After Gartner released its 2018 MDR Guide, we noticed it addressed many of the differences between the offerings of MSS and MDR that we called out back in November. So, with a small refresh, enjoy this (slightly biased) insider perspective.
Original blog posted on 23, November 2017.
Just what is this category people keep talking about? Why is everyone saying they do EDR/MDR? For those in the multi-billion dollar Managed Services business prepare to be disrupted! Time to stop Marketecture FUD and go beyond the hype of AI/Machine Learning jargon overload and get the facts plain and simple. Here is the real difference between Managed Detection and Response (MDR) and MSS providers.
MDR: Makes Their Own Stack
General purpose security operations centre (SOC) tools are nice, but a well-honed set of proprietary tools will help an experienced team actually find and stop threats. Using a SIEM, EDR, and Firewall and calling it MDR will land you in trouble: they do not scale with your business. They also don’t integrate, so you won't find out which process is the root cause of your IPS alert.
MSS: Work Coverage is Priority
You are looking for people who can make changes and monitor availability 24-hours a day in your MSS. Typically MSSs have an objective of keeping systems up all the time (sometimes 99.999%). Why ask for that? When I was working for a large outsourcer, I found it strange that the contracts came from the networking group taking over security, and that the contract SLA on firewalls was the same at 24/7. It was based on the idea that if the Internet is down, the business is down. However, we found an issue with this model with MDR: people were sleeping. That’s why our combination of automation and human responses protects you 24/7. When there is a breach, we are the ones awake at night responding to it.
MDR vs. MSS: Better to Respond Than to Notify
As described in the last section, notification is insufficient. That’s why a critical capability of true MDR is to actually do something when a security incident occurs. Specifically, contain or eliminate the threat. If your MDR doesn't come with a networking component or EDR (Endpoint Detection and Response Agent) which can kill processes, shut-down ports or change VLANs, then the best they can do is tell you what happened. That is annoying when you have outsourced the security management and not just the detection. Ensuring you can respond is vital in evaluating the difference: an MSS only notifies users or makes changes to managed equipment - which almost never includes the endpoint.
MSS: The Vendor Will Manage Whatever You Have
MDR is not about outsourcing your firewalls, servers or rack-space. There are plenty of companies that do that. It's about finding the 10% of security problems which bypass traditional firewall and anti-virus security and responding to them. That means collecting data from your tools and your endpoints to find out if you can or have been breached, not managing them and alerting you.
MDR vs. Building a SOC
If you have a SOC staffed with multiple engineers, analysts, several firewalls and round-the-clock surveillance, then delete this site from your browsing history. Companies choose MDR so they won’t need to build their own SOC. MSS vendors can still layer in service hours or other components to augment your team managing a SOC themselves or support you during off hours.
In conclusion, most medium-sized enterprises (MSEs) look to MDR to find the threats that Firewalls and AV don’t capture. Combining threat intelligence, endpoint/network data, security hygiene and anomaly information is what MDR is all about. Making a case for MSS requires buying technology, hiring qualified people, and training and retaining them. Leveraging such services on point-products is typically not scalable, nor can an MSE use them to ensure their minimal cybersecurity budget keeps them secure.