MDR 101:
What is Managed Detection & Response
We know you want to protect the security of your organization. We know that risk sucks and you don’t want to accept it…and you shouldn’t have to. Consider this your resource for Managed Detection and Response (MDR) so that you can learn what it takes to eliminate the fear of risk. Here you can learn how cyberthreats are evolving and how to stay ahead of them. And you can learn why MDR is such an essential part of a comprehensive security strategy and what it takes to make MDR successful.
Managed Detection and Response (MDR) services provide remotely delivered security operations capabilities to quickly detect, investigate and respond to threats. This is far more than the EDR or SIEM technologies of the past. EDR monitors endpoints, such as workstations or laptops, for suspicious behavior. SIEM collects, analyzes and stores data from EDR and log data from across an organization. But what was lacking was an effective way to make use of the overwhelming amount of data and alerts that came from EDR and SIEM. MDR takes this chaos and brings order, visibility and direct action to detect, mitigate and remediate security threats.
“Managed detection and response services provide customers with remotely delivered modern security operations center (MSOC) functions. These functions allow organizations to rapidly detect, analyze, investigate and actively respond through threat mitigation and containment. MDR service providers offer a turnkey experience, using a predefined technology stack (covering areas such as endpoint, network and cloud services) to collect relevant logs, data and contextual information. This telemetry is analyzed within the provider’s platform using a range of techniques. This process allows for investigation by experts skilled in threat hunting and incident management, who deliver actionable outcomes.”
Why is Managed Detection and Response important?
In the 2021 Cost of a Data Breach Report, IBM and the Ponemon Institute announced that 2021 had the highest average total cost of data breaches in 17 years, rising to $4.24 million. But the same report also found that the average cost of a breach was $1.76 million less at organizations with a mature zero trust approach, compared to organizations without zero trust. But what does it cost an organization to take a zero trust position in dealing with security alerts? On average, a single endpoint will generate 5,000 alerts annually. If a hypothetical business has 2,000 endpoints, that translates into 10,000,000 alerts per year that security analysts will need to investigate.
This example is based on an assumption of 8-hour shifts. But an attack rarely comes when it’s convenient. Providing 24×7 protection will require a minimum of 10 individuals, regardless of the size of the organization or the number of alerts generated. With an average annual cost of $75,000 per analyst, that’s a minimum of $750,000 per year.
Many companies may attempt to control costs by only investigating critical- or high-priority alerts. But this can be an expensive mistake: many of today’s ransomware attacks begin with activity that is only detected through medium- or low-priority alerts, and by the time they generate high-priority alerts, the attacker’s damage is already done.
Providers that offer services like Managed Detection and Response (MDR) can help you take advantage of economies of scale to shrink total cost of ownership while increasing the expertise and resources you have at your disposal. The analysts provided by an MDR provider work across a variety of industries, enabling you to capitalize on their expertise while taking advantage of the cost efficiencies of not shouldering the entire burden of bringing these individuals on as full-time employees. This type of partner will already have the real estate, technology, and expertise to integrate efficiently with your current environment. Software license costs can be significantly reduced, since an MDR vendor can purchase licenses at scale, distributed across their entire client base.
Once you decide to work with a partner in deploying managed detection and response to your organization, you need to know what to look for in selecting the right vendor. The simple truth is that not all are created equal. Consider asking a potential vendor the following questions as indicators of how they will perform when your organization is facing a threat:
The last two questions are particularly important, as they can determine what kind of control and visibility you will have in determining the direction of your new security environment. Information on alerts needs to be accessible from one device and one platform, and it should be accessible at any time and place to ensure critical threat and response information is always available as it happens.
Our MOBILESOC® application enables you to access our Zero-Trust Analytics Platform® (ZTAP®) right from your phone. You can take action or communicate directly with Critical Start analysts from anywhere.
As you’re evaluating solutions, it’s important to determine if what you’re evaluating is a Managed Security Service Provider (MSSP) or true MDR. An MSSP takes incident and event data and monitors it 24×7. But an MSSP can be overly broad and does not dive deeply into the underlying causes of alerts. MDR providers use their own SOC, security processes and infrastructure to investigate alerts and uncover the hidden reasons behind them. Effective MDRs also have a much deeper and more sophisticated response plan in place to identify both vulnerabilities and threats, and then they move forward with an active, dynamic response to resolving those issues.
Exactly what information should be fed into an MDR process is an interesting question. Many providers simply ingest data from Endpoint Detection and Response tools. These tools primarily search for advanced threats on endpoints, with activities such as registry monitoring, searching for modifications to file structures and validating signatures. The behavioral analysis ability of these tools also provides a capability for forensics during incident response.
But to be truly effective, MDR must process more. Data from Security Information and Event Management (SIEM) tools is also essential, as it can identify, monitor, record and analyze security events in real time. It provides a comprehensive and centralized view of the entire security posture of an IT infrastructure. It can correlate events to provide context and to create relationships based on predefined rules, architecture or alerts. It’s also adaptable to different vendors, sources of information and data formats. While many companies neglect SIEM, or relegate it to log collection and compliance needs, any MDR approach must be comprehensive enough to make use of all the robust capabilities that SIEM has to offer.
And this comprehensive approach also means using XDR to take the information coming out of EDR and SIEM to the next level. XDR provides something that is missing from both EDR and even SIEM platforms. That something is context. XDR joins related alerts together into security incidents to tell a story. These incidents provide clarity into what’s really happening in an environment while requiring fewer resources to make an actual threat determination. Combining MDR with XDR is the key to helping you operationalize your security investment and reduce risk acceptance.
The most essential component of any successful MDR provider is that every alert collected must be treated equally. With thousands of alerts pouring in from EDR, SIEM and XDR tools, many vendors will actually disable detection logic to prevent alerts that they feel do not require attention. Others may rank alerts by categories such as critical, high, medium, low or informational, and only focus on the alerts that appear critical (or maybe high, if they have the time).
The problem is that attackers are increasingly being detected through a SIEM platform via medium, low and even informational alerts. A top-down approach to dealing with alerts is simply not sufficient in today’s threat environment.
A far more effective strategy is to use a trust-oriented approach to handling alerts at scale. An MDR vendor should work with their client to determine which alerts indicate normal behavior and can be trusted. Resources can then focus on suspicious alerts, regardless of how threatening they may appear at first, to ensure every alert has the attention it deserves.
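To make the contrast concrete, here is a small Python model of the two triage strategies described above. It is an added illustration, not Critical Start’s code or the logic of its platform; the alert fields, the registry structure and the sample alerts are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    """One alert as an MDR platform would receive it from EDR, SIEM or XDR (assumed fields)."""
    alert_id: str
    source: str      # tool that raised it: EDR, SIEM, XDR
    severity: str    # critical, high, medium, low, informational
    rule: str        # name of the detection rule that fired
    host: str
    user: str


@dataclass
class TrustedBehaviorRegistry:
    """Known-good behaviour agreed with the client (hypothetical structure)."""
    entries: list = field(default_factory=list)

    def add(self, **fields):
        # An entry lists alert fields that must ALL match for the alert to count as trusted.
        self.entries.append(fields)

    def is_trusted(self, alert):
        return any(all(getattr(alert, k) == v for k, v in e.items()) for e in self.entries)


def severity_triage(alerts, investigate=("critical", "high")):
    """Top-down triage: only alerts at or above a severity threshold are looked at."""
    return [a for a in alerts if a.severity in investigate]


def trust_triage(alerts, registry):
    """Trust-oriented triage: every alert NOT matching known-good behaviour is investigated."""
    return [a for a in alerts if not registry.is_trusted(a)]


def queue_ids(alerts):
    return [a.alert_id for a in alerts]


# Constructed sample alerts (not real data): A1/A2 are loud but expected, A3-A5 are quiet precursors.
SAMPLE_ALERTS = [
    Alert("A1", "EDR", "critical", "credential-dumping tool detected", "vulnscan01", "svc_scanner"),
    Alert("A2", "SIEM", "high", "remote admin tool executed", "jumpbox01", "it_admin"),
    Alert("A3", "SIEM", "low", "new scheduled task created", "ws-finance-07", "jdoe"),
    Alert("A4", "EDR", "medium", "archive utility writing to network share", "ws-finance-07", "jdoe"),
    Alert("A5", "SIEM", "informational", "new local administrator added", "ws-finance-07", "jdoe"),
]

REGISTRY = TrustedBehaviorRegistry()
REGISTRY.add(rule="credential-dumping tool detected", host="vulnscan01", user="svc_scanner")  # authorised scanner
REGISTRY.add(rule="remote admin tool executed", host="jumpbox01", user="it_admin")            # approved admin path
```

Severity-only triage queues only A1 and A2, both of which the registry already explains, and never looks at the three low-rated alerts on ws-finance-07; trust-oriented triage queues exactly those three, and the same scanner rule firing on a different host is still investigated because the whole entry must match.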
When working with an MDR firm, if they have the right team, tools, methodology and process to protect your organization, then over 99 percent of security alerts should be resolved effectively.
We’ve also found that many companies accept dwell times, or the time from when an incident is first detected to the final resolution, of 100 days or more. With the right MDR in place, we’ve found that dwell time should be 22 minutes on average.
The Critical Start approach to MDR follows all of the highly-successful strategies outlined here and through an industry-first combination of the following:
Once you have selected an MDR partner, there are several things to keep in mind to ensure a successful relationship. Your new partner must be willing to work with you to develop a registry of known-good and safely trusted alerts so that the MDR team knows exactly where to focus their attention. They need to clearly define roles and processes to help you understand the relationship so that both partner and internal teams can maximize their performance. They need to provide thorough training and a constant point of contact so that everyone within your organization feels comfortable with the level of provided protection. And your partner must be ready to constantly evolve to help you stay ahead of a shifting threat matrix.
At Critical Start, we believe a highly effective implementation methodology looks something like this:
©2023 CRITICALSTART.