What is MDR?

Managed Detection and Response (MDR) is a security service in which a provider takes on detection and response on behalf of a customer. MDR enables organizations to operationalize a turnkey Security Operations Center (SOC) at a small percentage of the cost of building an in-house program.

The person in charge of procurement for a company’s security organization might start by asking the question, “What is MDR?” They already know about detection and response (D&R), sure. And because they’re asking that question, they know their organization is having trouble keeping up with D&R responsibilities. This could be due to a lack of security headcount, expertise, resources, and processes to properly stand up a D&R program.

A capable Managed Security Services Provider (MSSP) can contract with a company to act as their SOC-as-a-Service (SOCaaS) partner, providing almost all cybersecurity services for the company. An MSSP can also quickly extend the headcount of a SOC in a specific area like D&R.

According to Gartner, MDR providers should be able to deliver actionable outcomes by analyzing telemetry – logs, data, and other contextual information – as well as engaging in threat hunting and incident management. This enables MDR customers to strengthen their security posture and better focus on business priorities.

How Does MDR Work?

Managed detection and response works by giving a customer access to the provider's SOC team for 24x7x365 security operations coverage. MDR quickly extends a SOC's headcount so the team can better:

  1. Detect threats
  2. Analyze threats
  3. Investigate threats
  4. Actively respond to threats
  5. Focus on priorities other than threats

By providing complete coverage across a customer's entire environment, MDR gives security practitioners the visibility to see when and where malicious-looking activity may be taking place. The provider should further be able to help a customer:

  1. Identify a targeted threat to their specific environment
  2. Repair any affected systems
  3. Focus efforts into taking down a threat
  4. Supply recommendations for better securing an affected system for the future
  5. Weed out benign events and report only on true positives

The ultimate goal of an MDR provider should be to help a customer’s SOC achieve a turnkey D&R program without the significant financial investment and stress – as well as the time it would take to interview talent while keeping the SOC running – to build a ground-up, in-house program.

What are the Benefits of MDR?

The benefits of MDR are plentiful, with a particular emphasis on creating a less stressful SOC environment. Other key benefits that come from engaging a true MDR partner are:

Improved security posture: By engaging a team of experts to extend D&R capabilities, a SOC can uncover risks earlier, shrink its attack surface, and be ready to investigate with digital forensics and incident response (DFIR) techniques.

ROI: An MDR partner should be able to provide meaningful ROI in a reasonable amount of time (3-5 years). For example, Rapid7 MDR services were able to provide customers with an average of almost 5.5x ROI over three years. By creating efficiencies in alert detection, investigation, and response, security organizations create cost savings to reinvest elsewhere.

Access to detection and response tools: An MDR customer typically will have access to the provider’s D&R technology so they can become educated on the underlying platform. They can also leverage that platform to perform their own alert investigations. Customers should also be able to access network traffic analysis, user-behavior analytics (UBA), and more.

Faster threat or breach remediation: A trusted MDR partner should be able to transform a SOC's remediation workload from many hours each week to minutes each week. The average time to remediate will decrease significantly because the provider can create a plan of action specifically tailored to a customer's environment.

Faster investigations with network analytics: A good MDR provider should also be able to rapidly ingest network device data so they can put it to work for a customer. Network data is lightweight, easily searchable, and can quickly pinpoint the exact location of an attacker in the network to identify the scope of the breach. Leveraging this data allows analysts to take action and understand what is going on across the network layer while correlating events to endpoints. This process is helpful for early threat detection, as well as for adding context to investigations to better understand attacker behavior.
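The two steps described above, suppressing benign events before they reach an analyst and correlating network data to endpoints to scope a breach, can be shown in a few lines of code. The following Python routine is an added example; it is not from the article or any MDR provider's platform. It takes constructed network flow records and endpoint process events, drops flows to an allowlisted benign destination, flags flows to a watchlisted destination or above a byte-volume threshold, and maps each flagged flow to the host and processes active on that source IP within a five-minute window. Every address, hostname, process name and threshold below is constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample network flow records (not real telemetry).
NETWORK_FLOWS = [
    {"ts": "2024-05-01T10:00:00", "src": "10.0.0.5",  "dst": "203.0.113.50",  "dport": 443, "bytes": 120000},
    {"ts": "2024-05-01T10:02:00", "src": "10.0.0.7",  "dst": "192.0.2.10",    "dport": 443, "bytes": 500000},
    {"ts": "2024-05-01T10:30:00", "src": "10.0.0.9",  "dst": "203.0.113.50",  "dport": 443, "bytes": 90000},
    {"ts": "2024-05-01T10:31:00", "src": "10.0.0.7",  "dst": "198.51.100.20", "dport": 80,  "bytes": 300},
    {"ts": "2024-05-01T10:45:00", "src": "10.0.0.11", "dst": "203.0.113.50",  "dport": 443, "bytes": 4000},
]

# Constructed endpoint process events, keyed by hostname and the IP the
# host held at the time (an endpoint agent would normally supply both).
ENDPOINT_EVENTS = [
    {"ts": "2024-05-01T09:30:00", "host": "ws-finance-01", "ip": "10.0.0.5", "process": "outlook.exe"},
    {"ts": "2024-05-01T10:01:00", "host": "ws-finance-01", "ip": "10.0.0.5", "process": "powershell.exe"},
    {"ts": "2024-05-01T10:02:30", "host": "ws-eng-02",     "ip": "10.0.0.7", "process": "svchost.exe"},
    {"ts": "2024-05-01T10:29:00", "host": "ws-hr-03",      "ip": "10.0.0.9", "process": "rundll32.exe"},
    {"ts": "2024-05-01T10:32:00", "host": "ws-hr-03",      "ip": "10.0.0.9", "process": "cmd.exe"},
]

# Constructed: a destination the SOC is tracking, and a known-benign
# destination (e.g. an internal patch server) whose large downloads are noise.
WATCHLIST = {"203.0.113.50"}
ALLOWLIST = {"192.0.2.10"}
VOLUME_THRESHOLD = 50000  # bytes; constructed threshold for "large" outbound flows


def parse_ts(value):
    return datetime.fromisoformat(value)


def flagged_flows(flows, watchlist, allowlist, threshold=VOLUME_THRESHOLD):
    """Keep flows worth an analyst's attention: to a watchlisted destination or
    above the volume threshold. Allowlisted destinations are dropped first so
    benign bulk traffic never becomes an alert."""
    return [f for f in flows
            if f["dst"] not in allowlist
            and (f["dst"] in watchlist or f["bytes"] >= threshold)]


def endpoint_activity(ip, at, events, window):
    """Endpoint events from the host holding `ip` within +/- `window` of `at`."""
    return [e for e in events
            if e["ip"] == ip and abs(parse_ts(e["ts"]) - at) <= window]


def scope_incident(flows, events, watchlist, allowlist, window=timedelta(minutes=5)):
    """Correlate flagged network flows to endpoint activity and return a
    per-host summary. A flow whose source IP has no endpoint telemetry in the
    window is reported under an 'unresolved:<ip>' key, so the gap in endpoint
    visibility is explicit rather than silently dropped."""
    scope = {}
    for flow in flagged_flows(flows, watchlist, allowlist):
        at = parse_ts(flow["ts"])
        matches = endpoint_activity(flow["src"], at, events, window)
        # If several hosts held this IP in the window (DHCP churn), the first
        # match is used; a production pipeline would resolve by lease time.
        host = matches[0]["host"] if matches else f"unresolved:{flow['src']}"
        entry = scope.setdefault(host, {"flows": 0, "bytes_out": 0,
                                        "processes": set(), "first_seen": flow["ts"]})
        entry["flows"] += 1
        entry["bytes_out"] += flow["bytes"]
        entry["processes"].update(e["process"] for e in matches)
        entry["first_seen"] = min(entry["first_seen"], flow["ts"])
    # Sorted lists give stable output for a report or ticket.
    for entry in scope.values():
        entry["processes"] = sorted(entry["processes"])
    return scope


if __name__ == "__main__":
    for host, entry in scope_incident(NETWORK_FLOWS, ENDPOINT_EVENTS, WATCHLIST, ALLOWLIST).items():
        print(host, entry)
```

Run as-is, the routine reports two resolved hosts with the processes active around each flagged flow, and one unresolved source IP. That last case is the point of keeping network and endpoint data together: the network layer pinpoints where the traffic came from, but without endpoint telemetry for that IP an analyst still cannot say which process was responsible, and the summary makes that gap visible.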
