Managed Detection & Response, or MDR, has been generating some buzz in the security industry. Last year, Gartner created a separate research category for MDR and began publishing reports on it. Vendors took notice and started marketing their services as MDR offerings. What does all of this mean to you?
What is Managed Detection & Response?
There doesn’t seem to be a fully agreed-upon definition of MDR, but the general characteristics are:
- Vendor-provided technology for threat detection
- Monitoring and analysis by human security analysts
- Possibly the use of threat intelligence or data analytics
MDR services are meant to complement or fill gaps in existing security teams. Implementing more advanced security technologies can be a time-consuming and frustrating process, and the pain doesn’t end when the product is installed. Your staff will need to spend time continuously tuning the solution, triaging the alerts it generates, and then investigating and responding to the incidents that turn out to be real.
Organizations are increasingly looking for service providers that can solve these challenges.
How is MDR different from MSSP?
Traditionally, companies have turned to Managed Security Service Providers (MSSPs) to supplement internal IT teams. MSSPs have historically focused on perimeter devices like firewalls and IDS/IPS, and on device management services such as updating firewall rules and monitoring utilization.
MDR services might include firewall log monitoring, but also focus on detecting threats that have penetrated the perimeter. These threats are becoming more prevalent as attackers improve their methods of circumventing signature-based defenses.
The different emphasis often shows up in the service deliverables. MSSPs tend to commit to SLAs based on service requests for managed devices (for example, turnaround time on a firewall rule change). MDRs, on the other hand, commit to deliverables like time-to-notification for a confirmed threat and, possibly, remediation guidance.
Is MDR actually different from MSSP?
While there’s some truth to the differences above, in reality there is a range of vendors with different capabilities, and it might not be easy, or even productive, to sort them into two buckets. MDR providers will probably not offer device management, and MSSPs tend to be weak on remediation guidance and to rely on third-party technology. However, there is also plenty of overlap between the two these days.
Instead of trying to sort vendors into categories, you should judge vendors by how well they help you meet your security operations and compliance goals.
Where does SOCVue fit in?
SOCVue is security-as-a-service built on our Security Operations and Analytics Platform. SOCVue provides the people, process and technology needed to meet security and compliance objectives.
We’ll let the analysts figure out how to label us. Instead we’re laser-focused on providing superior service, and helping our customers through:
- 24x7 security monitoring, investigation and remediation guidance
- Proactive vulnerability management and automated patching
- Correlation with external threat intelligence
- Integrated operational workflows, ticketing, and reporting
Call it what you want: SOCVue’s deliverables provide a turn-key solution for the security monitoring, vulnerability management, and patch management requirements in HIPAA, FFIEC, PCI and numerous other security best-practice frameworks.