Managed detection and response - definition & overview

Managed detection and response (MDR) is an outsourced security service that helps organizations detect malicious network activity (network intrusions, malware attacks, attempted data theft, etc.) and quickly respond to eliminate the threat. MDR service providers facilitate threat detection by deploying their own tools and technologies onto the customer organization's IT infrastructure, then managing and monitoring those tools.

As organizations expand IT infrastructure, they deploy an increasing number of network endpoints such as laptops, desktops, and mobile devices. They may also develop a hybrid cloud environment where they deploy a suite of applications that support business functions. While each of these deployments helps to expand and solidify the organization's IT infrastructure, each presents a potential security vulnerability and a possible entry point for cyber attacks.

Although MDR depends on software tools to aggregate event logs and detects potential Indicators of Compromise (IoC), service providers typically employ security analysts around the clock to provide 24/7 live monitoring of your network security posture. The combination of computerized and human monitoring provides real-time coverage and detection of security threats.

MDR is a relatively new model for organizations to augment their in-house cyber security capabilities or fill gaps in their security coverage.

Streamlined deployment - Service providers in the MDR market have extensive experience deploying their services for customers, including quickly customizing a solution. Deploying your own threat detection and response capability can take significantly longer because of the requirements to purchase or license software tools, set up and configure them, create processes and procedures for monitoring and train staff.

Reduced up-front expenses - MDR service providers typically provide their own industry-leading tools and technologies on the customer's server. Rather than licensing these expensive tools (and spending time and money to customize each tool and train staff to operate them), the customer pays a single subscription fee to their service provider to provide and operate the technology to facilitate MDR.

Access to experts - With a skill shortage in cyber security, organizations increasingly rely on MDR vendors to access the required security expertise to protect them from threats.

Information security certification - Compliance with leading information security certifications such as ISO/IEC 27001 may be out of reach for low or medium-maturity IT organizations. An MDR service provider with an information security certification is a valued strategic partner who has demonstrated their commitment and capability to protect the privacy and security of your data.

Security coverage - MDR has been rapidly increasing in popularity since 2017, as organizations moved further away from prevention-focused approaches to enterprise security and placed greater emphasis on threat detection and response. IT organizations increasingly realized that prevention-only security solutions could reduce the number of incidents but did little to mitigate the impact of an existing known security event. MDR helps organizations boost their security coverage, providing detection and response capabilities that complement proactive tools for preventing cyber attacks.

MDR is a proactive service that searches IT infrastructure for evidence of advanced threats using tools such as SIEM, endpoint protection and network monitoring. Combining these tools means that security analysts get fewer security alerts than just a SIEM. Still, the detected threats are likely to be more dangerous and false positives are less probable.

Managed SIEM is a more machine-driven and reactive service than MDR. Managed SIEM depends on correlation rules to detect threats. The tool collects and aggregates logs, analyzes them, and creates an alert when a correlation rule is triggered. After creating an alert, it can be investigated by a live security analyst.

Managed Security Service Providers (MSSPs) offer a suite of security services, including threat detection and response, endpoint security, perimeter and email security, vulnerability management and customer service.

MDR is sometimes characterized as offering a sub-set of the services that MSSPs offer. MSSPs offer the most comprehensive security solutions but may focus on security operations, compliance and security monitoring functions with some threat detection. Whereas, MDR services are designed to detect and investigate threats, initiate a response, contain the threat as quickly as possible and proactively discover threats to the network.

IT organizations should carefully compare MDR, Managed SIEM and MSSP products before purchasing to develop a specific understanding of which services are offered and to ensure that the chosen solution fills gaps in the organization's existing SecOps capabilities. IT organizations should deploy a Managed SIEM before augmenting it with an MDR solution incorporating endpoint protection and proactive monitoring.

IT organizations that wish to secure their cloud-based systems adopt a suite of security tools, including firewalls, intrusion detection and intrusion prevention systems, endpoint detection and response, user behavior analytics, SEM, SIM and SIEM tools, and more. CISOs and security managers face significant challenges in managing these tools effectively as they continue to adopt new solutions that fill gaps in the organization's security posture.

Sumo Logic offers a single integrated platform where IT organizations can aggregate log data from all IT assets on the network, including the full range of available enterprise security tools.