Managed Detection and Response (MDR) is a hot space in cybersecurity these days. Gartner, Forrester, and IDC all have reports about the space and the many vendors looking to establish themselves there. Here are two reasons why it might be time for you to look at Managed Detection and Response.
- Cost-effectiveness. MDR solutions, like many leading-edge security offerings, first targeted the largest organizations. (Thank you again, Jim Rutt – CIO/CISO at Dana Foundation – for this insight!) MDR firms focused on those with the most to lose (banks, defense contractors and the like) and the biggest security organizations. Now, we are finding MDR firms that are embracing the SMB market with prices that begin to make sense for smaller customers.
- Scalability. The folks out there inventing new ways to hack into your networks and steal (or ransom) your data are working at scale. Managed Detection and Response gives you a way to fight back.
Managed Detection and Response Defined
Let me start by explaining what Managed Detection and Response is. A Gartner report lists four functions of MDR.
The key function here is the last one. MDR provides a response function that is sometimes missing in other threat detection and analysis solutions. What is more, recent MDR solutions are employing machine learning and artificial intelligence to help automate analysis, investigation, and response. This is important because organizations cannot solve the analysis-investigation-response problem by hiring more security staff. People with these cybersecurity skills are too few and cost too much to make hiring more staff economical.
Organizations do have the option of hiring a Managed Security Service Provider. However, throwing people at this problem has its limits. The situation reminds me of how translation and dictation services have evolved over the last ten years. At first, firms arose that offered cheap dictation and translation using low-cost labor to do the work manually. As time went on speech recognition technology progressed to the point where today translation and dictation happen in near real-time.
The Role of Machine Learning and Artificial Intelligence
I do not want to veer off into the definitions of machine learning and artificial intelligence. I will summarize things this way.
- Machine learning (ML) is like correlation. Event (a) is correlated with events (b, c, d). Machine learning does not know why event (a) happens when events (b, c, d) are present. Machine learning just knows that this is often the case. (Remember the old maxim, “correlation is not causation.”)
- Artificial Intelligence (AI) is like regression. AI attempts to go beyond correlation and predict the occurrence of event (a) given events (b, c, d). Now we have a prediction about event (a) even if we only find event (b). Of course, if we see events (c) and (d) we can predict the occurrence of event (a) with even more confidence.
I often argue for using security solutions that are built on large datasets. ML and AI algorithms can get more precise (fewer false positives or negatives) when they can analyze more data. An organization looking at just its own threat “signals” might have a dataset in the hundreds. A company building a Managed Detection and Response solution might have access to several million such signals. A service provider with hundreds of customers might see billions of signals. Feeding algorithms more data is like feeding vegetables more compost. Growth happens!
Verify, Then Trust
A riff on the old Ronald Reagan line, I know. But it makes sense. Before you can do scale up your threat response efforts, you must be confident that the automated responses make sense. You remember the other old phrase in software: Garbage In, Garbage Out. Scaling up bad security alerts and responses will make your life more, not less, stressful.
Fortunately, MDR solutions understand this. They let you start by setting the threat response to something innocuous, like writing to a log file. You can review the alerts and then “train” the ML or AI algorithms to respond more appropriately to the threat encountered. When you are confident that the MDR solution is responding correctly to certain kinds of threats, you can move the automation lever forward. You send a warning. Then later, you act first and skip the warning.
Are Your Ready to Try Managed Detection and Response?
In reviewing Azure Sentinel (aka Microsoft Sentinel) I remarked that it changed the pricing paradigm to a consumption-based one. We are evaluating an MDR solution with a similar approach: ActZero. Their pricing is not entirely granular (there is a minimum price for the first xxx events/threats) but they are directionally correct. As ActZero points out, the cost of their MDR solution is less than their competitors, including CrowdStrike, whose threat detection engine ActZero uses.
If you are evaluating a Managed Detection and Response solution, I would love to hear from you. What do you like? How well does the threat analysis work? Could you see using it to automate some of your threat response? There are a lot of players in the MDR space. We can collectively learn from each other about whose solution has the right mix of capability and usability.
If you might want to try out an MDR solution, let me know that too! I can show you how Act Zero works and we can see if it shows promise.
Wherever you stand on Managed Detection and Response, keep an eye on this space. Costs are only going to come down and automation is only going to improve. Be ready to jump in when it makes sense for your organization.