Managed Detection and Response - Definition & Overview

As organizations expand their IT infrastructure, they deploy and increasing number of network endpoints such as laptops, desktops, and mobile devices. They may also develop a hybridized cloud environment where they deploy a suite of applications that support business functions. While each of these deployments helps to expand and solidify the organization's IT infrastructure, each presents a potential security vulnerability and a possible entry point for cyber attacks.

Managed Detection and Response (MDR), sometimes abbreviated MDR, is an outsourced security service that helps organizations detect malicious network activity (network intrusions, malware attacks, attempted data theft, etc.) and quickly respond to eliminate the threat. MDR service providers facilitate threat detection by deploying their own tools and technologies onto the customer organization's IT infrastructure, then managing and monitoring those tools.

Although Managed Detection and Response depends on the use of software tools to assist in the process of aggregating event logs and detecting potential Indicators of Compromise (IoC), service providers typically employ security analysts around the clock to provide 24/7 live monitoring of your network security posture. The combination of computerized and human monitoring provides excellent coverage and detection of security threats in real-time.

Managed detection and response is a relatively new model for organizations that wish to augment their in-house cyber security capabilities or fill gaps in their existing security coverage.

Streamlined Deployment - Service providers in the MDR market have extensive experience in deploying their services for customers, including the capability to quickly customize a solution that meets your organization's needs. Deploying your own threat detection and response capability can take significantly longer because of the requirements to purchase or license software tools, set up and configure them, create processes and procedures for monitoring and train staff.

Reduced Up-front Expenses - Managed Detection and Response service providers typically provide their own industry-leading tools and technologies that are deployed on the customer's server. Rather than paying to license all of these expensive tools (and spending time and money to customize each tool and train staff to operate them), the customer pays a single subscription fee to their service provider to provide and operate the technology needed to facilitate MDR.

Access to Experts - A survey conducted by Enterprise Strategy Group asked 620 respondents to identify areas where their organization faced a problematic shortage of skills. The most common response, given by 51% of respondents, was in the area of cyber security. With a skill shortage in cyber security, organizations are increasingly relying on Managed Detection and Response vendors as a means of accessing the required security expertise to protect them from threats.

Information Security Certification - For low or medium-maturity IT organizations, compliance with leading information security certifications such as ISO/IEC 27001 may simply be out of reach. A Managed Detection and Response service provider with an information security certification is a valued strategic partner who has demonstrated their commitment and capability to protect the privacy and security of your data.

Security Coverage - Managed Detection and Response has been rapidly increasing in popular since 2017, as organizations moved further away from prevention-focused approaches to enterprise security and placed greater emphasis on threat detection and response. IT organizations increasingly realized that prevention-only security solutions could reduce the number of incidents, but did little to mitigate the impact of an existing known security event. MDR helps organizations boost their security coverage, providing detection and response capabilities that complement proactive tools for preventing cyber attacks.

What is the difference between Managed Detection and Response vs Managed SIEM? Which option should your business invest in, or do you need both? Which one should you deploy first?

Managed Detection and Response is a proactive service that searches your IT infrastructure for evidence of advanced threats using tools such as SIEM, endpoint protection and network monitoring. Combining these tools means that security analysts get fewer security alerts compared to using just a SIEM, but the detected threats are likely to be more dangerous and false positives are less probable.

Managed SIEM is a more machine-driven and reactive service compared to Managed Detection and Response. Managed SIEM depends on a SIEM software tool that has been configured with correlation rules to detect threats. The tool collects and aggregates logs, analyzes them, and creates an alert when a correlation rule is triggered. Once an alert is created, it can be investigated by a live security analyst.

There are also Managed Security Service Providers (MSSPs) that offer a suite of security services, including threat detection and response, endpoint security, perimeter and email security, vulnerability management and customer service.

MDR is sometimes characterized as offering a sub-set of the services that MSSPs offer. MSSPs do offer the most comprehensive set of security solutions, but they may be focused on security operations, compliance and security monitoring functions with some threat detection while MDR services are designed to detect and investigate threats, initiate a response, contain the threat as quickly as possible and proactively discover threats to the network.

IT organizations should carefully compare MDR, Managed SIEM and MSSP products before purchasing to develop a specific understanding of which services are offered and to ensure that the chosen solution fills gaps in the organization's existing SecOps capabilities. IT organizations should deploy a Managed SIEM first before augmenting it with an MDR solution that incorporates endpoint protection and proactive monitoring.

IT organizations that wish to secure their cloud-based systems adopt a suite of security tools, including firewalls, intrusion detection and intrusion prevention systems, endpoint detection and response, user behavior analytics, SEM, SIM and SIEM tools, and more. CISOs and security managers face significant challenge in managing these tools effectively as they continue to adopt new solutions that fill gaps in the organization's security posture.

Sumo Logic offers a single integrated platform where IT organizations can aggregate log data from all IT assets on the network, including the full range of available enterprise security tools.