The IT universe is filled with acronyms, and the world of managed security is no exception: MDR, MSSP, SIEM, EDR. Today I’m going over one of them: MDR, or Managed Detection and Response. And I’ll explain why it may be time to consider this level of advanced security service to protect your organization.
What is an MDR?
Managed Detection and Response is one type of outsourced IT cybersecurity service. Like other services, it detects intrusions, malware, and malicious activity in your network. But more importantly, it works to actively eliminate those threats. It’s the evolutionary successor to a Managed Security Service Provider (MSSP). An MSSP monitors network security events and sends alerts when anomalies are identified. However, the MDR provider takes things further by doing the following:
Incident Investigation: MDR providers investigate each alert to determine whether it is a legitimate incident or a false positive. This is done through a combination of data analytics, machine learning, and human analysis.
Alert Triage: MDR providers organize and prioritize security events, enabling the most critical to be handled first.
Remediation: MDR providers remotely take action and respond to security events within a customer’s network.
Proactive Threat Hunting: Not all security incidents are immediately detectable by an organization’s own security stack. For that reason, MDR providers proactively search the network and systems for subtle signs of an ongoing attack (an example would be an under-the-radar Advanced Persistent Threat). Subsequently, if one is found, the MDR takes the necessary steps to cleanse the system of it.
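To make the investigation and triage steps concrete, here is an added example (not code from the post or from any MDR provider) of the kind of pipeline an analyst team runs before a human ever looks at an alert: suppress alerts that match a reviewed allow-list of known-benign activity, correlate what remains by host, and rank each case by alert severity weighted by how critical the affected asset is. The alerts, the asset inventory, the allow-list and the scoring weights are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample alerts, not taken from the post; the field names are an assumption
# about what a detection stack (EDR or SIEM) might emit.
ALERTS = [
    {"id": "a1", "rule": "vuln_scan", "host": "db-01", "src": "scanner-01", "severity": 2},
    {"id": "a2", "rule": "brute_force_ssh", "host": "web-01", "src": "203.0.113.7", "severity": 3},
    {"id": "a3", "rule": "new_admin_account", "host": "dc-01", "src": "10.0.5.4", "severity": 4},
    {"id": "a4", "rule": "lsass_access", "host": "dc-01", "src": "10.0.5.4", "severity": 5},
    {"id": "a5", "rule": "usb_mass_storage", "host": "laptop-17", "src": "local", "severity": 1},
]

# Assumed asset inventory: how much a compromise of each host would hurt (1 = low, 5 = crown jewel).
ASSET_CRITICALITY = {"dc-01": 5, "db-01": 5, "web-01": 3, "laptop-17": 1}

# Assumed allow-list of (rule, source) pairs analysts have confirmed as expected activity,
# e.g. the organization's own scheduled vulnerability scanner. This is the false-positive
# suppression step; it should be reviewed periodically rather than grown indefinitely.
KNOWN_BENIGN = {("vuln_scan", "scanner-01")}


def suppress_known_benign(alerts):
    """Split alerts into (kept, suppressed) using the allow-list."""
    kept, suppressed = [], []
    for a in alerts:
        (suppressed if (a["rule"], a["src"]) in KNOWN_BENIGN else kept).append(a)
    return kept, suppressed


def correlate(alerts):
    """Group remaining alerts by host: several distinct rules firing on one host is a
    stronger signal than any single alert on its own."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    return by_host


def score(host, host_alerts):
    """Priority = worst alert severity x asset criticality, plus a bonus for each
    additional distinct rule observed on the same host. Unknown hosts get a
    middling criticality of 2 so they are neither ignored nor over-prioritized."""
    worst = max(a["severity"] for a in host_alerts)
    distinct_rules = len({a["rule"] for a in host_alerts})
    return worst * ASSET_CRITICALITY.get(host, 2) + 2 * (distinct_rules - 1)


def triage(alerts):
    """Return (queue, suppressed). queue is a list of (host, score, alert_ids) ordered
    so the most critical case is handled first; suppressed holds the allow-listed alerts
    so they remain auditable instead of silently vanishing."""
    kept, suppressed = suppress_known_benign(alerts)
    queue = []
    for host, host_alerts in correlate(kept).items():
        queue.append((host, score(host, host_alerts), sorted(a["id"] for a in host_alerts)))
    queue.sort(key=lambda item: item[1], reverse=True)
    return queue, suppressed


if __name__ == "__main__":
    queue, suppressed = triage(ALERTS)
    for host, s, ids in queue:
        print(f"{s:3d}  {host:<10} {', '.join(ids)}")
    print("suppressed as known-benign:", [a["id"] for a in suppressed])
```

On this sample the domain controller, which has two distinct detections chained on it, lands at the top of the queue, the scanner noise is set aside but kept for audit, and the low-value laptop alert waits its turn. The human step the post describes comes after this ranking: an analyst opens the top case with the context the scoring cannot capture.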
It is important to note that while the average time across industries to detect a compromised asset is close to 198 days, using an MDR typically reduces that to hours, and therefore minimizes the impact of a security event.
Who needs an MDR?
Organizations with a regulatory requirement to provide detection and response, yet without an IT department large enough to handle that responsibility, are the most obvious candidates for an MDR. And clearly, organizations that retain high-value and sensitive data within their network have a critical need for MDR.
Tips for evaluating an MDR for your organization
Pay attention to detail
MDR has become the industry-leading managed IT security service over the past couple of years. Unfortunately, some MSSPs have tried to characterize their services as such by simply applying the language of MDR to their marketing materials. Be sure to carefully compare what is being offered to what you actually expect and need from an MDR.
Availability of staff
An effective provider should have a 24/7 Security Operations Center that is fully staffed with incident response teams. This should include a central point of contact that is available to you for any questions, and during emergencies.
The threat landscape changes quickly, and attackers are constantly developing new techniques. Therefore, it is imperative that your provider has experienced analysts who perform continuous research to augment your security tools. Ideally, you should find out what their approach is to ensuring threat intelligence stays current.
The human factor
Automated cybersecurity tools are not enough for analyzing activity at scale and filtering out the noise. MDR needs to include human “forensics” to understand context and impact that may be unique to your environment. That analysis should help shape the appropriate response in every situation. Ask the MDR providers you’re evaluating: Are your cybersecurity professionals experts in the field? Are they involved in the analysis of security events to reduce false positives? Do they play a part in threat prioritization? Is incident response customized for my unique environment and situation?
It’s all about the response
The important thing to remember when considering MDR and selecting a provider is this: It’s the R in MDR – Response – that makes the service uniquely effective. Cybersecurity is complex and challenging, and becomes more so every day. However, with the right combination of advanced tools and expert human input, it is a challenge that can be effectively managed. A good MDR partner will keep constant watch over your environment and prioritize its response to all relevant threats, so you don’t have to. After all, aren’t there too many other meaningful things you would rather be doing for your organization?