Managed Detection and Response

What is managed detection and response?

The rise of more advanced threats has created demand for a service that can address the kinds of threats that in-house security teams, or even traditional managed security services (MSSs), cannot reliably detect and respond to. Security providers have started offering complex endpoint detection and response (EDR) platforms and network detection appliances to protect organizations from these threats. But these technologies come with a caveat: they usually require a high level of skill to use effectively, something many organizations lack. Managed detection and response (MDR) has emerged in response to this cybersecurity skills gap.

MDR is a service offered by security providers to augment an organization’s existing security infrastructure and to address threats that bypass traditional security controls. More specifically, it is an outsourced service that hunts for threats in the organization’s environment and responds to them once they are discovered. It also involves a human element: providers typically give MDR customers access to their pool of security researchers and engineers, who monitor the network, analyze incidents, and respond to security cases. Organizations subscribed to MDR usually have direct communication with the MDR security team rather than relying on indirect contacts or portals.

This service is therefore suited to organizations that want protection from more advanced types of cyberthreats. Some of these organizations may already use multilayered security technologies but lack the expertise to manage them and get the most out of them.

The diagram below shows the basic process of how MDR responds to threats. Once a threat is detected, the MDR team will analyze it and then provide recommendations to the organization for remediation.

What challenges can MDR address?

The primary problem that MDR tries to address is the lack of security skills within organizations. While training and staffing a dedicated security team that can hunt threats full time may be feasible for large organizations with the budget for it, most companies will find it a difficult proposition. This includes many medium and large organizations that are frequent targets of cyberattacks yet lack the budget or headcount for such a team.

One of the most important skills a security professional needs is the ability to contextualize and analyze indicators of compromise so that the company is better positioned against future attacks. Security technologies can block threats, but digging into the how, why, and what of an incident requires a human. This is essentially what MDR aims to accomplish: not only to detect threats but also to analyze all the factors and indicators, and then to provide recommendations and changes to the organization based on that interpretation of the security events.

Today’s threats are a far cry from the simplistic malware of yesteryear and often come with features that increase their capacity to do damage. Some of the more prevalent modern threats, such as network attacks, targeted attacks, cryptominers, fileless malware, and remote access tools (RATs), are not only difficult to detect but also able to bypass many types of security technology. Because these threats are so widespread, they are likely to become significant problems for many organizations.

For example, much of an organization’s focus is on perimeter defense, that is, on where threats enter and exit the network. Less attention goes to lateral movement, the way a threat moves between systems after it has gained a foothold. Consequently, detecting and responding to threats that are already inside the network can be problematic. Traditional security is not equipped to handle these threats, particularly those that require continuous detection and response.
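The kind of detection the paragraph above describes, movement inside the network after the perimeter has already been passed, is usually built from authentication telemetry rather than from perimeter logs. The following is an added example written for this page, not code from the original article or from any vendor product. It runs a simple behavioral rule over constructed logon records shaped like Windows network logon events: an account that authenticates from one workstation to several distinct hosts inside a short window is flagged, and the alert is enriched with a (constructed) baseline of which hosts that account normally reaches, the sort of context the earlier section says an analyst must add before recommending a response. Host names, account names, timestamps, the baseline, the five-minute window and the threshold of four hosts are all assumptions chosen for the example.

```python
"""Lateral-movement fan-out detection over constructed logon telemetry.

Added example for this article; not part of the original page. The event
shape imitates Windows 4624 logons (logon_type 3 = network, 10 = RDP,
2 = console) but every record below is constructed, not real data.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Logon:
    ts: datetime
    account: str
    src_host: str   # workstation the authentication came from
    dst_host: str   # host that accepted the credential
    logon_type: int  # Windows convention: 2 console, 3 network, 10 RDP


@dataclass
class Alert:
    account: str
    src_host: str
    first_ts: datetime
    last_ts: datetime
    hosts: set                       # distinct destinations in the burst
    new_hosts: set = field(default_factory=set)  # not in the account's baseline


T = datetime(2024, 3, 4)  # constructed date for the sample
SAMPLE_LOGONS = [  # constructed telemetry: routine admin work plus a burst from WS-17
    Logon(T.replace(hour=9, minute=0), "admin.jdoe", "WS-02", "FS-01", 3),
    Logon(T.replace(hour=9, minute=30), "admin.jdoe", "WS-02", "PRINT-01", 3),
    Logon(T.replace(hour=10, minute=15), "admin.jdoe", "WS-02", "FS-01", 3),
    Logon(T.replace(hour=11, minute=5), "jsmith", "WS-05", "TS-01", 10),
    Logon(T.replace(hour=12, minute=58), "svc_backup", "WS-17", "WS-17", 2),
    Logon(T.replace(hour=13, minute=0, second=10), "svc_backup", "WS-17", "FS-01", 3),
    Logon(T.replace(hour=13, minute=0, second=42), "svc_backup", "WS-17", "DC-01", 3),
    Logon(T.replace(hour=13, minute=1, second=15), "svc_backup", "WS-17", "HR-DB", 3),
    Logon(T.replace(hour=13, minute=2, second=3), "svc_backup", "WS-17", "FIN-01", 3),
    Logon(T.replace(hour=13, minute=3, second=40), "svc_backup", "WS-17", "WS-21", 3),
]

# Hosts each account normally reaches. In practice this is learned from
# history; here it is a constructed assumption used only for enrichment.
BASELINE = {
    "admin.jdoe": {"FS-01", "PRINT-01"},
    "svc_backup": {"FS-01"},
    "jsmith": {"TS-01"},
}


def detect_fanout(events, baseline, window=timedelta(minutes=5), threshold=4):
    """Flag (account, source host) pairs that reach >= threshold distinct
    destination hosts within `window`. One alert per pair; once it fires,
    later destinations are folded in while the burst stays contiguous."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        # Console logons and self-logons are not movement between hosts.
        if e.logon_type in (3, 10) and e.src_host != e.dst_host:
            by_pair[(e.account, e.src_host)].append(e)

    alerts = []
    for (account, src), evs in by_pair.items():
        recent = deque()   # sliding window of this pair's recent logons
        alert = None
        for e in evs:
            recent.append(e)
            while e.ts - recent[0].ts > window:
                recent.popleft()
            if alert is not None:
                if e.ts - alert.last_ts <= window:
                    alert.hosts.add(e.dst_host)
                    alert.last_ts = e.ts
                continue
            hosts = {r.dst_host for r in recent}
            if len(hosts) >= threshold:
                alert = Alert(account, src, recent[0].ts, e.ts, hosts)
                alerts.append(alert)

    for a in alerts:  # context for the analyst: which targets are unusual
        a.new_hosts = a.hosts - baseline.get(a.account, set())
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(SAMPLE_LOGONS, BASELINE):
        print(f"{a.account} from {a.src_host}: {len(a.hosts)} hosts in "
              f"{a.last_ts - a.first_ts}, never seen before: {sorted(a.new_hosts)}")
```

Note what the routine admin activity does not trigger: admin.jdoe reaches two hosts, but spread over an hour, so the sliding window never holds four distinct destinations. The svc_backup burst from WS-17 does fire, and the new_hosts set (a domain controller, an HR database, a finance host) is the contextual detail that turns a count into a case worth escalating; a perimeter appliance sees none of this traffic.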

Also, not all organizations have the same security requirements. For example, a hospital may need more focus on protecting its patient database, while a brick-and-mortar supermarket may concentrate on securing its point-of-sale (PoS) devices. With this in mind, MDR providers are able to customize their services to fit the specific needs of their clients and, perhaps more importantly, identify where exactly the weak points are in their clients’ security strategies.

MDR is designed to solve the problem of an organization’s cybersecurity skill gap. It tackles the issue of more advanced threats that an in-house IT team cannot completely address, ideally at a cost that is less than what the company will need to spend to build its own specialized security team. MDR can also offer the organization access to tools that it may not normally have access to. The diagram below illustrates what an organization stands to gain when MDR comes into play.

How do MDR providers compare with MSSPs?

Organizations have traditionally turned to managed security service providers (MSSPs) for their external security needs. In contrast with MDR providers, which can detect lateral movement within a network, MSSPs typically work with perimeter-based technology and rule-based detections to identify threats. The threats MSSPs deal with are also mostly known ones, such as vulnerability exploits, recurring malware, and high-volume attacks. MSSPs have security professionals who perform log management, monitoring, and analysis, but often not at a very deep level. In essence, MSSPs can manage an organization’s security, but typically only at the perimeter, and their analysis does not involve extensive forensics, threat research, or analytics.

In terms of service delivery, MSSPs usually communicate by email or phone, with direct access to security professionals as a secondary channel, whereas MDR customers typically deal with the analyst team directly. MDR providers also carry out 24/7 continuous monitoring, which not all MSSPs offer.

However, MSSPs still provide value to organizations. For example, managing firewalls and the other day-to-day security needs of an organization’s network is a task better suited to an MSSP than to an MDR provider, which offers a more specialized service. Accordingly, MSSPs and MDR providers can work in conjunction with each other — with MDR providers focusing on the proactive detection and behavioral analysis of more advanced threats and giving remediation recommendations once the threats are discovered.

How does MDR maximize EDR?

The EDR market emerged from the need for technology that can address threats designed to bypass traditional security. EDR, which is typically installed on host systems, consists of powerful tools that provide analysis, detection, threat investigation, reporting, and alerting beyond what basic security solutions offer. EDR can also incorporate technologies such as machine learning and behavioral analysis, and it is often integrated with the provider’s other core products. However, because of the complexity of the technology, many in-house IT teams lack the skills to get the most out of EDR. As a result, many organizations spend considerable time and money on EDR solutions that they cannot fully use.

[Read: The Endpoint Detection and Response (EDR) Conversation]

MDR can address the difficulties organizations face in deploying complex EDR solutions, as well as their lack of the time, skills, and funds needed to train personnel on the EDR tools, by integrating EDR into the service. Essentially, EDR gives organizations powerful tools for comprehensive security, which MDR then uses for its detection, analysis, and response roles.

In addition to EDR, MDR can manage an organization’s other security technologies, such as breach detection systems (BDSs) and endpoint protection products (EPPs). Without MDR, managing and operating these tools would fall to the in-house IT team as well.

[Learn more about Trend Micro's Detection and Response solutions]