
2021 Gartner® Market Guide for MDR Services: Behind the research

The 2021 Gartner Market Guide for Managed Detection and Response Services can help you better understand the capabilities, tactics, and providers within the MDR market.

Alex Spiliotes

Managed detection and response (MDR) is an increasingly attractive solution for IT and security professionals, but don’t take our word for it. According to Gartner, “By 2025, 50% of organizations will be using MDR services for threat monitoring, detection and response functions that offer threat containment and mitigation capabilities.” Gartner also notes that it observed a 35% increase in inquiries about MDR from IT and security practitioners over the last year.

This growth in demand for MDR services has not been lost on technology vendors: Gartner calls out that there are well over 100 providers of MDR as of 2021. It’s not feasible for customers to evaluate even a quarter of the providers in the market, so you can use this Market Guide to make the landscape easier to understand. Let’s dive into the research.

What is MDR?

Gartner defines MDR services as, “remotely-delivered modern security operations center capabilities focused on quickly detecting, investigating and actively mitigating incidents.” The definition is straightforward, but it’s helpful to think about what MDR services are not: slow detection and investigation capabilities accompanied by few mitigation measures. That opposite of MDR sounds a lot like what frustrates end users about traditional managed security services. Gartner rightly identifies improved speed of detection and response as a critical component of MDR services.

What are the core components of an MDR service?

Gartner notes, “The MDR services market is composed of providers delivering 24/7 threat monitoring, detection and response outcomes.” Critically, as indicated in the graphic below, threat hunting informs an MDR provider’s investigation process: behind the scenes, MDR providers should be creating detections informed by hypothesis testing, threat intelligence, behavioral analysis, known indicators of compromise, and their security expertise.

Where is the MDR market going?

Options for cloud security, MDR for more mature organizations, and validation and testing are among the capabilities driving the evolution of the MDR market, as cited in the Market Guide. These features of MDR services reflect the desire of customers of all sizes for improved security outcomes across a broadening threat landscape, as well as a means of keeping vendors accountable. Given the number of new entrants to the market, customers will benefit from validation, testing, and other proof points that confirm a prospective MDR provider can deliver the results it promises.

How can customers set themselves up for MDR success?

Gartner cites as one of its key findings that, “Many customers fail with their threat monitoring, detection and response initiatives because of the focus on wide-scale collection of data and generic security monitoring. Instead, they should be focusing on risks and outcomes that will directly impact their business objectives.” At Red Canary, we agree and believe that true MDR delivers improved security outcomes to customers. Customers should determine what they hope to gain from engaging an MDR provider, but critically, the MDR provider must be able to cite outcomes—improvements in their customers’ mean-time-to-detect and mean-time-to-respond, increase in detection coverage relative to the customer’s earlier state, the provider’s false positive and false negative rate, and more—to demonstrate its value.

1. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Red Canary.
2. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.
3. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
4. Gartner, Market Guide for Managed Detection and Response Services, by Pete Shoard, Craig Lawson et al., 25 October 2021
