Defining MDR and MSS


By Jack Danahy, SVP and Chief Evangelist, Alert Logic

Complexity has become the defining characteristic of cybersecurity today. Cyber threats have become more sophisticated and automated while security teams are being asked to protect a rapidly expanding attack surface. As the challenge of meeting these threats has become increasingly complicated, so too have the tools designed to address them. Few businesses have the necessary resources or security expertise to untangle these knotty issues, making protecting their assets an uphill battle.

In this environment, no level of investment can provide complete immunity from attacks, and new attention and urgency have been given to rapid detection and efficient response. Companies are increasingly turning to a new kind of managed security service - managed detection and response (MDR). As with any new approach, there is confusion about the benefits and definition of MDR, from the security outcomes that should be expected to how it differs from traditional managed security services (MSS). By resolving these questions, businesses will be able to recognize and extract maximum value from MDR.

The role of traditional MSS

Organizations of all sizes use MSS as an extension of their in-house security operations. The company is able to partially or fully outsource a range of common but critical tasks like firewall management, anti-virus, intrusion prevention and detection, and compliance reporting. Organizations tap into external security expertise and resources at manageable cost, and the MSS provides a basic level of security.

Potential security incidents are identified by matching monitoring data against rules and signatures, and MSS providers decide which alerts to send. The company is then left to investigate these alerts and determine their relevance and the appropriate response. While these services have helped resource-constrained security teams extend their capabilities, they are not designed to help organizations respond to the active, sophisticated threats seen in today's more aggressive threat landscape. The result is a high noise level, alert fatigue, and an inability to identify and respond quickly to attacks in progress.

Traditional MSS are also limited in threat detection. The data produced by a combination of multiple disjointed tools and services isn't easily normalized for analysis, making it difficult to detect more complex threats. Proactive threat identification, such as threat hunting and user behavior analytics, is usually absent from these services.

So, while traditional MSS delivers security management capabilities, it isn't designed or equipped to respond to today's barrage of security incidents, threats, and vulnerabilities. The MSSP's expertise is in configuring and monitoring security technology: managing the systems, maintaining their health, and providing the output from them back to the organizations they serve. They cannot investigate or contextualize alerts or respond to a fast-spreading attack. This is where MDR comes in.

What is MDR?

MDR sits under the umbrella of MSS, but MDR isn't focused on device management. MDR services reduce the likelihood or impact of successful attacks, proactively monitoring, detecting, and responding to new vulnerabilities and threats across an organization.

MDR services collect and analyze data from across the organization's network, endpoints, servers, and cloud to detect advanced threats. Analyzing this data employs advanced techniques that start with continuous threat intelligence to maintain visibility into current threats and vulnerabilities across all of these platforms. The high volume of monitoring and threat data is then processed and distilled through the use of machine learning and behavioral analytics to identify security events. Together, these methods enable MDR analysts to identify new threats, prioritize alerts based on the business's unique environment, and respond quickly to vulnerabilities and attacks.

MDR delivers a much higher level of guided expertise and human contact around alert data than does traditional MSS. MSSPs emphasize automation with little human security support, whereas MDR always integrates the expertise of a range of dedicated security professionals in validating and communicating alerts. These analysts, incident responders, and threat hunters deliver hands-on services tailored to the organization's unique needs.

As a result, MDR providers detect verifiable threats and help the organization determine and execute the most effective response. Organizations are given the option to respond on their own, to act in conjunction with the MDR provider, or to fully rely on the MDR provider's response capabilities. Depending on the nature of the security event, the response actions will include some or all elements of investigation, notification, containment, elimination, and remediation.

What to look for in an MDR solution

In response to growing market demand, some traditional MSSPs are renaming their existing solutions as MDR. Others are adding new services in an effort to deliver MDR. With no universally accepted definition, offerings have to be evaluated based on the outcomes that MDR should provide.

The purpose of MDR is to reduce the likelihood or impact of a successful attack. To do that, MDR must be continuously refreshed with research on new and evolving threats. It has to maintain a high level of visibility across all of an organization's assets. And it must accurately identify attacks in progress to mitigate the damage that can be caused. These principles and others are outlined in the MDR Manifesto, a document created with input from analysts, experts, partners, and practitioners in the security space. Together these tenets provide the groundwork for defining the capabilities and value organizations should expect to get from an MDR provider.

MDR in demand

MDR isn't just a new acronym for MSS; it requires investment in a different type of data-gathering infrastructure, analytics, response capabilities, and analysts. While it can be part of a larger MSS solution, it provides a different and specific outcome: minimizing the impact of threats on an organization. Addressing the constant change and advanced actors in today's sophisticated threat landscape requires tools and skills most businesses don't have. MDR fills this gap, providing an effective and affordable way to strengthen an organization's security posture.


Next Up: Defining Detection Left of Boom and Right of Boom


About the Author

Jack Danahy 

Jack Danahy is SVP and Chief Evangelist at Alert Logic, where he applies nearly 30 years of security experience to the challenge of managed detection and response (MDR). He is an innovative security leader with proven success creating, delivering, and evangelizing new security approaches. He has founded three successful security companies, most recently the endpoint and behavioral analytics firm Barkly, acquired by Alert Logic in 2019. In 1999, Jack founded Qiave Technologies (acquired by WatchGuard Technologies in 2000) and in 2003, he started application security pioneer Ounce Labs (acquired by IBM in 2009). At IBM, Danahy was Director for Advanced Security, and also led the delivery of security services for IBM across North America. Jack holds a dozen security patents and is a frequent writer and speaker on a wide range of security topics.

Published Wednesday, June 24, 2020 8:25 AM by David Marshall