
Understand Managed Detection and Response and what to look for in an MDR solution
Why your organization should consider an MDR solution and the top five things to look for in a service offering
The threat landscape is evolving rapidly and the corporate cyber attack surface is expanding, with many trends and developments heightened by the surge in digital transformation investment during and after the COVID-19 pandemic.
But growth in the attack surface often widens the gap between attackers and defenders in skills, capabilities, and resources. Fortunately, there are things corporate security teams can do to regain the initiative, for example ensuring that their approach is proactive and covers prevention, detection and response, including outsourcing some capabilities to expert industry partners.
Managed detection and response (MDR) combines all of this. But not all solutions are created equal, so let’s take a look at why your organization needs MDR, and five key things to look for in a service offering.
Why do you need MDR?
The surge in investment in the pandemic era can be observed in trends such as:
- Rapid adoption of cloud computing that goes beyond internal skills, leading to misconfigurations that expose the organization to attack.
- The evolving hybrid workplace, meaning potentially more unmanaged machines in the home and more easily distracted employees who take risks when using them.
- Spikes in supply chain complexity, which give attackers the opportunity to target managed service providers (MSPs), upstream open source repositories, and smaller suppliers.
- Ransomware as a service (RaaS), which has democratized the ability to launch sophisticated multi-stage ransomware attacks.
- Use of legitimate tools for lateral movement, which makes it more difficult to spot signs of foul play.
- Underground cybercrime marketplaces filled with breached data, making it child’s play for attackers to sneak past perimeter defenses using legitimate credentials.
- A mature cybercrime economy where individual players, such as Initial Access Brokers (IAB), all have a clear role in the attack supply chain.
- A growing number of published CVEs, which gives threat actors more opportunities to compromise their targets.
All of these trends and more are making compromise more likely. In 2021, publicly reported data breaches in the US hit an all-time high. They are also making incidents more difficult to detect and more expensive to contain: the average time to identify and contain a data breach now stands at 277 days, and the average cost is US$4.4 million for breaches of 2,200 to 102,000 records.
When prevention alone is not enough
In this context, a purely preventive approach to security is not good enough. A persistent threat actor will always find a way into your corporate network, if not by exploiting vulnerabilities, then by using compromised, phished, or brute-forced credentials. That means you have to add threat detection and response to your countermeasures. The premise is that if an attacker gets past your defenses, you have constant, detailed monitoring that picks up signs of suspicious activity before the bad guys have a chance to make an impact, and your SecOps team responds quickly to these incidents before they become serious breaches.
Extended detection and response (XDR) is an increasingly popular way to achieve this. It combines critical detection capabilities across endpoint, email, cloud, and other layers plus response and remediation to stop attackers in their tracks. However, for some organizations, XDR is not a panacea. Its usefulness may be limited by:
- An internal skills gap, which means there are too few trained analysts to operate XDR tools
- Deployment and management challenges, again due to understaffing and the difficulty of managing XDR across multiple regions
- The high cost of staffing, plus purchasing and maintaining the right XDR tooling
- Excessive alerts from tools that fail to prioritize threats accurately, overwhelming analysts
That’s why MDR is increasingly favored. It effectively hands off XDR management to an expert outsourcing provider, whose trained analysts handle threat detection, prioritization, analysis, and response. However, with so many solutions on the market, how can you choose the right one for your business?
Five things to look for in an MDR vendor
MDR is the ultimate blend of industry-leading technology and human expertise. They come together in what is effectively a managed Security Operations Center (SOC), where skilled threat hunters and incident managers analyze tool output to help minimize cyber risk. Here are five things to look for in a service:
- Excellent detection and response technology: Shortlist providers whose products are renowned for high detection rates, low false positives and a light overall footprint. Independent analyst assessments and customer reviews can help.
- Leading research capabilities: Vendors running well-known virus labs or similar research units will be best placed to stop emerging threats, because their experts are researching new attacks and ways to mitigate them every day. This intelligence is invaluable in the context of MDR.
- 24/7/365 support: Cyber threats are a global phenomenon and attacks can come from anywhere, so MDR teams must monitor the threat environment around the clock.
- High-quality customer service: The job of a good MDR team is not only to detect and respond quickly and effectively to emerging threats, but to act as an extension of the internal security or SOC team. It has to be a partnership, not just a commercial relationship. That’s where customer service comes in: providers must marry hyperlocal language support with global presence and delivery.
- Custom-made services: No two organizations are the same, so MDR providers need to be able to tailor their offerings to each client based on its size, the complexity of its IT environment, and the level of protection required.
The global MDR market is estimated to grow at a CAGR of 16% over the next five years to reach US$5.6 billion by 2027. With so much at stake and so many vendors out there, do your due diligence before making a decision.