Tech Perspectives

The Emergence of Managed Detection & Response (MDR)

A new subset of security services and providers has emerged to provide managed detection and response (MDR). Define and explore MDR with IDC's Martha Vazquez.

Organizations are in a constant state of flux, continually implementing changes in their IT environments; the COVID-19 pandemic has only intensified this as the number of remote workers grows. Rapidly rolling out new technologies has become crucial for businesses to keep operating in hard times while also maintaining a secure infrastructure.

Staying ahead of threats while implementing emerging IT technologies has not gotten any easier. Attackers and adversaries are confident they can quickly take advantage of an organization's lack of security skills and shortage of security professionals, exploiting the gaps left behind when vital security protections are not properly set up. These weaknesses give cybercriminals an edge. Cybercriminals regularly use poorly defended IT systems to access confidential data, pushing CISOs to better understand and protect against the organization's rising risk level due to the expanded attack surface.

The ability to keep all assets safe and secure as the threat landscape evolves remains a top challenge. Organizations are continually turning to security service providers to help manage and secure their disparate systems. IDC's 2019 U.S. MSS Survey identifies the top five reasons an organization turns to a Managed Security Service Provider (MSSP):

  • Need to protect against advanced security threats
  • Need for 24X7 support
  • Improve performance and availability
  • Access to new emerging security technologies
  • Need to maintain compliance regulations

MSSPs can respond to many attacks that are occurring across a network, but with the number of sophisticated cyberattacks on the rise, security service providers have been forced to move up the stack by providing enhanced functionality. As a result, a new subset of security services and providers has emerged to provide managed detection and response (MDR) services.

MDR has become the latest buzzword in the security space. Many MSSPs have responded to the demand for MDR services by adding their own MDR offering. IDC's research perspective MDR: The Next Generation of Managed Security Services defines in depth the core capabilities and technologies that go into an MDR service.

Understanding MDR

According to an IDC US MDR survey, organizations are looking for MDR services to assist with:

  • Faster detection of intrusion
  • Providing consistent threat management across on-premises and cloud domains
  • Access to threat intelligence
  • Accelerate the time to detect security breaches through proactive threat hunting
  • Providing incident response capabilities

IDC believes that MDR services need to include several core components to help customers in improving their security posture and enabling them to respond quickly and effectively to sophisticated threats. IDC’s recent survey work around MDR shows that 64% of organizations stated that MDR will help them gain faster detection of intrusion.

To stay effective against the influx of attacks, security service providers need to keep up with the modern needs of an organization by providing the advanced security services and technologies that make up MDR. Organizations are no longer looking for a traditional service provider that simply provides basic management of security products along with management of policies and rule sets.

Today the market has shifted beyond basic protection against and detection of threats, toward offering rapid response and/or remediation that is tailored to an organization's needs.

IDC also found that 41.4% of organizations stated that it can take their provider 6 to 24 hours to detect an incident or breach. From a containment perspective, 41.4% stated that it can take 1 to 7 days to contain the incident, with 41.7% stating the same for remediation. Organizations need to partner with providers that can help them become more effective, reduce the number of false positives, and focus their resources on the real attacks that need attention.

Effective MDR services should deliver better security outcomes by providing tools and technologies such as threat intelligence, threat hunting, 24X7 consistent monitoring, advanced analytics, and containment and removal of incidents or breaches where data is suspected or known to have been exfiltrated or destroyed. IDC believes that an MDR offering should go beyond offering guidance and recommendations.

Lots of Players in MDR

CISOs recognize that traditional security services such as managed firewalls/UTM, IPS, VPNs, antivirus and vulnerability management services by themselves are not going to keep the bad guys out. There is nothing wrong with traditional perimeter-focused cyber defense capabilities, but service providers are coming to recognize that an active perimeter defense capability needs to be matched with an orchestrated response capability for the attacks that get through.

IDC recognizes that many MSSPs are offering MDR services, while at the same time some firms are separating themselves in the market from traditional MSSPs by focusing only on their own MDR service offerings. In fact, in the last 2-3 years, IDC has seen an upsurge of newer technologies and services that combine advanced functionality being offered by various service providers. Today, many security service providers have either partnered or developed their own capabilities to offer MDR. The additional capabilities, and the buzzword-loaded offerings that various service providers attach to them, need to be carefully scrutinized to make sure that they truly offer a major uplift in cybersecurity maturity for their current and potential clients.

IDC found in a 2019 U.S. MSS survey that when looking for an MSSP, organizations consider these four requirements of utmost importance in a forward-thinking MSSP, especially because of the need to respond quickly to advanced threats: 1) strong security credentials and/or reputed security service capabilities, 2) strong analytic and/or cognitive enablement capabilities, 3) strong digital consulting capabilities, and 4) customer centricity, as shown in the chart below.

Partnering with a security service provider that can provide advanced technologies and capabilities can shorten an organization's mean time to detect (MTTD) and mean time to respond (MTTR) by assisting analysts in identifying and triaging the alerts that need immediate attention.
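The survey figures above (6-24 hours to detect, 1-7 days to contain or remediate) and the MTTD/MTTR terms are only useful if a buyer can compute the same numbers from its own incident records and compare them against what a provider promises. The following is an added example, not code from the article or from IDC: it takes a set of constructed, hypothetical incident records (the `SAMPLE_INCIDENTS` values are invented for illustration, not survey data), computes MTTD, mean time to contain and mean time to remediate from the timestamps, and reports what share of incidents fall into the same time buckets the survey quotes, so the two can be read side by side.

```python
"""Compute MTTD / MTTR and survey-style time buckets from incident records.

Added example (not from the IDC article). The incident records below are
constructed for illustration; the bucket edges follow the ranges quoted in
the text (6-24 hours to detect, 1-7 days to contain or remediate).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Iterable

HOUR = timedelta(hours=1)


@dataclass(frozen=True)
class Incident:
    incident_id: str
    first_malicious_activity: datetime  # earliest attacker activity found in forensics
    detected: datetime                  # provider raised the alert / opened the case
    contained: datetime                 # attacker access cut off (host isolated, creds reset)
    remediated: datetime                # root cause fixed and systems restored

    def time_to_detect(self) -> timedelta:
        # Dwell time: how long the attacker was active before anyone noticed.
        return self.detected - self.first_malicious_activity

    def time_to_contain(self) -> timedelta:
        # Measured from detection, matching how the survey asks about containment.
        return self.contained - self.detected

    def time_to_remediate(self) -> timedelta:
        return self.remediated - self.detected


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data: hypothetical incidents, not survey data.
SAMPLE_INCIDENTS = [
    Incident("INC-1", _ts("2020-03-02T01:00"), _ts("2020-03-02T09:30"),
             _ts("2020-03-03T12:00"), _ts("2020-03-05T09:00")),
    Incident("INC-2", _ts("2020-03-10T22:15"), _ts("2020-03-10T23:00"),
             _ts("2020-03-11T02:00"), _ts("2020-03-11T18:00")),
    Incident("INC-3", _ts("2020-03-15T04:00"), _ts("2020-03-16T20:00"),
             _ts("2020-03-20T20:00"), _ts("2020-04-01T09:00")),
    Incident("INC-4", _ts("2020-03-20T13:00"), _ts("2020-03-20T19:30"),
             _ts("2020-03-22T19:30"), _ts("2020-03-24T19:30")),
]


def mean_hours(durations: Iterable[timedelta]) -> float:
    """Arithmetic mean of a set of durations, expressed in hours."""
    return mean(d / HOUR for d in durations)


def metrics(incidents: Iterable[Incident]) -> dict:
    """MTTD, mean time to contain and mean time to remediate, all in hours."""
    incidents = list(incidents)
    return {
        "mttd_hours": mean_hours(i.time_to_detect() for i in incidents),
        "mttc_hours": mean_hours(i.time_to_contain() for i in incidents),
        "mttr_hours": mean_hours(i.time_to_remediate() for i in incidents),
    }


def share_in_bucket(durations: Iterable[timedelta], low: timedelta, high: timedelta) -> float:
    """Fraction of durations with low <= d < high (half-open so adjacent buckets tile)."""
    ds = list(durations)
    return sum(1 for d in ds if low <= d < high) / len(ds)


def survey_comparison(incidents: Iterable[Incident]) -> dict:
    """Share of incidents landing in the same buckets the survey quotes."""
    incidents = list(incidents)
    return {
        "detected_in_6_to_24h": share_in_bucket(
            (i.time_to_detect() for i in incidents), timedelta(hours=6), timedelta(hours=24)),
        "contained_in_1_to_7d": share_in_bucket(
            (i.time_to_contain() for i in incidents), timedelta(days=1), timedelta(days=7)),
        "remediated_in_1_to_7d": share_in_bucket(
            (i.time_to_remediate() for i in incidents), timedelta(days=1), timedelta(days=7)),
    }


if __name__ == "__main__":
    for name, value in metrics(SAMPLE_INCIDENTS).items():
        print(f"{name}: {value:.1f}")
    for name, value in survey_comparison(SAMPLE_INCIDENTS).items():
        print(f"{name}: {value:.0%}")
```

Detection time is measured from the earliest evidence of attacker activity, which is only known after forensics, so MTTD for a live quarter is always a lower bound that grows as investigations close; containment and remediation are measured from the detection timestamp so they line up with how the survey phrased those questions.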

Every organization's security program operates at a different maturity level, so it is important that buyers carefully match their needs with what the various service providers can offer to help them reach their desired security posture.

Learn more about IDC’s definition of the MDR market; read “MDR: The Next Generation of Managed Security Services.”

Craig Robinson, Program Director for Security Services, also contributed to this piece.
Martha Vazquez

Senior Research Analyst, Infrastructure Services