What is Managed Detection and Response?

By Ron Samson Jr

Managed Detection and Response (MDR) is an outsourced security service.  An MDR provider installs their own set of security tools on a customer’s network and offers 24/7 remote monitoring of these solutions for any attacks.

MDR is differentiated from other managed security services by the fact that it goes beyond detecting anomalies in the network behavior and generating alerts for the customer to sift through.  MDR providers perform threat hunting and full investigation of potential security incidents in their customers’ environment.

Once an event has been confirmed as an actual security incident – not a false positive detection – the MDR provider will take action to help the customer remediate the issue.  This can include providing the information gleaned from the incident investigation and recommendations for how to address the issue or full support for remote incident response.

Benefits of MDR

MDR enables an organization to take advantage of comprehensive security monitoring provided by a team of experts in the field.  This allows an organization to achieve a higher level of security than may be possible to attain or maintain in-house.

Additionally, MDR also provides a number of unique benefits that may not be available with other outsourced security options.  These include access to cybersecurity expertise, full-service alert and incident management, and the ability to implement strong cybersecurity at a lower price than a fully in-house deployment.

Access to Cybersecurity Expertise

Currently, the cybersecurity industry is suffering a major skills gap, with over four million skilled positions left unfilled globally.  This skills shortage means that many organizations struggle to attract the cybersecurity personnel that they need, and retaining skilled personnel can be difficult or expensive.  This is especially true of highly-skilled or specialized roles such as malware analysts or digital forensics investigators.

MDR helps to solve this problem by supplementing an organization’s internal security staff with external professionals.  Beyond the ability to scale out their SOC team, an organization also gains access to a number of skilled and specialized cybersecurity personnel.

This access can be critical during a cybersecurity incident, when a rapid response is vital to minimizing the cost and impact of the incident.  As part of a contract with an MDR provider, an organization has a fully-staffed incident response team on retainer and ready to immediately respond to a potential incident.

Alert Analysis, Investigation, and Remediation

Many organizations’ SOCs are overwhelmed by alerts from their security infrastructure with many SOCs averaging tens of thousands of alerts per day.  This massive volume of alerts can mean that SOC analysts overlook or ignore alerts indicating true security incidents while investigating false positives.

The services offered by an MDR provider include alert triage and investigation.  This means that, instead of providing a feed of alerts for an internal SOC to sift through, the MDR provider performs the investigations and eliminates false positives.

The internal SOC analysts only receive information related to events that have been confirmed to be actual security incidents.  In addition to alert data, these analysts also have access to the results of the MDR provider’s investigations, recommendations for how to respond to the incident, and the ability to ask questions of the MDR provider’s human analysts.

Cost-Sharing for Cybersecurity Tools

As organizations’ attack surfaces expand and the cybersecurity threat landscape evolves, it is necessary to deploy a number of different security solutions in order to provide complete protection against potential cyber threats.  With the cost of physical appliances, licenses, and other operating costs, an organization may not have the budget and resources required to deploy and maintain their own cybersecurity infrastructure.

An MDR provider installs its own preferred cybersecurity solutions within a customer environment.  This means that some of the costs of the provider’s tools are distributed across its entire customer base.  This enables an organization to deploy the level of cybersecurity protections that it requires with a lower cost than purchasing, deploying, and maintaining these tools internally.

Who Needs MDR?

Cybersecurity is an important component of any organization’s ability to serve its customers.  However, the decision to outsource some or all of the organization’s security processes can be a difficult one to make.

In general, organizations are increasingly moving toward outsourcing some security functionality.  For certain organizations, partnering with an MDR provider is the best or only way to achieve the level of security that they require.

Inadequate Security Staff

Many organizations must process tens of thousands of security events each day with limited security staff.  This means that these organizations often are forced to ignore a high percentage of security alerts due to alert overload.

For organizations without the security staff or specialized expertise required to properly secure their environments, MDR is a good option for filling the gaps.  An MDR provider not only provides outsourced SOC functionality, such as triaging and investigating alerts, but also offers incident response and access to cybersecurity professionals that can answer questions or provide advice and recommendations regarding any aspect of an organization’s cybersecurity deployment.

Limited Security Infrastructure

Designing and implementing a security deployment can be a complex process.  Important considerations include the details of the organization’s attack surface, any regulatory compliance requirements, and the types of threats that the organization is most likely to face.  Based on this information, an organization can design and implement a security infrastructure.

MDR providers can help an organization to rapidly achieve the needed level of security.  An MDR provider has an existing investment in cybersecurity solutions that address the cyber threats that organizations are most likely to face and experience in deploying these solutions in a wide range of customer environments.

Once the organization’s security infrastructure is in place, the MDR provider performs continuous monitoring of the deployed tools.  This ensures that an organization does not experience a steep learning curve and can immediately take full advantage of its new cybersecurity infrastructure.

Strict Regulatory Environments

In recent years a number of data privacy laws have been passed and gone into effect, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).  These, along with existing regulations such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA), require organizations to secure the customer data entrusted to them.

Organizations collecting and processing these types of protected data are a common target of cybercriminals.  In order to minimize the probability of an expensive and damaging data breach, these companies need robust incident detection and response capabilities.

MDR provides an organization with the tools and cybersecurity expertise that it requires to secure the protected data in its possession.  This includes access to an array of cybersecurity solutions deployed, configured, and monitored by the MDR provider and round-the-clock network monitoring and incident response to ensure that potential attacks are shut down before they become a data breach.

MDR vs. MSSP

MDR is not the only type of managed security service available.  Managed Security Services Providers (MSSPs) also provide an organization with the ability to outsource some of their security monitoring.  However, while both types of providers offer outsourced security monitoring, they are very different services.

Visibility and Coverage

MSSPs typically perform monitoring of log files and other data sources selected and provided by their customers.  As a result, their visibility is usually limited to network-level data and to threats collected and detected by security solutions deployed at the network perimeter.

MDR providers deploy their own security solutions in their customers’ network environment.  This includes both network-level detection tools and endpoint detection and response (EDR) solutions.  This provides a much higher level of visibility into the customer environment and provides the context required to differentiate true threats from false positive detections.

Detection of Unknown Threats

In general, MSSPs are primarily focused on identifying known cybersecurity threats and malware variants.  They rely on information from cybersecurity tools that perform signature-based detection and, possibly, anomaly detection or machine learning.  As a result, they can be blind to zero-day and unknown threats.

MDR providers, on the other hand, provide more in-depth threat detection capabilities.  Since these providers offer threat hunting capabilities, backed by their own choice of cybersecurity technology, they have a deeper view into the internals of a customer network.  This means that they are not limited to identifying the threats caught by the organization’s cybersecurity infrastructure and can examine other data sources for indications of threats that entered the network undetected.

Continuous Monitoring

Continuous monitoring of an organization’s network is essential to protecting against cyber threats and ensuring rapid response to a potential security incident.  The global nature of the Internet and cybercriminals’ desire to maximize the effectiveness of their attacks means that security incidents will not always occur during business hours when the organization’s internal SOC is fully staffed and ready to respond.

An MDR provider will provide 24/7 monitoring as part of its service, including continuous access to an incident response team that can help with remote remediation of a cybersecurity incident.  Not all MSSPs provide round-the-clock monitoring, and incident response is not part of their service, which can create delays in remediating a security incident.

The “Human Touch”

The “human touch”, where a customer has direct access to human experts at their managed security provider, is an extremely valuable asset.  Cybersecurity can be complex: a simple misconfiguration could enable an incident, and remediation of a cybersecurity incident requires in-depth knowledge of the systems and threats involved.

When working with an MSSP, an organization primarily interacts with their service provider via dashboards, portals, and email.  Since the MSSP likely does not provide investigation of the alerts that they receive, they are unlikely to have the level of context and understanding required to answer in-depth questions about responding to and remediating an incident.

An MDR provider, on the other hand, typically will interact directly with the customer.  When an organization has a question related to its security infrastructure, they can speak to a human expert for guidance.  During a cybersecurity incident, the MDR provider will be working alongside its customer to correct the issue.  This greater degree of direct interaction means that an organization is less likely to experience a security incident in the first place and will be able to remediate it more quickly and effectively if one occurs.

Why is MDR Necessary?

The cybersecurity threat landscape is rapidly evolving, and organizations’ attack surfaces are expanding to include new technologies such as mobile and Internet of Things (IoT) devices and cloud computing.  The resulting complexity makes it difficult for organizations to adequately secure their systems against cyber threats with the limited cybersecurity talent that they can attract and retain in-house.

MDR enables an organization to scale their cybersecurity deployment and staff levels to meet its security needs.  An MDR provider deploys and manages its chosen security stack within a customer environment, enabling it to achieve comprehensive visibility and perform threat hunting.  Additionally, an MDR provider performs full investigation of alerts before presenting them to the customer, eliminating the burden of false positive detections, and offers support for rapidly and effectively remediating incidents.

As cybersecurity threats become more numerous and sophisticated, attempting to manage security in-house or through an MSSP is increasingly unscalable and ineffective.  An MDR provider gives an organization access to the tools and expertise required to protect itself against cyber threats.

Why Clearnetwork?

When selecting an MDR provider, it is essential to pick one capable of fully protecting your organization against cyber threats.  Clearnetwork provides 24/7 security monitoring for both on-premises and cloud-based infrastructure with security solutions that can be deployed in less than an hour.  With proactive vulnerability assessments and the ability to perform direct incident response via several remotely-managed security products, we minimize the exposure of your organization to cyber threats and the impact and cost of a security incident to the organization.