Secon Cyber has been offering its Managed Detection and Response (MDR) service for around four years. The service was initially developed to address pain points the organisation was facing internally: limited resources, no time to inspect security logs and software consoles, and a growing number of tools and solutions in use. Knowing that clients all too often faced the same industry-wide issues, the MDR service was first offered to them as a proof of concept, with both sides learning from it. That proof of concept eventually snowballed into a full solution addressing clients' pain points and enhancing their experience, and from it was born our in-house developed value proposition: Secon Cyber's Managed Detection and Response Service. More recently, as part of our service enhancement, the console itself has developed into an easier-to-read, risk-based dashboard showing open calls, the state of your estate and the status of logs and events. Further screens allow you to drill down into this information, but the top-level console gives a clear and simple overview.
In May 2016 Gartner produced a report which outlined the MDR market, stated what an MDR service should be and predicted how the market would grow, develop and respond. Here at Secon Cyber we had been eagerly awaiting the release of Gartner's latest report: their current insights on MDR services, how the market has evolved over the past couple of years, future market predictions and the latest trends. It is also interesting to analyse how Gartner's view of client service-level expectations matches or differs from our clients' needs, and to compare Secon Cyber's roadmap with Gartner's predictions. Well, on 11th June 2018 that keenly awaited report finally arrived, and it makes interesting reading.
Perhaps we should start at the beginning and explain what MDR is, or at least how Gartner define the market now.
“Managed detection and response (MDR) providers deliver 24/7 threat monitoring, detection and lightweight response services to customers leveraging a combination of technologies deployed at the host and network layers, advanced analytics, threat intelligence, and human expertise in incident investigation and response. MDR providers undertake incident validation, and can offer remote response services, such as threat containment, and support in bringing a customer’s environment back to some form of ‘known good’.”
This market definition hasn't changed a great deal in two years, but it has become more explicit, with the key indicators now highlighted. Obviously the service needs to be continuously monitored and available 24/7, but four elements of the service are now specifically called out: detection, investigation, validation and response.
Many people will think that this is what their MSSP is supposed to do, but that's not quite correct. An MSSP is more like someone reading the time off your own watch: you have the tools in place, and the MSSP will leverage those tools and highlight issues and problems, leaving you to interpret them, investigate, rule out the false positives and remediate any issues. An MDR provider takes on the investigation, validation and initial response itself.
Who needs it?
This question has been asked many times and has a number of different answers. If you are a very security-mature organisation you might not benefit a great deal from an MDR service. However, if you are a large organisation building a SOC, MDR allows you to build out your own environment whilst leveraging the skills and experience of an MDR provider. If you're not at that level and don't have 24/7 support, MDR will provide you with the eyes and ears required.
The Gartner report also states that organisations who use an MSSP, or have outsourced some elements of security (especially security event management), often report "unmet expectations" and "negative experiences", or question why they have "little to show for the money they spent".
Is it expensive?
An MDR service, according to Secon Cyber and backed up by the Gartner report, should allow organisations to identify and respond to threats in a cost-effective manner. Compared with the cost of implementing a full SIEM system, or deploying one with the aid of an MSSP, MDR is often much cheaper, and many MDR providers will offer it as a variable, scalable, monthly recurring charge. Cost and cost-effectiveness were also highlighted in the 2017 Cisco Annual Cybersecurity Report, which noted that security professionals aren't sure they are getting true value from their solutions. In fact, that report indicated that many organisations aren't using their existing tools to their full capability, and this was particularly true of SIEM solutions. The reality is that many security tools are complicated to set up, need dedicated hardware and/or software and skilled resources to configure and manage, and take a lot of time and effort, and therefore money, to maintain effectively.
What about MSSPs?
Again, MSSPs may be useful for mature organisations with solid processes in place that can react to and deal with the issues identified. The Gartner report includes a very useful table comparing the two service types, re-created here in its entirety.
Where will it go next?
So, what are Gartner predicting? As they did in 2016, Gartner predict that many more MSSPs will offer MDR-type services. We are also seeing traditional vendors entering the Endpoint Detection and Response (EDR) market: they know their own platforms and are starting to offer managed services under the EDR heading. Other vendors, such as Trend Micro, have launched their own MDR service, though it doesn't necessarily match the Gartner definition. However, vendor offerings tend to be based wholly on their own products or product suites and are often very limited, especially when compared with organisations that have offered MDR services for many years, such as Secon Cyber.
Other predictions, unsurprisingly, include the use of advanced analytics, machine learning and artificial intelligence (AI) to detect attacks, and a requirement to monitor cloud-delivered or cloud-based services (SaaS and IaaS). Integration with a Cloud Access Security Broker (CASB) solution can extend coverage and visibility into the cloud, and some MDR providers are implementing some form of this in their offering.
Secon Cyber's own roadmap features some of this: it integrates log management, then looks more toward user and entity behaviour analytics (UEBA) and integrated threat intelligence, whilst extending the range of monitored devices and applications to include Industrial Control Systems (ICS) and Internet of Things (IoT) devices.
Gartner are still suggesting that organisations use MDR to augment their existing security posture, and that those who lack resources or maturity should be evaluating MDR providers. In 2016 it was predicted that 15% of organisations would use an MDR service by 2020. At that time adoption was around 1%, whereas today it is around 5%, so Gartner are on track to meet that prediction. The big win for MDR over SIEM or an MSSP is the gap between time to detect and time to respond. Lots of organisations can detect threats quickly, but few are able to respond within an appropriate time frame. MDR addresses this, and at a price point that should be affordable.
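The detect-versus-respond gap above is easy to measure once you record three timestamps per incident: first malicious activity, when the alert fired, and when containment completed. The following is an added example, not code from the original page or from Secon Cyber; it uses a constructed set of four incidents and an assumed four-hour response target to compute mean time to detect (MTTD), mean time to respond (MTTR) and which incidents missed the target.

```python
from datetime import datetime, timedelta

# Constructed sample incidents (not real data). Times are ISO 8601, UTC.
# first_activity: earliest evidence of the attacker on the estate
# detected:       when the alert was raised
# contained:      when the threat was contained / the estate returned to "known good"
INCIDENTS = [
    {"id": "INC-1", "first_activity": "2018-06-01T02:00:00", "detected": "2018-06-01T02:15:00", "contained": "2018-06-03T02:15:00"},
    {"id": "INC-2", "first_activity": "2018-06-02T10:00:00", "detected": "2018-06-02T10:30:00", "contained": "2018-06-02T13:30:00"},
    {"id": "INC-3", "first_activity": "2018-06-04T00:00:00", "detected": "2018-06-04T01:00:00", "contained": "2018-06-05T01:00:00"},
    {"id": "INC-4", "first_activity": "2018-06-05T08:00:00", "detected": "2018-06-05T08:15:00", "contained": "2018-06-05T12:15:00"},
]

# Assumed response target (hypothetical, not from the page): contain within 4 hours of detection.
RESPONSE_SLA = timedelta(hours=4)


def _ts(value):
    """Parse an ISO 8601 timestamp string into a datetime."""
    return datetime.fromisoformat(value)


def incident_times(incident):
    """Return time-to-detect and time-to-respond for one incident as timedeltas.

    time_to_detect  = detected - first_activity   (attacker dwell before the alert)
    time_to_respond = contained - detected        (how long the alert sat before containment)
    """
    first, detected, contained = (_ts(incident[k]) for k in ("first_activity", "detected", "contained"))
    if not first <= detected <= contained:
        raise ValueError(f"{incident['id']}: timestamps are not in order")
    return {"time_to_detect": detected - first, "time_to_respond": contained - detected}


def _hours(delta):
    return delta.total_seconds() / 3600


def summarise(incidents):
    """Mean time to detect and mean time to respond, in hours, across all incidents."""
    times = [incident_times(i) for i in incidents]
    return {
        "incidents": len(times),
        "mttd_hours": sum(_hours(t["time_to_detect"]) for t in times) / len(times),
        "mttr_hours": sum(_hours(t["time_to_respond"]) for t in times) / len(times),
    }


def over_sla(incidents, sla=RESPONSE_SLA):
    """IDs of incidents whose time to respond exceeded the response target."""
    return [i["id"] for i in incidents if incident_times(i)["time_to_respond"] > sla]


if __name__ == "__main__":
    summary = summarise(INCIDENTS)
    print(f"MTTD: {summary['mttd_hours']:.2f} h   MTTR: {summary['mttr_hours']:.2f} h")
    print("Missed response target:", over_sla(INCIDENTS))
```

On the constructed data every incident is detected within an hour (MTTD of half an hour), yet the mean time to respond is nearly twenty hours and half of the incidents miss the four-hour target; that ratio, rather than detection speed alone, is the figure to ask a prospective MDR provider to commit to.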
Secon Cyber have a mature MDR offering, based on some of the industry's leading solutions and backed by highly skilled, highly trained and highly motivated engineers. For more information, or for a demonstration of the MDR solution, please contact us using the link here.