What is managed detection and response (MDR)?
Managed detection and response (MDR) is a fully-managed, 24/7 service delivered by experts who specialize in detecting and responding to cyberattacks that technology solutions alone cannot prevent. By combining human expertise with protection technologies and advanced machine learning models, MDR analysts can detect, investigate, and neutralize advanced human-led attacks, preventing data breaches and ransomware.
Demand for MDR services is soaring and Gartner predicts that by 2025, half of organizations will be using MDR services.
Why Is MDR Important?
The reality is that technology cannot stop every attack. Today’s well-funded adversaries abuse stolen credentials, security misconfigurations, and legitimate IT tools to bypass defense technologies, and they continually innovate and industrialize their approaches.
The only way to reliably detect and neutralize determined attackers is with 24×7 eyes-on-glass delivered by security operations professionals. Providing this round-the-clock expert coverage is unrealistic for most organizations on their own and, as a result, companies are increasingly turning to specialist Managed Detection Response (MDR) providers for support.
What Do MDR Services Offer?
Each MDR service will vary, however they typically include:
- 24/7 expert-led threat monitoring and response
- Expert-led threat hunting
- Threat Containment: attacks are interrupted, preventing spreading
- Full-scale Incident Response: threats are fully eliminated
- Root Cause Analysis: to prevent future recurrence
- Health checks to ensure strong security posture
- Weekly and monthly reporting
How Do MDR Services Work?
There are six primary steps to the detection and response process:
- Collection - Security telemetry is gathered from across the full IT ecosystem: endpoint, firewall, network, cloud, email, and identity solutions. The more analysts can see, the faster they can respond.
- Threat Detection - Threat intelligence and business context are added to the data to provide a more complete view. Related security events are grouped into clusters for complete and efficient investigation.
- Threat Hunting - Highly-trained analysts proactively detect threats that bypass security products. They look for tactics, techniques, and procedures (TTPs) commonly used by cybercriminals and threats that may bypass various security tools.
- Investigation - Analysts determine the scope and severity of the threat and identify next steps.
- Remediation - Analysts interrupt the attack to prevent it from spreading, removing malware and isolating impacted systems.
- Neutralization - Analysts perform root cause analysis to fully eliminate the attacker and prevent recurrence.
Who uses Managed Detection and Response?
All types of organizations across all sectors use MDR services, from small companies with limited IT resources to large enterprises with an in-house SOC group. The question is really: how do organizations work with MDR services? There are three main MDR response models:
- MDR team completely manages threat response on behalf of the customer
- MDR team works with the in-house team, co-managing threat response
- MDR team alerts the in-house team and provides remediation guidance
Each organization is different and should chose the MDR response model that best meets their needs.
What are the Main Types of MDR Providers?
There are three main types of MDR providers:
- Bring your own technology - These providers collect security information from multiple sources, but they typically only provide alerts, and not action; and they are limited in the depth and speed of their insights.
- Single vendor - The second category are vendors who provide MDR services for their own security products; here the technology tools and MDR service are integrated, but they require a customer to rip and replace their existing cybersecurity tools, and they are limited to actions that can be taken by their own products.
- Fully flexible - Fully flexible providers combine the strengths of both approaches. They can use any combination of your existing security products (removing the need to rip and replace anything) and their own security product (providing deep response capabilities).
What Are the Benefits of MDR?
- Superior cyber defenses - One of the major advantages of using an MDR provider over in-house only security operations programs is elevated protection against ransomware and other advanced cyber threats. With MDR you benefit from the breadth and depth of experience of the provider’s analysts. An MDR vendor will experience a far greater volume and variety of attacks than any individual organization, giving them a level of expertise that is almost impossible to replicate in house.
- Free-up IT capacity - Threat detection and response is time consuming and unpredictable. The urgent nature of the work can prevent teams from focusing on more strategic — and often more interesting — challenges. Working with an MDR service enables you to free up IT capacity to support business-focused initiatives.
- 24/7 peace of mind - An attack can come at any time. Adversaries are most active at the times when your IT team is least likely to be online, such as evenings, weekends, and holiday periods. Consequently, threat detection and response is a round-the-clock task; if you only do it during office hours, you leave your organization exposed. By providing 24/7 coverage, MDR services provide considerable reassurance and peace of mind. For IT teams this means — literally — being able to sleep better at night. They can relax knowing that the buck stops with the MDR provider — not them — and regain their personal time. For senior leaders and customers, 24/7 expert coverage and a high level of cyber readiness at all times provides powerful reassurance that their data and the organization itself are well protected.
- Add expertise, not headcount - Threat detection and response is a highly complex operation. Individuals in this space need to possess a specific and niche set of skills. This rare combination of competencies, exacerbated by a notable skills shortage, makes recruiting threat analyst expertise an uphill — if not impossible — task for many organizations. MDR services provide the expertise for you, enabling organizations to expand their security operations capabilities without expanding their headcount.
- Improve your cybersecurity ROI - Maintaining a 24/7 threat hunting team is expensive. To provide round-the-clock coverage, you need a minimum of five or six cybersecurity staff members working separate shifts. By leveraging economies of scale, MDR services provide a cost-effective way to secure your organization and stretch your cybersecurity budget further.
Plus, by elevating your protection, MDR services also greatly reduce the risk of experiencing a costly data breach and avoid the financial pain of dealing with a major incident. With the average cost of remediating a ransomware attack in mid-sized organizations coming in at $1.4 million in 2021⁶, investing in prevention is a wise financial decision.
By choosing a vendor that integrates with your current security technologies you can increase return on existing investments. Plus, MDR services enables organizations to meet many of the cyber controls that are key to insurability and superior premiums and coverage offerings.
How Does MDR Compare to Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR)?
MDR should not be confused with EDR (endpoint detection and response) and XDR (extended detection and response).
While MDR, EDR, and XDR all support and enable threat detection and response, EDR and XDR are tools that enable analysts to hunt for and investigate potential compromise; MDR is a service where a security vendor’s analysts hunt for, investigate, and neutralize threats on your behalf.
As their names suggest, EDR tools work with telemetry from endpoint protection technology, while XDR tools extend their data sources across a wide IT stack (including firewall, email, cloud, network, identity and mobile security solutions) to provide greater visibility and insights. At Sophos we use industry-leading EDR and XDR solutions when delivering our MDR service.
What's the Difference Between MDR and Security Information and Event Management (SIEM)?
- SIEM is a technology that collects data from security tools that you're already using. The SIEM then aggregates and analyzes this information to identify threat anomalies.
- MDR is a human-led service that combines telemetry analysis with deep threat expertise and investigation and response capabilities.
What's the Difference Between MDR and a Managed Security Services Provider (MSSP)?
MDR providers specialize in threat detection and response. MDR doesn’t do is day-to-day cybersecurity management, such as deploying your security technologies, updating policies, applying patches, or installing updates. Managed security service providers (MSSPs) deliver IT security management services to organizations looking for support in this area.
How to Choose the Right MDR Service Provider
Organizations looking at MDR services should consider:
- What breadth and depth of service does the provider offer? What is their level of threat intelligence and expertise?
- What service models do they provide, and how do they align to your needs?
- How many people do they have delivering the service?
- What experience do they have of your industry sector?
- How do they provide 24/7 coverage? Do they have security operations centers (SOCs) around the world?
- What is their average time to detect and respond to threats?
- What integration do they offer with your existing security investments?
- What do customers say about the service?
- How do they perform in independent assessments?
- Do they offer a breach warranty? If so, how much coverage would your organization actually qualify for?
Sophos MDR Delivers the Best Security Outcomes
Sophos Managed Detection and Response is the world’s leading MDR service. You can use Sophos MDR to protect your computers, servers, networks, cloud workloads, email accounts, and more. To get started with Sophos MDR, please contact us today.
Related security topic: What is endpoint security?