Managed Detection and Response (MDR) is a service that makes use of network-based, host-based, and endpoint security technologies. These technologies are managed by a third-party provider and configured by the client. Providers typically distribute security technology to customer organizations, deploying it locally and providing automation and support services remotely.
MDR improves network and endpoint security by detecting threats and responding to them, faster and more effectively than the organization could have done with in-house resources. It is ideal for companies that do not have a dedicated incident response team. Clients can also leverage the MDR provider’s security experts to complement and improve existing in-house security skills.
MDR is becoming a popular model due to the global cybersecurity skills shortage, which is making it difficult for companies to fill in-house security roles.
Many organizations are finding that traditional managed security service providers (MSSPs) are not enough to protect against today’s cyber threats. MSSPs offer basic alerting, passing threats to the client, without providing prioritization and context needed to deal with them effectively.
MDR, by contrast, provides a more focused solution that promises to detect and eradicate threats. It provides technological solutions that can help achieve this, such as security orchestration, endpoint detection and response (EDR), and threat hunting capabilities.
According to Gartner, by 2024, 25% of organizations will use MDR services, and 40% of midsize enterprises will end up with MDR as their only managed security service.
What Challenges Does MDR Solve?
Here are a few challenges faced by security organizations, which MDR services can help resolve:
Manpower constraints—the cybersecurity industry faces a severe talent shortage. This makes it difficult for organizations to fill critical security roles internally. MDR allows organizations to bridge this gap using external security experts, and in the case of smaller organizations, adding security expertise to a small team.
Limited access to expertise—specialized roles with expertise in fields like incident response, threat hunting, or cloud security, are even more difficult to find given the skills shortage. With MDR, an organization receives immediate access to cybersecurity expertise with multiple specialties, without needing to retain these talents internally.
Dealing with advanced persistent threats (APT)—APTs are cybercriminal groups with advanced tools and techniques, which in many cases make them undetectable by existing cybersecurity solutions. MDR gives the organization access to equally advanced security tooling and threat hunting expertise, which can help detect and recover from these threats.
Reducing dwell time—many network security incidents remain undetected for a significant period of time, increasing damage and impacting the targeted organization. Many MDR providers offer service level agreements (SLAs) that can guarantee incidents are handled quickly, minimizing cost and damage due to cyber breaches.
Ramp up time—building an effective cybersecurity program can be costly and time consuming, due to the need to implement tools, hire personnel and build an operational structure. MDR allows organizations to quickly deploy a complete security program with 24/7 threat detection and response capabilities.
Cost savings—because MDR clients share many of the costs among the customer base of the MDR provider, they reduce the total cost of ownership (TCO) of cybersecurity. In many scenarios MDR providers will be less expensive than setting up an in-house security operation.
How Does MDR Security Work?
MDR services can remotely monitor, detect and respond to threats detected within an organization. MDR providers commonly use endpoint detection and response (EDR) tools to gain visibility into endpoint security incidents.
Relevant threat intelligence data and forensic data are passed on to human analysts employed by the MDR provider. Analysts classify alerts, determine appropriate responses, and mitigate the impact and risk of security incidents. Finally, combining work by human security experts and automated tools, the MDR provider removes the threat and restores the infected endpoints to their pre-infection state.
Below we go into more detail about the main capabilities of an MDR service.
MDR can help organizations prioritize security issues by reviewing a large number of alerts, many more than can feasibly be managed in house. MDR providers use rules, behavioral analysis, and manual review to remove false positives and identify real threats. MDR systems, including EDR and threat intelligence platforms, are used to add context to the alerts, and the results are disseminated as a high-quality alert feed.
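The triage flow described here, together with the dwell-time point from the challenges list above, as an added example in Python (not code from the page or from Cynet): raw EDR alerts are deduplicated, rule-suppressed false positives are dropped, and the survivors are enriched with threat-intel and behavioral context and ranked. The indicator values, suppression rule and sample alerts are constructed for illustration.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta

# Constructed threat-intel feed (hypothetical value): indicator -> context label.
THREAT_INTEL = {"198.51.100.7": "destination matches a known C2 address"}
# Constructed suppression rule: (process, parent) pairs analysts confirmed benign.
SUPPRESSED = {("backup.exe", "services.exe")}
# Behavioral rule: shells launched by Office applications are suspicious.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}

@dataclass
class Alert:
    host: str
    process: str
    parent: str
    indicator: str          # remote address the process contacted
    first_seen: datetime    # earliest related activity on the host
    detected: datetime      # when the EDR raised the alert
    context: list = field(default_factory=list)
    priority: int = 0
    dwell: timedelta = timedelta(0)

def triage(alerts, long_dwell=timedelta(hours=24)):
    """Return the high-quality feed: unique, enriched alerts, highest priority first."""
    seen, feed = set(), []
    for raw in alerts:
        key = (raw.host, raw.process, raw.indicator)
        if key in seen or (raw.process, raw.parent) in SUPPRESSED:
            continue  # duplicate, or a rule-confirmed false positive
        seen.add(key)
        a = replace(raw, context=[], priority=0, dwell=raw.detected - raw.first_seen)
        if a.indicator in THREAT_INTEL:           # threat-intel enrichment
            a.context.append(THREAT_INTEL[a.indicator])
            a.priority += 2
        if a.parent in OFFICE_PARENTS:            # behavioral analysis
            a.context.append(f"{a.process} spawned by {a.parent}")
            a.priority += 1
        if a.dwell > long_dwell:                  # long dwell time raises likely impact
            a.context.append(f"undetected for {a.dwell}")
            a.priority += 1
        feed.append(a)
    return sorted(feed, key=lambda x: x.priority, reverse=True)

T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_ALERTS = [  # constructed EDR alerts: one duplicate, one benign pair, one unknown
    Alert("ws-01", "powershell.exe", "winword.exe", "198.51.100.7", T0 - timedelta(days=2), T0),
    Alert("ws-01", "powershell.exe", "winword.exe", "198.51.100.7", T0 - timedelta(days=2), T0),
    Alert("srv-02", "backup.exe", "services.exe", "10.0.0.5", T0, T0),
    Alert("ws-03", "cmd.exe", "explorer.exe", "203.0.113.9", T0 - timedelta(minutes=5), T0),
]
```

Running `triage(SAMPLE_ALERTS)` leaves two alerts: the Office-spawned PowerShell with the C2 match and two days of dwell ranks first, the unknown cmd.exe alert keeps a zero priority for analyst review.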
Advanced threats have sophisticated ways to evade security controls. It takes human analysis to correlate elements and events in a way that automated systems cannot do. MDRs employ human threat hunters with extensive skills and expertise, who can identify even the most concealed and evasive threats, to make up for what automated security tools miss.
Managed investigation services can help organizations better understand threats by enhancing security alerts with additional information. Organizations have a better understanding of what happened, when it happened, who was affected, and how far the attacker went. You can use this information to plan an effective response, notify stakeholders, and understand compliance implications.
Guided response provides actionable recommendations on how to control and address specific threats after a breach has occurred. Organizations receive guidance on basic activities, such as how to remove threats from affected systems, whether to isolate systems from the network, and how to gradually recover from attacks.
After a confirmed security incident, the final step is recovery. If this step is not done correctly, the previous steps may be rendered useless. Managed remediation restores the system to its pre-attack state through malware deletion, registry cleaning, intruder removal, and deletion of persistence mechanisms—doing this across all affected endpoints. Managed recovery restores the network to a known good condition and prevents further damage.
MDR is a new take on a well-known security model known as Managed Security Service Provider (MSSP). MDR and MSSPs both perform the same general functions—providing cybersecurity services remotely. However, there are some key differences between the MDR service and the traditional MSSP.
Log format—MSSPs can generally handle a variety of event logs and contexts. On the other hand, MDR mainly uses logs provided by the EDR platform.
Service format—MSSPs handle communication with clients through online portals and a ticket system. MDR has a team of experts that can be reached in real time through multiple channels, which may include phone and video conferences.
Detection methods—MDR can apply more detailed analysis to alerts to detect new threats. MSSPs are less involved in analytics, and typically use a rule-based system to focus on known and frequent threats.
Network visibility—MDR can detect events and movements inside the corporate network, while MSSP is mainly focused on breaches of the network perimeter.
Threat hunting—MSSPs typically do not provide active threat hunting services, while MDRs do, leveraging their endpoint security infrastructure.
Managed Detection and Response with Cynet
Cynet 360 is an autonomous breach protection platform that works in three levels, providing XDR, Response Automation, and 24/7 MDR in one unified solution. Cynet natively integrates these three services into an end-to-end, fully automated breach protection platform.
Cynet’s intelligent technologies can help you detect attacks by correlating information from endpoints, network analytics and behavioral analytics with almost no false positives.
With Cynet, you can proactively monitor entire internal environments, including endpoints, network, files, and hosts. This can help you reduce attack surfaces and the likelihood of multiple attacks.
Cynet provides expert monitoring and oversight, which includes the following features:
Alert monitoring – First line of defense against incoming alerts, prioritizing and notifying the customer of critical events
Attack investigation – Detailed analysis reports on the attacks that targeted the customer
Proactive threat hunting – Search for malicious artifacts and IoCs within the customer’s environment
Incident response guidance – Remote assistance in isolation and removal of malicious infrastructure, presence and activity