About MDR Security

Why Modern Security Teams Choose MDR

Managed Detection and Response (MDR) offers enterprises the technology and expertise they need to stop threats that have bypassed other security controls. Learn how secure MDR provides value far beyond closing your IT security skills gaps.

MSSP vs. MDR Buyer's Guide Learn about Red Canary MDR

A tiny market with big potential

While the MDR market is fairly new and market penetration is in its infancy, interest in MDR is incredibly strong, as indicated by the EMA research data shared below. Access the full EMA report here.

10%

estimated current market penetration

94%

of organizations are evaluating MDR services

79%

of organizations are considering adopting MDR services in the near term

 

What is MDR?

MDR security services are designed to quickly detect threats and improve an organization’s response once compromises have been found. The solutions deliver an operational capability to organizations that often lack the resources to build it themselves. Think of MDR as the combination of technology, processes, and expertise that effectively extend your security team so you can scale and refine your security operations.

The best MDR offerings closely integrate into an organization’s security team, continually learn about the environment, and use that information to support investigations and threat hunting. The end result is that MDR users have a team of experts who are continually monitoring and searching through their environment to quickly detect threats and strengthen response.

Commonly held beliefs by organizations using MDR:

  • Satisfying compliance requirements is no longer enough and additional security investments must be made to reduce risk.
  • Prevention will fail. No matter how many products are put in place, attackers will always find a way in.
  • Visibility, monitoring, detection, and response is the only way to reliably identify attackers within an environment.
  • Detection and response is a capability, not a product. The capability requires equal parts technology, process, and expertise.
  • Building an internal detection and response capability will be burdensome and there are new advanced services delivering a true capability that can be trusted to help secure an environment.
  • Organizations using MDR might have a SOC with dedicated threat hunters who want a second set of eyes watching their environment. Or, they might have a lean security team managing day-to-day security operations with no extra time to build a full detection and response capability.

All are investing in MDR to accomplish one goal: quickly identify new threats and limit an attacker’s dwell time within an environment.

Technology

A unique data analytics platform that evaluates an organization’s activity using multiple detection technologies and techniques

Expertise

Highly technical security analysts and threat hunters capable of conducting in-depth investigations, malware analysis, and threat research

Process

A well-refined process that relies on data science, efficient security operations, and incident response best practices

MSSP vs. MDR

As organizations consider MDR it is important that they understand key differences when compared against the traditional outsourcing option of MSSPs. Many organizations that are predisposed to pass over MSSP detection and response offerings will find that MDR can help them fill gaps within their internal capabilities.

Think of MSSPs as the general practitioners and MDR security providers as the specialists. While MSSPs typically offer a broader swatch of services, MDR providers are laser-focused specifically on improving an organization’s advanced threat detection, investigation, and response.

Take a look at the comparison chart below, and get answers to 8 common questions in our full guide comparing MSSPs and MDR.

CapabilitiesMSSPMDR
Capabilities:
Collection, Detection, and Response Platform
MSSP:

Perimeter technology; signature/rule-based detection to identify threats

MDR:

Inspection across endpoints and networks; behavioral analysis and machine learning to detect threatening behaviors

Capabilities:
Triage, Investigation, and Response
MSSP:

Focused on meeting SLAs by quickly performing cursory triage that often results in high false positives

MDR:

Designed to investigate and confirm threats at Tier 1 and Tier 2 levels and provide a more complete understanding of incidents

Capabilities:
Role in Internal Security Program
MSSP:

Meant to supplant basic internal security functions

MDR:

Augments and enhances an existing security program with advanced technology and highly specialized analysts, threat hunters, and incident responders

Capabilities:
Integration Across Security Program
MSSP:

Technology frequently lacks integration points with internal tools

MDR:

Usually designed to plug into organization’s SIEM, workflow, and SecOp tools. Some include additional data source ingestion options

Capabilities:
Threats Detected
MSSP:

Known vulnerabilities, known malware, and common, high-volume attacks

MDR:

Malware, targeted attacks, zero-days, and insider threats

Capabilities:
Staff Specialization
MSSP:

Basic log management, monitoring, investigation via playbook or script

MDR:

Advanced malware analysis, threat hunting, forensics, incident response, data science and security analytics, and security breach

Selecting a provider

Organizations of all sizes across all industries are enlisting MDR solutions to support their detection and response efforts. These organizations recognize their existing security program stops a percentage of threats but can never realistically stop every threat.

Those interested in adopting MDR services have a couple of choices in the types of services they can adopt. Although managed endpoint detection and response (EDR) comes to mind most often when thinking about MDR services, other options exist. Prospects can also elect to procure a managed SIEM service or a combination of both managed EDR and SIEM.

 

Calculating ROI

Once a service provider is selected, the process of onboarding customers and establishing the rules of engagement can take anywhere from less than a day to up to three months, depending on how extensive the service offering is, how much if any integration is required with the customer’s existing security infrastructure, and other considerations. For direct Red Canary customers, the median time to complete onboarding tasks is 30 days. A longer training helps us solidify the partnership and ensure our customers feel confident and comfortable with the tools and processes in place.

Whatever the cost concerns some organizations have around contracting with MDR services providers, there is no doubt that users are seeing results in the drive toward more quickly discovering and vanquishing advanced threats already operating within organizations’ networks and infrastructure.

As a result of MDR services, organizations were able to significantly reduce mean time to resolution (MTTR) of attacks. The largest percentage of MDR users (35%) saw an MTTR reduction between 25% and 49%.