In recent years, data breaches and compliance failures have made organisations increasingly aware of the need for comprehensive cybersecurity solutions to detect and address threats. However, not all organisations have had the means to invest in and manage the staffing and infrastructure required for a Security Operations Centre (SOC).
This is where Managed Detection & Response (MDR) providers come in. MDR providers offer an all-in-one solution for organisations that combines people, processes, and technologies to strengthen security measures and reduce risk exposure. They include monitoring for potential threats and incidents, responding to confirmed breaches, and providing support for incident investigation processes. Many will also use advanced technologies such as artificial intelligence, machine learning, and data analytics to improve detection accuracy and speed up response times.
In this blog, I’m going to explore the pros and cons of using an MDR provider and whether it’s better to choose a boutique provider over a traditional big brand. I’ll be discussing the market, terminology, and three core features I believe you should consider. I’ll also be considering the benefits that they can offer, as well as the potential drawbacks. I’ll be doing this in three parts, as there’s a fair bit to get through.
So, whether you’re an enterprise or a small to medium-sized business considering an MDR solution, keep reading, because by the end of this three-part blog series you’ll have a better understanding of which option will best suit your needs.
MDR providers have grown immensely since Gartner first coined the term in 2017. Since then, providers have been attempting to move away from the term by using different names and acronyms in an attempt to set themselves apart. Examples include Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), Threat Detection and Response (TDR), and SOC-as-a-Service (SOCaaS). Whilst some of these are related, here is, very briefly and simplistically, how they differ from each other.
EDR provides endpoint-focused threat identification, remediation and threat hunting support.
MDR is EDR as a fully managed 24×7 service.
XDR is a threat-centric network traffic analysis (NTA) service.
TDR proactively identifies and mitigates security breaches by monitoring network activities, endpoints, and cloud environments. TDR detects known threats and identifies anomalous patterns indicative of emerging risks. This proactive approach enables swift response measures, minimising the impact of potential breaches. TDR services provide real-time insights, correlating data from diverse sources to offer a view of the security stance. TDR uses automation to enhance the efficiency of incident response teams, ensuring a rapid and effective defence against cyber threats.
SOCaaS refers to outsourcing the entire security operations centre function to a third-party provider, including the people, processes, and technology for monitoring and responding to security events. While SOCaaS is an outsourced service offering and can encompass managed threat detection and response as part of its offerings, it also includes other security operations functions such as log management, incident response, vulnerability assessment, and more.
SOCaaS is a growth market and is predicted to grow from $6.7 billion in 2023 to $11.4 billion by 2028, a CAGR of 11.2%. MDR is one of the top three most popular cyber security operations to outsource, and it has become popular amongst enterprise and mid-size organisations in particular. Unsurprisingly, there’s a wide range of providers in the market, and the easiest way to illustrate this is with a diagram (see below).
As a result, many buyers find it hard to ascertain which MDR provider is right for them, and whether a boutique provider is a better fit than a big brand. So, let’s examine this and the first feature, technology.
Core Feature #1: Technology
It takes considerable resources and experience to provide a comprehensive MDR service. One of the best ways to compare providers is by examining the ways in which they operate their technologies, so let’s look at threat detection.
When a threat actor penetrates your company, or there’s been a compliance failure, you need to know ASAP. In order to lessen the duration and impact of an attack or breach, an MDR provider will reduce false positives and quickly identify true threats, Indicators of Attack (IoA) and Indicators of Compromise (IoC) hidden within their clients’ endpoint, network, and cloud system telemetry. They use network segmentation and “shift left” strategies in the attack chain to isolate attacks or disrupt threat actors before they have a chance to launch their threat campaign. As such, it is essential to review the methods and techniques an MDR provider uses for threat detection, including threat hunting, intelligence, and research.
For threat intelligence and research to be effective, it must be broad, deep, and incorporate client-specific information. A variety of Open-Source Intelligence (OSINT) and proprietary sources should be included to identify not only IoAs and IoCs, but also the Tactics, Techniques and Procedures (TTPs) used by attackers. If a company were to invest in building this capability internally, the cost would be enormous. Accessing dark web forums, live incident response feeds, forensic analysis, and insights into cybercriminal and nation-state level activity requires significant resources and expertise. Fortunately, outsourcing these capabilities to an MDR provider significantly reduces the overhead and cost of accessing such tooling, making it a more practical and cost-effective solution for organisations.
Many big brands state they offer threat hunting capabilities, but their approach typically involves a limited set of telemetry, reactively investigating automated alerts, and relying on the default detection rulesets included by their preferred EDR and Security Information and Event Management (SIEM) vendor.
Boutique providers are more proactive than big brands as they know they have to work harder to attract and retain their clients. With teams recruited for their attacker mindset, they won’t be solely reliant on automated searches for IoCs and the default detection rulesets set by product vendors. Rather, they’ll be researching, gathering threat intelligence, deconstructing zero-day malware, and using the Cyber Kill Chain and MITRE ATT&CK frameworks to update and fine-tune rulesets based on changes to the threat landscape. Additionally, they’ll be tailoring dark web monitoring to each client’s specific needs, for example, searching for company mentions that may include data from a breach, or industry-specific breach reports.
They’ll be using human-led, hypothesis-driven investigations that incorporate current and historical data from their clients’ logs.
A boutique provider will also run simulations at periodic intervals, such as a simulated (non-malicious) ransomware attack or a simulated Business Email Compromise (BEC) attack, to demonstrate their capability to respond. Their clients are also allowed to run the same simulations to verify that the provider can detect and respond. You’ll find them responding all day, every day, providing high-touch engagement, detecting threats across endpoints, networks, and clouds, and executing effective incident response.
Incident response times and service level agreements vary greatly between boutique providers and big brands, with some simply offering alerts, reporting, and advice on what to do when an incident happens.
A recent report by e2e-assure, a managed TDR provider, found that buyers of cyber defence services such as SaaS want to pass more responsibility to their providers so they can gain faster decision-making (70%) and response times (68%), improve cost efficiencies (67%), and reduce the reliance on their team (63%).
To get the most out of an MDR provider, your priority should be containment, malware removal, remediation, and root cause analysis – to stop threats in their tracks – followed by alerts and reporting metrics.
MDR providers shouldn’t be waiting until a breach is discovered before calling in incident response experts. Acting before an intrusion has occurred is best practice, as it limits damage and helps you identify any related malicious activity in other networks and systems. It’s why MDR providers work with incident response (IR) teams to streamline threat investigations, remediation, and recovery processes, and why it’s essential for you to confirm whether your prospective MDR provider’s IR team is in-house.
Boutique providers and big brands can outsource their IR support to third parties, especially if they’ve just begun to offer the service or as a way to lower overheads. Watch out for this as it can cause delays in response and remediation times – a stress few ITDMs and security managers care to accept.
Technical support is an important factor to consider when selecting an MDR provider. Boutique providers typically support an organisation’s existing technologies, so they can offer more personalised technical support services, which can be beneficial for organisations that need more guidance as they set up their systems and troubleshoot any issues. These firms may provide one-on-one consultations with technical/SOC engineers as part of the service level agreement.
In contrast, big brand providers tend to have more standardised technical support processes which provide clients with the same level of service regardless of their individual needs. They are often designed to fit around traditional managed security services – “ticketed” systems with a shared security model that requires clients to manage and investigate the resulting alerts. However, they often offer FAQs, tutorials and automated systems for user onboarding and troubleshooting which can be helpful for clients who don’t need a lot of handholding.
Innovation and Agility
The ability to innovate and stay agile is an important factor when selecting an MDR provider for your organisation. As threats change, detection mechanisms should too, so you need to ask MDR providers about their product roadmaps. A lot of providers present well, but when it comes to delivery they fall behind, leaving clients frustrated, especially when they find out they’re tied into “sticky” contracts.
Boutique providers tend to have smaller teams, vertical expertise, and a better understanding of their clients’ needs. As their business is only MDR and they don’t have the reputation of a big brand to fall back on, they also tend to be more attentive to changing client needs and industry trends. This means they can often develop or implement innovative solutions faster than big brands, providing their clients with the speed and agility to adapt their services as needed.
In contrast, big brands typically have more resources, and some can invest in longer-term research projects which may be beneficial for organisations that need advanced solutions. They also tend to have more established processes and procedures in place which can make them slower to respond to changes but faster to scale as their client demands increase. Many can also offer additional free resources such as security assessments, data insights, analytics and communities that help clients stay ahead of industry trends.
Leading MDR providers, typically boutique firms, are technology agnostic, utilising both their own tools and the native capabilities of different security tools to analyse data from all parts of an organisation. This enables them to integrate with a variety of product vendors and offer a more customised multi-disciplinary approach to MDR which is highly agile, scalable, efficient, and effective.
In contrast, big brands, aside from some of the largest tax, audit and risk giants (Big 5), tend to have more standardised technology solutions which are designed to provide clients with the same level of service regardless of their individual needs. These firms often offer a limited range of pre-integrated vendors but numerous APIs, which is helpful if your organisation doesn’t need much customisation. Some will pin a vendor’s flag to their mast, though, which means you’ll need to buy additional licensing for the MDR service to work. This may be wrapped up in the contract, and if it is, check it thoroughly, as it can cause problems when it comes to switching providers or termination, as I’ll describe shortly.
Now I want to hear from you…
If you’ve already invested in an MDR solution, I’d love your insights. Please tell me: are there any specific technology-related questions you wish you’d asked your provider before making the purchase?
Or, if you haven’t yet decided on an MDR provider, please tell me: what are the burning questions you’d like answered?
If you’re looking for an MDR provider, please join me for a decision-making workshop with e2e-assure’s CEO, Rob Domain – Choosing your MDR Provider: Boutique or Big Brand. It’s being held on Wednesday, February 21 at 11AM GMT.