.
What are the likely new features of the market?
The cloud and the CyberSecurity Mesh will play a larger role in what we need and want to monitor. Castle and keep methodology doesn’t work in the way it once did. We are realising the benefits of not actually owning and managing our infrastructure, work in the office is optional nowadays. Decentralised data, API connectivity and disparate cloud applications all mean we need to rethink what to monitor, and how to monitor it.
Looking at exposure rather than just vulnerability will become more important. “Where are my assets vulnerable” is shifting to “how is my business exposed to cyber threats”. Social media, importance of brand and passive data leakage are all key areas attackers are focusing on to gain an advantage. MDR providers are seeing the relevance and importance of other assets, besides things that simply connect to the network.
Validation and testing is getting more focus, thanks to Breach and Attack Simulation (BAS). We all want to know the answer to “What would happen if…” and “would we notice if…”. Validation in other forms is bleeding into capabilities such as Threat Hunting
Is MDR right for us?
MDR is well defined solution, but its not a ready made SOC or complete security outsource. Organisations looking to MDR should be focused on; how they will consume the service, and what they want the service to do for them:
- Need some monitoring for compliance reasons, MDR is probably not for you.
- Like the idea of shiny security tools but don’t know how to operate the, MDR might fit.
- Know your business risks well, your IT architecture roadmap but don’t know the first thing about security, then MDR is perfect.
- Operate a SOC, and want to scale some of the more repeatable detection and response tasks, then MDR will likely be a well aligned option.