Mark Nicholls
What is Managed Detection and Response (MDR)?
All organizations should have access to the skills needed to detect and contain threats. But, typically, only the very largest enterprises can afford the millions in annual staff and infrastructure investments required to maintain a Security Operations Center (SOC).
Even then, large in-house teams often only see their own environments and may not have frontline visibility to the latest threat tactics and techniques, leading to gaps in incident response (IR) and containment capability. Small and midsized businesses often struggle to recruit and retain enough experienced analysts to keep their small workday teams at full strength. These issues are exacerbated by the ongoing global talent shortage, alert fatigue, and the relentless pressure to secure an expanding attack surface rife with newly discovered vulnerabilities for threat actors to exploit.
Managed Detection and Response (MDR) services can help ameliorate these challenges by providing the people, processes, and technologies in a turn-key way to strengthen an organization’s security posture and reduce its risk exposure. This buyer’s guide assesses today’s MDR market space and the key criteria for selecting a suitable MDR partner.
In this video, Michael Cowley, head of solutions engineering for Cyber Risk, shares key takeaways for organizations looking for the right MDR solution.
Your MDR provider search should begin with a disciplined self-assessment of the outcomes you want to achieve with an MDR service. In addition to preventing breaches, what other specific outcomes should you hope to achieve? Here are the key outcomes that justify the need for MDR:
One drawback of the defense-in-depth approach to security has been the rapid proliferation of stove-piped security tools ingesting billions of events and churning out thousands of alerts daily. Many are false positives, which must still be triaged, investigated, and resolved by over-burdened security teams.
An MDR partner should be able to minimize this noise by continuously tuning and updating detection analytics and rulesets so that only true positive alerts are prioritized for investigation. They can also help identify and close gaps in your security architecture by correlating detection events to events reported in threat intelligence feeds or mapped to tactics, techniques, and procedures (TTPs) cataloged in the MITRE ATT&CK framework.
An MDR provider should help minimize attacker dwell time by rapidly identifying threats and indicators of compromise (IoCs) concealed within your endpoint, network, and cloud system telemetry. As evidence, they should convincingly demonstrate their ability to optimize metrics such as Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) through multiple methods such as ongoing threat research, detection engineering, automation, and analyst training.
An MDR provider should also help prevent an initial intrusion from escalating into a catastrophic breach by moving swiftly to contain and remediate threats. This may include such tasks as terminating malicious processes, removing persistence mechanisms from the file system or Windows registry, and isolating compromised systems from the network.
Often organizations mistakenly wait until a breach is discovered to bring in IR experts. By this time, business interruption may have already occurred, and the goal is simply to understand what happened and limit further damage. If an intrusion is suspected, bringing in this expertise as quickly as possible can get you ahead of the game to contain the threat and identify related malicious activity in other systems. Having an IR team working hand-in-hand with the SOC team streamlines the threat investigation, remediation and recovery processes. However, most MDR providers today subcontract IR support to a third party, which can introduce unacceptable delays in response and remediation and can result in finger-pointing between the MDR vendor and its sub-contractor. Common causes for critical delays in these scenarios involve getting the IR team up to speed and having to deploy a new set of agents capable of running adequate remote live forensics.
MDR is a growth market that many security firms are attempting to enter, so it’s often helpful to consider how well a company’s core business competencies align with its MDR claims.
MSSPs have traditionally focused on monitoring and managing firewalls, virtual private networks (VPNs), endpoints, and other devices. By outsourcing these functions, clients can deploy a baseline security infrastructure without adding headcount. The cost avoidance benefits are somewhat offset by a shared security model that requires clients to manage and investigate the resulting alerts. Some mature MSSPs have accepted responsibility for alert management and orchestration in recent years. However, very few provide a comprehensive MDR solution that includes threat hunting, incident response, and remediation. Consequently, most MSSPs remain poorly positioned to deploy and manage a complex, multi-layered security stack that provides the enterprise-wide visibility necessary for effective detection and response.
Product Vendors
In this model, clients outsource management and maintenance of the vendor’s security products to their implementation and support teams. Products are often supplied on a subscription basis, enabling the client to avoid capital expenditures. Vendors of security information and event management (SIEM) platforms and endpoint detection and response (EDR) systems often promote their ability to develop and deploy customized detection and response rulesets to complement default “out-of-the-box” features. Others offer ancillary services to expand their reach by ingesting and correlating telemetry from other vendors’ security tools. However, the intrinsic limitations of the product-centric approach impair their ability to detect and trace a kill chain across the enterprise attack surface or provide the proactive threat hunting, incident response, and remediation services required to meaningfully reduce a client’s risk exposure. Over time, changes in the competitive product landscape may leave an organization stuck with an outdated or inferior solution without an easy migration path and continuity of services over the long term.
MDR Providers
MDR is a natural evolution away from the historical focus on throwing alerts ‘over the fence’ for the customer’s team to deal with. MDR service providers should act as a partner, working as an extension of your in-house security team, reducing or eliminating the operational workload of monitoring alerts around the clock and adding threat detection, investigation, hunting and response expertise so you can focus on other strategic aspects of your security program or business. MDR providers should be flexible enough to scale the detection and response work as your maturity evolves and needs change, while being transparent with their detections and response processes. Leading providers are technology agnostic, leveraging both proprietary methods and the native capabilities of each security tool to collect, correlate, and investigate alerts and telemetry from across the enterprise. Clients benefit from a multi-disciplinary approach to MDR that is inherently flexible, scalable, efficient, and effective for the long run.
It's important to evaluate MDR service providers based on their maturity, scope of services, and alignment with the outcomes identified.
Choosing an MDR partner begins with objectively defining what you want to achieve from the service. What gaps exist in your security program and skill sets? What outcomes are you hoping to realize?
Having defined these expectations, you can begin assessing potential MDR partners. The questions above will help you distinguish candidates by type, service maturity, expected outcomes, global footprint, and much more. Once you have a short list, consider intangibles, such as the vendor’s reputation in the industry, ancillary and related services, and degree of alignment with your business culture.
Kroll leverages its unrivaled IR experience and frontline intelligence to run a round-the-clock global MDR service providing active response using seasoned incident responders, not just monitoring analysts. In 2014, Redscan, now a part of Kroll, became one of the first full-service MDR providers, pioneering the approach of layering custom detection analytics and hunting procedures over the security tooling (EDR, SIEM, NDR etc.), investigating the threats and responding on behalf of the customer. Today, Kroll Responder is now one of the only solutions in the market that delivers MDR with what we call “Complete Response”.
At Kroll, we believe the ‘Response’ aspect of MDR shouldn’t leave you hanging. Our response goes as far as you need it to, closing the gap between merely containing the threat to actively removing it across all affected systems and quickly understanding the root cause, to ensure it doesn’t happen again. Our Responder MDR service is backed by the same Kroll IR experts that handle thousands of high-profile breach investigations annually. We extend that service to our customers, which means they get the value of remote digital forensics and incident response without the additional cost.
Kroll Responder MDR for Microsoft: Threat Detection and Complete Response on Microsoft's Ecosystem
In this video, Kroll Managing Director Pierson Clair explains how Kroll Responder, our managed detection and response solution, seamlessly integrates with Microsoft Sentinel, Microsoft 365 Defender and Microsoft Defender for Cloud to deliver continuous threat visibility, hunting and Complete Response across their Microsoft and third-party environments.
Cloud Security Services
Kroll’s multi-layered approach to cloud security consulting services merges our industry-leading team of AWS and Azure-certified architects, cloud security experts and unrivalled incident expertise.
MDR and Cloud Security Case Studies
