What is Managed Detection and Response?

The Benefits, How it’s Different, How to Choose a Vendor, and More

CyCraft Technology Corp (CyCraft)
18 min read · Aug 9, 2021

Managed detection and response (MDR) is a service that fulfills the needs of organizations that lack the time and resources to be fully capable of identifying risks and detecting, verifying, and responding to threats and/or security incidents.

According to Gartner, a global research and advisory firm, managed detection and response (MDR) vendors provide the following services:

  • 24/7 threat monitoring
  • Advanced analytics
  • Threat intelligence
  • Human expertise in incident investigation and response
  • Detection and lightweight response services to customers leveraging a combination of technologies deployed at the host and network layers

MDR providers could also undertake incident validation, continuous monitoring of all IT assets, threat containment, remediation support, as well as other services; however, at its core, managed detection and response (MDR) services — sometimes referred to as threat monitoring, detection and response — provide customers with modern security operations center (SOC) capabilities to detect, investigate, verify, respond to, and analyze threats.

Wait.

Why did Gartner define “MDR provider” but not “MDR”?
Managed detection and response (MDR) is not a technology; it’s a service.

WHAT DO MANAGED DETECTION AND RESPONSE SERVICES PROVIDE?

Most organizations lack the time and resources to be fully capable of identifying risks and detecting, verifying, and responding to threats and/or security incidents. MDR services provide these organizations a turn-key solution to these problems.

For a time, the mean time to detect (MTTD) a threat was about 200 days — over half a year. However, modern MDR is now capable of detecting and dealing with threats as quickly as a few hours, if not faster.

This is one of many factors that has caused the managed detection and response (MDR) market to have grown significantly over the last few years, and it is projected to continue increasing.

In their 2020 Market Guide for Managed Detection and Response, Gartner predicted that by 2025, 50% of organizations would be using MDR services for threat monitoring, detection and response functions that offer threat containment capabilities.

Each managed detection and response (MDR) vendor offers their own unique set of tools and products to detect and respond to threats. In addition to providing MDR services, many vendors also provide other services, such as threat containment and remediation guidance.

However, before you go into the differences between each vendor, it’s best to understand the similarities between the offerings from managed detection and response vendors, as clever marketing could have you chasing after the same product again and again.

  • Remotely delivered SOC capabilities. This should include access to technologies that focus more on high-fidelity threat detection, investigation, and response than compliance.
  • Threat intelligence. This typically involves a compilation of open-source intelligence, intelligence from the dark web, and proprietary intelligence — be it internally sourced or subscription-based.
  • Humans (Security Experts). Different degrees and methods of automation are implemented into each vendor’s solution; however, humans are still incorporated into the service and are needed to monitor and offer support 24/7. Vendors offer 24/7 support themselves, through a partner, or share the responsibilities with a partner. Either way, customers should expect to have some degree of direct communication with security experts instead of relying solely on portals or dashboards.
  • Automated incident validation and response. As they are typically done with the same technology as MDR, most managed detection and response (MDR) service providers usually offer both remote compromise assessment (CA) and remote incident response (IR) services. You may only need a separate retainer for on-site incident response or compromise assessment.

Later in this article, we will discuss the differences between MDR vendors, how to evaluate MDR vendors, and how to determine which vendor is most suitable for your organization’s needs. First, we need to understand why MDR is important and what its benefits are.

WHAT ARE THE BENEFITS OF MANAGED DETECTION AND RESPONSE?

In 2016, there were 2 million unfilled cybersecurity positions, a number that is expected to rise to 3.5 million by the end of 2021.

Running an effective, fully in-house security operations center (SOC) is a highly complicated endeavor that requires a plethora of tools and roles to fully and confidently execute. SOCs, unfortunately, often prove to underperform and be too resource-intensive for all but the largest organizations.

Yet even for larger organizations and enterprises, running an effective SOC is still fraught with so many communication, visibility, role, resource, cross-departmental, and complexity concerns (in addition to other internal considerations) that many organizations turn to MDR as a single turn-key solution.

“The first time I took the CISO role was at Facebook. I got great support from the executive leadership, an almost unlimited budget, the ability to grow and hire great engineers, and buy technology. But the most surprising thing is that you realize you can’t buy your way to good security. You literally can’t write a blank check and have great security tomorrow. Security requires long-term investment. It requires you to run alongside the development teams and the business teams, understand them, and help them reduce their risks.”

Joe Sullivan, former CSO at Uber and Facebook, now at Cloudflare, a16z podcast, episode 548

MDR focuses on detection, not compliance and not org-wide security protocols.

Much like other outsourced services, managed detection and response service providers offer you access to a team of experts for a discounted and affordable price. Additionally, MDR services typically include a multitude of monitoring, security, and perimeter detection tools — all attempting to detect intrusions as soon as they occur, preventing major damage to the rest of the network.

MDR addresses several key challenges for organizations, including the lack of qualified personnel, sophisticated targeted attacks, ransomware, and complicated endpoint detection and response (EDR) tools.

Organizations in 2021 and beyond will face more and more pressure to increase cybersecurity resilience as more countries and insurance companies take stronger and stricter stances on ransomware attacks. French insurer AXA, for example, announced it would no longer help companies pay for ransomware. On the other side of the globe, the Ransomware Payments Bill 2021 would force Australian enterprises to disclose ransomware payments to the Australian Cyber Security Centre (ACSC).

MDR providers help your organization avoid sophisticated targeted attacks from escalating into business-altering security incidents; traditional managed security service providers (MSSPs) might not be prepared for the degree of sophisticated attacks MDR providers have experienced in the wild. Here are four quick differences between MDR and MSSP.

Yet another benefit of MDR services is that providers often perform all the testing, threat hunting, sandboxing, and remediation for you. If an artifact or malware is detected in your system, you may only need a separate retainer, if not already included in your service, for eradication and remediation services.

There is an ocean of publicly available and/or subscription-based threat intelligence providers out there, not including all the threat intel shared by red and blue teams on social media. Even larger organizations have difficulty keeping their heads above water with list after list of indicators of compromise (IoCs). Yet another benefit of MDR service providers is that they often include up-to-date threat intelligence and perform this updating for you.

WHAT SHOULD YOU KEEP IN MIND WHEN SELECTING A MANAGED DETECTION AND RESPONSE VENDOR?

You need to enhance your organization’s cybersecurity posture. You’ve researched the need for and benefits of managed detection and response (MDR). Now, you’re ready to begin evaluating different MDR vendors and their offerings. Here are six things to keep in mind while going through all the marketing material and buzzwords.

1. What is “response”?

“Response” is currently poorly defined among cybersecurity vendors, as it can include anything from what basically constitutes an alert to be handled by your in-house team, to the full recovery of your systems performed remotely.

Look for response technologies and services that fully perform investigations for you and show you the results within minutes for even the most sophisticated attacks. Make sure that those results are fully connected forensically across the entire organization into one cohesive complete understanding for each and every step of the attack. Also, make sure that a vendor provides a way to fully remediate attacks early on in the attack lifecycle.

2. Artificial Intelligence should alleviate your workload — not add to it.

Be careful of vendors that use AI for non-substantial subsets of tasks that inevitably push the majority of the detection and investigation workload back to your analysts (e.g., “we detected a lot of malicious activity; here is a ticket for each malicious process for you to go through”).

Some solutions will give you a metric of confidence. Ask these providers to explain the difference between their solution’s 70% and 75% malicious ratings. Is this solution offering a sufficient level of automated triage, or is it just throwing the final decision back to the customer?

Ask potential vendors about their data and their ML methodology. Do any models need to be trained on-site, and if so, for how long? Which types of detections tend to produce more false positives? Which types of detections are done without AI? How much of triage and investigation is automated? How often are the models retrained? Also, how robust is the model against noise?

3. Visibility and coverage. Be careful when seeing these words.

All solutions detect, respond, and report back to you, and naturally, each vendor’s technology uniquely analyzes your data. However, how they present this data to you is important. The technology seeing the problem and you, the end user, seeing the problem via the technology are entirely different concepts.

Do visibility and coverage mean giving you access to terabytes of raw telemetry data? Raw telemetry is mostly useful for digital forensics and incident response (DFIR) services and log data compliance — not for detecting and responding to live threats.

On the other side, APT-level attacks (which now include ransomware and supply chain attack campaigns) can go months without detection. Without telemetry-generating security tools coupled with long-term data retention, researchers and responders (DFIR services) won’t have much to work with in a post-breach investigation.

Be sure to have your team that will be using this technology (as opposed to the buyers) evaluate the ease of use, actionability, and thoroughness of the platform dashboard. Is information presented in an actionable way for your team? What is the workflow like? How much friction is there in the UI and UX of the vendor’s platform? Does the platform present that entire attack storyline from initial access into your system or is the storyline segmented into individual processes on individual endpoints?

4. Tools.

If your organization hasn’t had the opportunity or resources to thoroughly develop your cybersecurity posture, you may want to strongly consider providers that offer a more comprehensive technology stack. If your organization already has access to tools, consider a provider offering tools with different utilities than yours. Most importantly, remember that tools from different vendors may not play nicely together and may have trouble integrating with tools or platforms from other vendors. Inquire about this and look into it when researching third-party reviews.

5. Compliance.

Although MDR focuses more on detection than compliance, many MDR vendors do offer services that help organizations meet compliance requirements, such as GDPR and CCA. As your organization grows, compliance — as well as cybersecurity — becomes more important and more complicated; it’s advisable to handle these issues early on to avoid trouble further down the road.

6. It’s all about you.

There are many questions that you need to know the answers to before you even begin evaluating MDR vendors. Here are a few.

  • What is your current technology stack?
  • What is your current coverage?
  • Who are the major cyber threat actors targeting your industry?
  • Who are the major threat actors targeting your geographical location?
  • What are their common techniques and tactics?
  • What is your current coverage in comparison to the active and emerging threat actors you listed?
  • Have you mapped your defenses onto the MITRE ATT&CK and D3FEND frameworks?
  • Are you familiar with the MITRE ATT&CK and D3FEND frameworks?

If you answered “no” to that last question, here is a quick reading list for you to get you up-to-date on the universal language used by all cybersecurity vendors.

MITRE ATT&CK CRASH COURSE READING LIST

1. Introduction | What is MITRE ATT&CK?
2. Behind the Curtain | Who is MITRE?
3. ATT&CK Evaluations | Complete Guide to Understanding the Round 2 Results
4. ATT&CK Evaluations | Introductory Guide to Understanding Round 3 Results
5. ATT&CK Evaluations | In-depth Guide to Understanding the Round 3 Results
6. What is D3FEND? | FAQ

HOW DO YOU EVALUATE A MANAGED DETECTION AND RESPONSE VENDOR?

There are multiple avenues open to you to evaluate MDR vendors — each with its own advantages and shortcomings. Here are a few places to get started.

Analyst Reports

There are many research and advisory firms for technology in the world; however, none have reached the impact that Gartner has.

While we will focus on Gartner for this article, there are others we also recommend, including Forrester Research, IHS Markit, HfS Research, Ponemon Institute, IDC, Everest Group.

The Gartner Magic Quadrant

Since the 1980s, the Gartner Magic Quadrant (MQ) and its accompanying reports have been providing leadership with insights into a growing market’s trends, maturity, direction, niche players, challengers, visionaries, and leaders.

Gartner MQ provides a snapshot of vendors in the market but also affects the market as well, with vendors in the leadership quadrant gaining much attention. A separate industry complete with books, webinars, and snake oil exists solely to aid vendors in moving their dot on the MQ up and to the right.

However, do not make the mistake of ignoring the other 3 quadrants. One Niche Player could exclusively focus on your industry and geographic region, easily making them worth looking into. Also, if you consider yourself to be early adopters of tech, then the bottom half of the MQ should prove more interesting to you — with late adopters focusing on the upper half.

Peer Market Review & Market Guides

While the MQ model has seen much use across multiple sectors, it does have its own shortcomings. For example, if a market proves to be too immature (such as vendors offering low-Earth-orbit satellite services or quantum computing), the MQ model would have too little data with vendor dots rapidly shifting quadrants. Whereas with a mature market, vendor dots would rarely move, if at all, as Leaders would most likely have been in the upper right quadrant for quite some time. In addition, the MQ model takes 6 months to a year to compile and, in doing so, becomes a snapshot of the market from a year ago.

Gartner started publishing annual Market Guides with a list of “sample vendors” as opposed to the MQ’s method of categorizing vendors. (Forrester has also followed suit with their annual Tech Tide reports.) Gartner Market Guides give insight into current market trends and future projections while keeping them in the context of the buyer’s size, with small, medium, and large enterprises.

In 2015, Gartner launched Peer Insights, allowing buyers and leadership to (hopefully) cut through marketing wordsmithing or potential analyst bias and hear directly from fellow buyers who have used the tools and services of a vendor.

MITRE Engenuity ATT&CK Evaluation results

In 2018, the MITRE Corporation launched the MITRE ATT&CK Evaluations, where MITRE evaluates the efficacy of cybersecurity products using an open methodology based on their own publicly available ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) Framework — a living, growing framework of common tactics, techniques, and procedures (TTP) used by advanced persistent threats (APTs) and other cybercriminals. Everything a hacker can do on a victim’s system can be uniquely represented in the ATT&CK Framework.

The ATT&CK Evaluations are extremely useful to end users of cybersecurity solutions, as they provide transparency and publicly available data on the true efficacy of some of the leading cybersecurity products in the world.

ATT&CK Evaluation results also provide screenshots of cybersecurity solutions at work, granularly detail what is happening in each screenshot, and provide insight into a cybersecurity solution’s approach to security.

Each year (or “round”) of the ATT&CK Evaluations has cybersecurity vendors pitting their solutions against MITRE team-created emulations of known APTs (whose names somehow get progressively cooler with each round).

Round 1 (2018) Emulation — APT3
Round 2 (2019) Emulation — APT29
Round 3 (2020) Emulation — FIN7 & Carbanak
Round 4 (2021) Emulation — Wizard Spider & Sandworm

HOW DO I INTERPRET THE RESULTS FROM MITRE ENGENUITY’S ATT&CK EVALUATIONS?

As mentioned earlier, each round MITRE Engenuity emulates a real-world threat. Additionally, the last two rounds and the upcoming 4th round each focused on a differently motivated threat group. Depending on which active and emerging threats you’d like to focus on, you may have more interest in researching one round over another.

Each evaluation round has had different metrics gauging the efficacy of each vendor’s product, so a cursory understanding of each round’s adversary would be necessary.

Your Crash Course

1. Introduction | What is MITRE ATT&CK?
2. Behind the Curtain | Who is MITRE?
3. ATT&CK Evaluations | Complete Guide to Understanding the Round 2 Results
4. ATT&CK Evaluations | Introductory Guide to Understanding Round 3 Results
5. ATT&CK Evaluations | In-depth Guide to Understanding the Round 3 Results
6. What is D3FEND? | FAQ

In general, pay close attention to vendors that achieved more General, Tactic, and Technique detections out of the box with zero configuration changes, as this shows what you can actually expect from a vendor. Vendors that rely substantially on Telemetry detections or on configuration changes are showing you something other than what you will experience using their services and tools — especially if your focus is detecting and preventing intrusions, as opposed to just being really good at post-intrusion incident response.

If your MDR vendor can’t detect something in an actionable way, then no one can respond to it, leaving you vulnerable, despite the vendor’s claims otherwise.

HOW DO I CHOOSE AN MDR PROVIDER FOR SMALL AND MEDIUM ENTERPRISES USING ATT&CK EVALUATION RESULTS?

“Small and mid-sized organizations often do not have the resources to fully address the complexity, variability, speed, and sophistication of modern cyber threats. These orgs often face the same cyber threats that large orgs do, putting them at a distinct disadvantage. To address those challenges, small and mid-sized organizations are increasingly adopting cost-effective MDR.”
CyCraft, Securing Small, Medium, and Large Orgs for the 2020s,
22 December 2020

In terms of cybersecurity and this particular context, the size of your enterprise isn’t as critical as your level of security maturity. For example, in the last decade, we saw plenty of examples of large enterprises suffer the aftermath of a breach due to immature security standards and practices.

Small-Sized Enterprises / Security Maturity is Not High

These SOCs/IT teams are familiar with cybersecurity industry terms and typically rely on MSSP and/or MDR due to their limited team of analysts.

Use the Technology Comparison tool on individual attack substeps. Try following the line of thought below to help narrow down vendor solutions that best suit your environment.

  1. Prioritize vendors with Technique or Tactic detections.
  2. General detections indicate the detection of suspicious behavior.
  3. High Telemetry detections help with post-intrusion incident response. See if the vendor offers data retention services to store telemetry and for how long, as APT-level attacks have been known to take months to detect. The less time telemetry data is retained, the less useful the telemetry data becomes.
  4. If a vendor does not have any of the above, strongly consider excluding them from your list of potential candidates.

Medium-Sized Enterprises / Security Maturity is Above Average

These SOCs have full-time analysts. The more detailed, contextual, and actionable information given to them, the better! They typically have sufficient technical knowledge. Some of the SOC analysts on their team may want super-detailed information, and some may consider free tools like Microsoft’s Sysmon efficient enough and a way to save money.

Try following the line of thought below to help narrow down vendor solutions that best suit your environment.

  1. Decide which substeps are a priority for you.
  2. Overlay vendor detection coverage over your prioritized substeps. What vendors provide coverage over your prioritized substeps?
  3. Use the Technology Comparison tool to focus on substeps your team has prioritized. What vendors provide useful detection data?
  4. Look into each vendor’s individual results and find a product interface your team likes and can understand.

The third point is particularly important. If you only see the commands (process command line, PowerShell command line, etc.) but do not see the system-level behavior (API calls, file events, etc.), the collected data is of limited use.

Large-Sized Enterprises / SecOps with High Maturity

Your full-time team of information security analysts operates in an ocean of alerts where drowning is not an option. Analyzing raw data 24 hours a day isn’t ideal either — at least, not for humans; however, automated alert triage and automated alert validation are only part of the answer.

Large-sized enterprises could have hundreds of thousands of endpoints. The ability to detect and verify malicious activity on any one endpoint is great, but being able to correlate malicious activity across the entire network is what you really need. This allows your team to gain the full context of the attack from initial access to attack operation objectives.

Try following the line of thought below to help narrow down vendor solutions that best suit your environment.

  1. Identify vendors that can provide MSSP / MDR as their solutions may be better at triage.
  2. Identify vendors that can generate more Technique and Tactic detections as these detections can greatly reduce MTTD and MTTR.
  3. Use the Technology Comparison tool to focus on substeps your team has prioritized. What vendors provide automated General, Technique, and Tactic detections?
  4. Identify a product interface that your team likes and can understand.
  5. Does the solution correlate all malicious activity across all endpoints into one attack storyline stemming from the root cause of the attack to potential attack operation objectives? Does the solution provide end users with a straightforward, easily digestible visual representation of the attack, or is it a wall of text?

The MDR market can be tricky to navigate. It’s easy to get distracted by all the smoke and mirrors produced from clever marketing buzzwords, biased reports, fear-focused advertising, and hype. Hopefully, this article provided you a decent layout of the MDR cybersecurity landscape and an actionable roadmap to success. If you should ever find yourself lost out there, contact us and let us know. We’re here to help. Happy hunting.

Everything Starts From Security

CyCraft Customers can prevent cyber intrusions from escalating into business-altering incidents. From endpoint to network, from investigation to blocking, from in-house to cloud, CyCraft AIR covers all aspects required to provide small, medium, and large organizations with the proactive, intelligent, and adaptable security solutions needed to defend from all manner of modern security threats with real-time protection and visibility across the organization.

Engage with CyCraft

Blog | LinkedIn | Twitter | Facebook | CyCraft

CyCraft secures government agencies, police and defense organizations, Fortune Global 500 firms, top banks and financial institutions, critical infrastructure, airlines, telecommunications, hi-tech firms, SMEs, and more by being Fast / Accurate / Simple / Thorough.

CyCraft powers SOCs using innovative AI-driven technology to automate information security protection with built-in advanced managed detection and response (MDR), global cyber threat intelligence (CTI), smart threat intelligence gateway (TIG) and network detection and response (NDR), security operations center (SOC) operations software, auto-generated incident response (IR) reports, enterprise-wide Health Check (Compromise Assessment, CA), and Secure From Home services. Everything Starts From Security.

Meet your cyber defense needs in the 2020s by engaging CyCraft at engage@cycraft.com

Additional Resources

  • Read our latest white paper to learn what threat actors target Taiwan, their motivations & how Taiwan organizations retain resilience against some of the most sophisticated and aggressive cyber attacks in the world.
  • Is your SOC prepared for the next decade of cyber attacks? Read our latest report on building effective SOCs in the 2020s, the challenges to overcome, and the stressors to avoid — includes research from Gartner, Inc. on why Midsize enterprises are embracing MDR providers.
  • New to the MITRE Engenuity ATT&CK Evaluations? START HERE for a fast, accurate, simple, thorough introductory guide to understanding the results.
  • Our CyCraft AIR security platform achieved a 96.15% Signal-to-Noise Ratio with zero configuration changes and zero delayed detections straight out-of-the-box.
