Managed Detection and Response, Explained

Tech has no shortage of buzzy new technologies – and cutting through the hype to see what will actually impact the enterprise can be challenging. We're here to help. Starting in 2021, our contributors will give a rundown on an emerging tech and whether it'll pay off to pay attention to it. For security in 2021, here’s our look at managed detection and response.

To see the other trends highlighted in our IT Trends To Watch series, read our Emerging IT Trends To Watch report.

What Is Managed Detection and Response?

Managed detection and response (MDR) is a service-based approach to threat monitoring, hunting, detection, incident analysis and response. Often, MDR acts as an extension of an organization’s security operations team. MDR services collect logs, telemetry and metrics, and then use automated logic to elevate the logs that could indicate a threat. This logic consists of both “IF this THEN alert” type of logic, as well as advanced algorithms that can learn and adapt to their dataset, like machine learning. An analyst then confirms the activity or feeds it back into the detection logic as a false positive. Confirmed threats are acted upon within seconds to minutes to contain the threat and begin the incident response process.

MDR providers tend to be flexible about what tools they provide. If a company already has invested in Endpoint Detection and Response (EDR) technology, a SIEM or SOAR, or a network detection and response solution, it’s reasonable to ask the MDR provider if they can use that existing investment and add only what’s missing. Other MDR providers come with their own technology, requiring customers to install agents that feed security data into the MDR provider’s detection and response platform. Most providers offer some level of custom software to help with the communications and reporting of their services during the engagement. Depending on the breadth of the offering, some MDR providers also will provide vulnerability scanning and management solutions. The key, says Glen Combs, managed detection and response partner at consulting firm Crowe LLP, is to use whatever combination of technologies, tools and people will best improve visibility as well as streamline investigations and incident response.

“Detecting and responding to threats requires specialized knowledge not only in security, but in system administration and data management,” said Combs. “Organizations are finding they can more cost-effectively and with greater confidence outsource this function rather than attempt to build it in-house.”

How Long Has It Been Around?

In general, the concept of managed detection and response has been around for more than decade, but has built up significant momentum in the past year or two as threat levels expand, IT security professionals are scarce and attacks become more sophisticated.

(That’s a difficult question to answer more precisely. Some say early EDR providers came up with the idea, based on the premise that technology and humans are the best combination for fighting threats. Others say it’s an outgrowth of incident response services. Still, others say it was first offered by managed security services providers (MSSP).)

Why Are People Paying Attention to It Now?

The number of companies relying on managed detection and response services is growing. According to ESG, 35% of companies currently use an MDR service, while 38% are actively pursuing one.

There are several reasons for that growth in MDR service use. The threat landscape has expanded significantly, taking advantage of the growing attack surface that now includes more devices, infrastructure living on multiple clouds and employees working from home on unmanaged devices. Forrester security analyst Jeff Pollard noted that one FinTech company he spoke with recently said it had experienced a 300% increase in attacks against their organization since March of 2020.

In addition, the types of threats and attacks are more varied as adversaries get more sophisticated. Finally, there are relatively few cybersecurity analysts available, thanks to a skills shortage. According to a survey from (ISC)², the cybersecurity workforce has a skills shortfall of more than three million.

These factors also have led organizations to realize that automated defenses alone simply aren’t good enough. “While automated defenses have reach very high efficacy levels, there continue to be a small percentage of attacks that evade these controls,” said Dave Gruber, a senior cybersecurity industry analyst at ESG. “These attacks are often related to software or configuration vulnerabilities, and in some cases, rogue systems that lack core security controls. These scenarios enable attackers to compromise infrastructure, requiring detection and response to stop attacks before they do damage.”

Who Benefits From It?

When a cyberthreat is stopped, everybody wins. More specifically, security and risk teams win, because they have fewer successful attacks to deal with and can better manage risk. The IT staff wins because they have less technology to support, and the C-suite often wins when the services-based approach ends up costing less than supporting technology and managing threats internally. It’s not uncommon for MDR providers to claim that customers’ annual security costs can be reduced by 50% with this approach.

Where Can You Get It?

Pureplay managed detection and response providers include:

Managed Security Service Providers offering MDR include SecureWorks and Trustwave.