Cleaning Up the MDR Confusion


Jack Danahy, SVP, Strategy and Security Chief Evangelist, Alert Logic

As organizations struggle to secure and protect increasingly complex ecosystems from an expanding threat landscape, managed detection and response (MDR) solutions have been getting a lot more attention. Unfortunately, there are multiple, differing definitions for MDR, and no common commitment to the value it should provide. For organizations to understand the role of MDR in their security portfolio, we need to reach a consensus on what MDR delivers, and arm prospective buyers with a set of criteria with which they can make informed MDR choices.

What Is MDR?

Managed detection and response solutions identify active threats across an organization and then respond to eliminate, investigate, or contain them. Some of these threats appear prior to attacks, like exploitable vulnerabilities in software or service misconfigurations, while others occur during an attack or as a consequence of its success. MDR has increased in visibility and importance as organizations realize that no level of investment will provide 100% protection against all threats and as the scale and complexity of the security challenge become intractable for a growing number of organizations.

MDR has existed under other names for decades.  Alert Logic was providing managed threat intelligence at its founding in 2002.  What’s changing, and driving a coalescence in the market, is the fragmentation and complexity of the cybersecurity ecosystem. Companies of all sizes and across all industries are investing in security tools and services designed to prevent and detect attacks, but the resulting administrative costs and overwhelming volume of notifications have driven security team burnout and alert fatigue.  Worse, a persistent shortage of cybersecurity talent makes it difficult to hire and retain the trained personnel necessary to configure these solutions, analyze resulting events, and respond effectively. Managed detection and response services address this issue.

The ultimate goal of MDR is to minimize the likelihood or impact of any successful attacks.   To understand MDR, it is helpful to start from that outcome and consider what management, detection, and response need to look like.

Breaking down M, D, and R

Let’s look at the three title elements of MDR—Management, Detection, and Response.  Each requires specific capabilities in order to deliver on the promise of MDR.

Management

Comprehensive visibility, both over an organization’s assets and over a 24/7 window, and an understanding of business needs are essential for effective security management, especially in MDR. An MDR provider is engaged to promptly identify and mitigate threats or attacks in progress, and doing so requires this visibility across the network environment and an up-to-date inventory of all assets being managed. Management also requires security professionals with sufficient experience and expertise to validate and communicate security events when they arise.

Detection

Current threat intelligence is required for effective detection. The MDR provider needs to be able to recognize emerging threats and take steps to reduce the risk posed by those threats. Detection includes both proactive measures to identify and patch vulnerabilities, reducing the attack surface, and having security professionals capable of understanding the complexity and changing context of security events who can validate and prioritize security incidents. To achieve the objective of reducing the likelihood or impact of a successful attack, supporting technology must also be implemented to be as close to real-time as possible.

Response

There are a variety of potential responses depending on the nature of the security event detected, the value and type of asset under threat, and the outcome you are trying to achieve. As a result, response is not a simple action, and there is no “one size fits all” approach. Response may involve investigation, elimination, notification, containment, remediation, or a combination of any or all of the above.

The Seven Core Tenets of MDR

Having described characteristics of effective management, detection, and response, what remains is a more granular exposition of the underlying capabilities required of all MDR providers.  As you explore the available options, ensure that the managed detection and response provider you choose can meet all seven of these essential tenets that define a comprehensive MDR solution:

  1. Reduce the likelihood or impact of successful attacks
  2. Provide 24/7 visibility and cover all assets in your organization
  3. Continuously be refreshed with research on new threats and vulnerabilities
  4. Augment technology with human intelligence to ensure accuracy and value
  5. Provide customer responses that reflect business and attack context and cause
  6. Scale to deliver technical analysis and human insights across dynamic environments
  7. Deliver results and reporting that are credible, accessible, and useful

MDR is gaining momentum as businesses recognize that it improves protection, reduces cost, and benefits from both economies of scale and community sharing of security intelligence and events.   Choosing the right provider of MDR starts with understanding the baseline requirements, and then weighing competitors’ performance against the seven tenets to ensure a match with your own environment and priorities.

With this clarity and careful examination, MDR will become an integral part of your security portfolio, leaving you time for more strategic or pressing security and business priorities.


Jack Danahy is SVP, Strategy and Security and Chief Evangelist at Alert Logic, where he applies nearly 30 years of security experience to the challenge of managed detection and response (MDR). He is an innovative security leader with proven success creating, delivering, and evangelizing new security approaches. He has founded three successful security companies, most recently the endpoint and behavioral analytics firm Barkly, acquired by Alert Logic in 2019. In 1999, Jack founded Qiave Technologies (acquired by WatchGuard Technologies in 2000) and in 2003, he started application security pioneer Ounce Labs (acquired by IBM in 2009). At IBM, Danahy was Director for Advanced Security, and also led the delivery of security services for IBM across North America. Jack holds a dozen security patents and is a frequent writer and speaker on a wide range of security topics.