MDR 101:

What is Managed Detection & Response

We know you want to protect the security of your organization. We know that risk sucks, and you don’t want to accept it…and you shouldn’t have to. Consider this your resource for Managed Detection and Response (MDR) so that you can learn what it takes to eliminate the fear of risk. Here, you can learn how cyber threats are evolving and how to stay ahead of them. You can learn why MDR is such an essential part of a comprehensive security strategy and what it takes to make MDR successful.

So what is MDR exactly?

Managed Detection and Response (MDR) services provide remotely delivered security operations capabilities to quickly detect, investigate, and respond to threats. This is far more than the EDR or SIEM technologies of the past. EDR monitors endpoints, such as workstations or laptops, for suspicious behavior. SIEM collects, analyzes and stores data from EDR and logs from across an organization. However, what was lacking was an effective way to make use of the overwhelming amount of data and alerts that came from EDR and SIEM. MDR takes this chaos and brings order, visibility, and direct action to detect, mitigate and remediate security threats.

“Managed detection and response services provide customers with remotely delivered modern security operations center (MSOC) functions. These functions allow organizations to rapidly detect, analyze, investigate and actively respond through threat mitigation and containment. MDR service providers offer a turnkey experience, using a predefined technology stack (covering areas such as endpoint, network and cloud services) to collect relevant logs, data and contextual information. This telemetry is analyzed within the provider’s platform using a range of techniques. This process allows for investigation by experts skilled in threat hunting and incident management, who deliver actionable outcomes.”

Managed Detection and Response (MDR) Services Reviews and Ratings”, https://www.gartner.com/reviews/market/managed-detection-and-response-services, 2022

Why is Managed Detection and Response important?

In the 2021 Cost of a Data Breach Report, IBM and the Ponemon Institute announced that 2021 had the highest average total cost of data breaches in 17 years, rising to $4.24 million. But the same report also found that the average cost of a breach was USD 1.76 million less at organizations with a mature zero trust approach compared to organizations without zero trust. But what does it cost an organization to take a zero-trust position in dealing with security alerts? On average, a single endpoint will generate 5,000 alerts annually. If a hypothetical business has 2,000 endpoints, it will translate into 10,000,000 alerts per year that security analysts will need to investigate.

Human Cost without MDR

This example is based on an assumption of 8-hour shifts. But an attack rarely comes when it’s convenient. To provide 24×7 protection will require a minimum of 10 individuals, regardless of the size of the organization or the number of alerts generated. With an average annual cost of $75,000 per analyst, that’s a minimum of $750,000 per year.

Many companies may attempt to control costs by only investigating critical- or high-priority alerts. But this can be an expensive mistake as many of today’s ransomware attacks start as attacks that are only detected through medium or low-priority alerts, and by the time they become high-priority alerts, the attacker’s damage is already done.

Providers that offer MDR services can help you take advantage of economies of scale to shrink the total cost of ownership while increasing the expertise and resources you have at your disposal. The analysts provided by an MDR provider work across a variety of industries, enabling you to capitalize on their expertise while taking advantage of the cost efficiencies of not shouldering the entire burden of bringing these individuals on as full-time employees. This type of partner will already have the real estate, technology, and expertise to integrate efficiently with your current environment. Software license costs can be significantly reduced since an MDR vendor can purchase licenses at scale, distributed across their entire client base.

How to select an MDR partner

Once you decide to work with a partner in deploying managed detection and response to your organization, you need to know what to look for in selecting the right vendor. The simple truth is that not all are created equal. Consider asking a potential vendor the following questions as indicators of how they will perform when your organization is facing a threat:

  • How long does your team take to respond to alerts? Are there contractual obligations around this, and do these obligations include SLAs or SLOs? Do these obligations apply to every security alert from the monitored tools?
  • Will my company have access to your SOC as needed or is that an additional charge?
  • Is there any hardware associated with this tool?
  • If my company grows quickly can the MDR tool you’re using scale quickly?
  • Can this tool help me respond to SIEM, EDR, and XDR from one console?
  • Can we investigate and respond to alerts natively from our phones?

The last two questions are particularly important, as they can determine what kind of control and visibility you will have in determining the direction of your new security environment. Information on alerts needs to be accessible from one device and one platform, and it should be accessible at any time and place to ensure critical threat and response information is always available as it happens.

Our MOBILESOC® application enables you to reduce attacker dwell time by accessing our Cyber Operations Risk and Response™ platform right from your phone. You can take action or communicate directly with Critical Start security analysts from anywhere and at any time.

Is it really MDR?

As you’re evaluating solutions, it’s important to determine if what you’re evaluating is a Managed Security Service Provider (MSSP) or true MDR. An MSSP takes incident and event data and monitors it 24×7. But an MSSP can be overly broad and does not dive deeply into the underlying causes of alerts. MDR providers use their own SOC, security processes, and infrastructure to investigate alerts and uncover the hidden reasons behind them. Effective MDRs also have a much deeper and more sophisticated response plan in place to identify both vulnerabilities and threats and then they move forward with an active, dynamic response to resolving those issues.

Endpoint or SIEM? And what about XDR?

Exactly what information should be fed into an MDR process is an interesting question. Many providers simply ingest data from Endpoint Detection and Response tools. These tools primarily search for advanced threats on endpoints, with activities such as registry monitoring, searching for modifications to file structures, and validating signatures. The behavioral analysis ability of these tools also provides a capability for forensics during incident response.

But to be truly effective, MDR must process more. Data from Security Incident and Event Management (SIEM) tools is also essential, as it can identify, monitor, record and analyze security events in real time. It provides a comprehensive and centralized view of the entire security scenario of an IT infrastructure. It can provide correlation to offer context on data and to create relationships based on predefined rules, architecture, or alerts. It’s also adaptable to different vendors, sources of information, and data formats. While many companies neglect SIEM or relegate it to log collection and compliance needs, any MDR approach must be comprehensive enough to make use of all the robust capabilities that SIEM has to offer.

And this comprehensive approach also means using XDR to take the information coming out of EDR and SIEM to the next level. XDR provides something that is missing from both EDR and even SIEM platforms. That something is context. XDR joins related alerts together into security incidents to tell a story. These incidents provide clarity into what’s really happening in an environment while requiring fewer resources to make an actual threat determination. Combining MDR with XDR is the key to helping you operationalize your security investment and reduce risk acceptance.

Extremely Important for Managed Detection and Response: Do they treat every alert as critical?

The most essential component of any successful MDR provider is that every alert collected must be treated equally. With thousands of alerts pouring in from EDR, SIEM, and XDR tools, many vendors will actually disable detection logic to prevent alerts that they feel do not require attention. Others may rank alerts by categories such as critical, high, medium, low or informational, and only focus on the alerts that appear critical (or maybe high if they have the time.)

The problem is that attackers are increasingly being detected through a SIEM platform appearing through medium, low and even informational alerts. A top-down approach to dealing with alerts is simply not sufficient in today’s threat environment.

A far more effective strategy is to use a trust-oriented approach to handling alerts at scale. An MDR vendor should work with their client to determine which alerts indicate normal behavior and can be trusted. Resources can then focus on suspicious alerts, regardless of how threatening they may appear at first, to ensure every alert has the attention it deserves.

How to measure success

When working with an MDR firm, if they have the right team, tools, methodology, and process to protect your organization, then over 99 percent of security alerts should be resolved effectively.

We’ve also found that many companies accept dwell times, or the time from when an incident is first detected to the final resolution, of 100 days or more. With the right MDR in place, we’ve found that dwell time should be 22 minutes on average.

How Critical Start achieves these types of results

The Critical Start approach to MDR follows all of the highly successful strategies outlined here and through an industry-first combination of the following:

  • Resolution of every alert
  • A zero-trust policy toward alerts by building a trusted, known-good registry
  • Total 100 percent transparency for client teams, including the industry’s first MOBILESOC®, where you can remotely resolve and remediate endpoints and collaborate with security analysts with full audit trails.
  • Integration with industry-leading security tools, including:
    • Microsoft 365 Defender, Defender for Endpoint, Defender for Cloud, and Sentinel
    • Palo Alto Networks Cortex XDR
    • CrowdStrike
    • SentinelOne
    • VMware Carbon Black
    • Splunk
    • BlackBerry Protect

How to Implement Managed Detection and Response

Once you have selected an MDR partner, there’s several things to keep in mind to ensure a successful relationship. Your new partner must be willing to work with you to develop a registry of known-good and safely trusted alerts so that the MDR team knows exactly where to focus their attention. They need to clearly define roles and processes to help you understand the relationship so that both partner and internal teams can maximize their performance. They need to provide thorough training and a constant point of contact so that everyone within your organization feels comfortable with the level of provided protection. And your partner must be ready to constantly evolve to help you stay ahead of a shifting threat matrix.

Join us at RSA Conference - booth #449 South!
This is default text for notification bar