When evaluating managed cybersecurity solutions, you’ll likely come across one primary consideration: Managed Detection and Response (MDR) vs. Managed Security Service Providers (MSSP). It’s important to understand the key functionality and differences between MDR providers and MSSPs to make the best security decision for your organization.
What is a Managed Security Service Provider (MSSP)?
Managed Security Service Providers grew out of internet service providers (ISPs) and monitor customers’ network and information security. MSSPs provide 8×5 or 24×7 monitoring and management of intrusion detection systems and firewalls, oversee patch management and upgrades, and perform security assessments and security audits.
According to Forrester’s November 2021 report, Understanding Today’s Security Services: MSS, MDR, and SOCaaS, “MSSPs that focused on network telemetry and infrastructure log data saw a massive market opportunity to leap forward with service delivery by managing EDR software…as managed detection and response (MDR) demand exploded, another flavor of service emerged…”
What is Managed Detection and Response (MDR)?
Managed detection and response (MDR) solutions provide 24×7 monitoring to identify active threats and quickly respond, whether by investigating, containing, or eliminating them. MDR solutions combine technology with human expertise to monitor the customer’s environment, catch emerging and active threats, and respond accordingly. MDR providers’ solutions include threat hunting, detection, investigation, and remediation.
According to Gartner, “These functions allow organizations to rapidly detect, analyze, investigate, and actively respond through threat mitigation and containment.”
MDR providers and MSSPs seek to address similar customer pain points:
- Take in alerts and help alleviate alert fatigue
- Cover for shortage in staff or skills gap
- Provide tools for security operations leaders to quickly detect and mitigate threats and reduce exposure
However, MSSPs and MDR vendors differ in the methods and models they use to solve these pain points.
An MSSP’s workflow is typically initiated by security information and event management (SIEM) technology, which can be managed by the customer or co-managed with the MSSP. MSSPs monitor the customer’s network security controls and send alerts when an anomaly is detected. Because their primary focus is on firewalls, endpoints, and patching, the customer is still often required to handle incident response, threat intelligence, and remediation themselves.
MSSPs also sell ancillary security solutions, including penetration testing, security awareness training, and MDR. Although MSSPs overlap with some aspects of MDR, an MSSP alone does not work to eliminate threats: the service is focused on prevention, with the response element left up to the customer.
While MSSPs support many different parts of a security program, detecting and responding to advanced threats is not where they specialize.
MDR providers focus on both detection and response. They ingest alerts and telemetry from customers’ endpoints and often from other data sources as well, such as network, email, cloud, or SaaS applications, not just the SIEM. This broader telemetry and deeper analysis allow them to detect threats faster than MSSPs.
MDR providers also offer teams with robust security expertise to help customers who may be experiencing alert fatigue or are struggling to hire security staff with the right skill sets. These security specialists deliver deep visibility that supports faster and more accurate detection, threat hunting, incident response, and other capabilities.
When it comes to response, MDR providers are able to apply customizable playbooks so customers can go from alert to action faster. MDR providers may also offer real-time guidance during incidents and ongoing coaching.
Forrester’s evaluation of MSSPs vs MDR providers is that while MSSPs deliver a broad range of services, MDR providers go more in-depth in protecting organizations from a breach by detecting and responding to threats in their environments.
MSSPs mostly rely on signatures and rule-based detection and frequently miss advanced threats (and increasingly, even basic attack tactics). When incidents are discovered, many MSSP customers are still responsible for managing containment and mitigation or need to pay the provider’s incident response team extra for help. Even then, the MSSP’s staff may not be specifically trained to effectively respond to an incident.
Conversely, MDR services focus specifically on improving an organization’s advanced threat detection, investigation, and response, and are used to augment and enhance internal capabilities. They frequently examine data sets similar to those MSSPs use, such as network logs or endpoint telemetry, but at much greater depth. Additionally, they are specifically built around advanced technologies such as Endpoint Detection and Response (EDR), behavioral analytics, and custom security event management platforms.
Which one is right for you?
The choice depends on your organization and the security outcomes you are looking to achieve. MSSPs offer a greater breadth of offerings and can provide a bird’s-eye view of your security posture, but on their own they do not eliminate threats: the service is focused on prevention, with investigation and response left up to the customer. MDR goes deeper, leveraging the human expertise required to quickly detect, analyze, and respond to threats in your environment.