If anyone knows the Managed Detection and Response (MDR) market, it’s Jeff Pollard. As VP and Principal Analyst at Forrester, he’s been researching MDR since it first hit the security scene in 2015. Back then, people were still trying to understand what MDR is and how it differs from the long-standing Managed Security Services (MSS) model.
As the market has evolved, Jeff has worked with security leaders to answer increasingly complex questions. That was some of the impetus behind The Forrester Wave™: Managed Detection And Response, an in-depth research report to help security teams find the right MDR provider for their needs. The research ran through the latter half of 2020 and was revealed earlier this year.
We sat down with Jeff to discuss key findings and takeaways from the report. What do the most sophisticated CISOs look for in an MDR partner? What common traits do the best MDR vendors share? Which evaluation criteria matter most, and why? Find out in the following highlights from Jeff’s conversation with Keith McCammon, Red Canary Chief Security Officer and Co-Founder.
How should CISOs think about working with MDR vendors?
CISOs have a lot of questions about MDR. Some of the most common are what to look for in an MDR vendor, how to measure success, how to better utilize the rich data EDR tools provide, and how to maximize their investments. Inevitably, when conversations turn to threat hunting, a common concern arises: teams are already stretched incredibly thin, and the prospect of more alerts is daunting, to say the least.
Jeff explained, “Whenever I talk to security leaders or their teams, one of the undercurrents is something along the lines of ‘My team is already underwater. If I ask them to go out and find more alerts other than the ones they already have, they’re all going to quit. I can’t ask them to do more; we already have alert fatigue.’”
Indeed, since MDR’s emergence, the discussion surrounding alerts has been a recurring theme. A common complaint about MSSPs is that they are an alert factory. Making the distinction between someone who does basic triage and kicks things over the fence—as opposed to working incidents in tandem—has been a key point in understanding the difference between MDR and MSSP.
Jeff equates it to a scenario he sees at home with his own children. “MSSPs that send alerts are like kids who tattle on each other. Don’t you want someone who will solve the problem instead of just telling you there is one? It’s a more mature approach, and that’s what we wanted to find in our top MDR vendors.”
Marks of a winner: What makes an MDR vendor stand out?
Waves are an intense evaluation process for the analysts conducting them and the vendors who participate. Forrester began with a pool of 87 vendors and narrowed it down to just 15 top MDR providers, including Red Canary.
The top 3 marks of a standout MDR vendor are:
- Excellent threat hunting capabilities. Threat hunting can be a controversial topic in the security industry. (“I don’t think that means what you think it means.”) Vendors in the wave were able to clearly articulate their threat hunting capabilities and the expertise behind it. They had a strong perspective on what threat hunting means and how they conduct it.
- Articulation of threat intel lifecycle. The top vendors could articulate the pipeline and continuous process of applying threat intelligence to hunting, machine learning, artificial intelligence, and analytics. They had a deep understanding of the lifecycle and how they could generate and discover threat intel, use it to fuel hunting, and then turn the best of those hunts into analytics.
- Sophisticated client references. Each vendor in the wave provided more than a dozen client references for Jeff and his team to interview. The discussions demonstrated a level of client sophistication that surpassed anything Jeff had ever experienced.
Jeff remarked, “We had conversations on things like the limitations of EDR on Mac devices and how Apple’s changes to the OS had limited what organizations and vendors could do, and what the right workflow is for IR and artifacts. They were fascinating deep dives about what these clients wanted and expected from their vendors; they could have gone on for hours.”
Key takeaways about MDR providers
The strongest MDR vendors use a “squad model” as a way for clients to get a highly customized delivery experience. This approach incorporates a team of analysts, responders, and customer support specialists who work within an assigned vertical or geography. Rather than going into a queue system of triage, customers work with people who understand their environment and have expertise in given areas, whether that is threat intel, network forensics, or endpoint.
Why it matters: Customers appreciated the ability to swap out team members during the early stages of the engagement to get the right fit for their environment.
Detection is their superpower
One thing was abundantly clear: detection is what people want most from an MDR vendor. End users want to work with someone who is better at detecting things than they are. That doesn’t just mean being able to retroactively find things based on a set of EDR alerts, but having the ability to proactively detect things, whether there is an indicator for it or not.
Why it matters: Customers were happiest when they used vendors that could easily scale detection, customize alerts, and offer response actions intimately tailored to their environment.
Unlike the previous MSSP model, MDR is much more about the skills and capabilities an MDR vendor has and how well those line up with your organization. It’s augmentation rather than outsourcing. MDR providers must integrate with the existing security technology stack, specialize in specific types of detection and response activity, and work as a complementary force to the existing security team.
Why it matters: Many organizations wanted to work with skilled practitioners precisely because they were already skilled themselves. Customers should define their own success criteria up front and select providers that can meet them.
The 15 providers that matter most and how they stack up
Red Canary was one of the 15 vendors that made the cut, and one of four to be recognized as a “leader.” Forrester ranked each vendor based on the strength of their current offering, strategy, and market presence.
Vendors were scored based on the following set of criteria:
- Threat hunting
- Threat intelligence
- User interface
- MITRE ATT&CK framework mapping and use
- Managed detection
- Managed response
- XDR collection, correlation, and APIs
- Automation and orchestration
- System criticality
MDR customer priorities: What matters most?
The same things don’t matter to everyone. For instance, some large enterprises will never look at the user interface because they have their own. Although everyone has their own evaluation criteria, the customers Jeff spoke to ranked the following priorities in order of importance:
- Detects more suspicious/malicious behavior than we could detect on our own
- Provides expertise on attacker activities and behaviors
- Assists us in making more accurate decisions about suspicious/malicious activity
- Helps us identify root causes and take steps to harden and prevent future activity
- Accelerates our response activities
- Allows us to become proactive rather than reactive
When assessing these priorities, a recurring theme once again emerges: MDR is not just about finding things, but also about being a partner who uses that information to help security teams improve and make the organization more mature.
Jeff summarized, “It’s not just about handing alerts to someone; it’s about finding ways to make them better in the moment and over the long term if you’re doing a good job at MDR.”
Riding The Forrester Wave
The Forrester Wave is a helpful tool for anyone researching MDR providers and the MDR market—especially security teams who want to find the right MDR partner for their needs. In this in-depth research, Forrester provides an unbiased look at the top 15 MDR vendors and evaluates the strength of their current offering, strategy, and market presence. Download a complimentary copy of the report today.