Mon, Oct 31, 2022

Managed Detection and Response (MDR) Buyer’s Guide

/en/our-team/marc-brawner

Marc Brawner

What is Managed Detection and Response (MDR)?

In this video, Michael Cowley, head of solutions engineering for Cyber Risk, shares key takeaways for organizations looking for the right MDR solution.

What is Managed Detection and Response (MDR)?

All organizations should have access to the skills needed to detect and contain threats. But, typically, only the very largest enterprises can afford the millions in annual staff and infrastructure investments required to maintain a Security Operations Center (SOC).

Even then, large in-house teams often only see their own environments and may not have frontline visibility to the latest threat tactics and techniques, leading to gaps in incident response (IR) and containment capability. Small and midsized businesses often struggle to recruit and retain enough experienced analysts to keep their small workday teams at full strength. These issues are exacerbated by the ongoing global talent shortage, alert fatigue, and the relentless pressure to secure an expanding attack surface rife with newly discovered vulnerabilities for threat actors to exploit.

Managed Detection and Response (MDR) services can help ameliorate these challenges by providing the people, processes, and technologies in a turn-key way to strengthen an organization’s security posture and reduce its risk exposure. This buyer’s guide assesses today’s MDR market space and the key criteria for selecting a suitable MDR partner.

Focusing on MDR Outcomes;

Your MDR provider search should begin with a disciplined self-assessment of the outcomes you want to achieve with an MDR service. In addition to preventing breaches, what other specific outcomes should you hope to achieve? Here are the key outcomes that justify the need for MDR:

High-Fidelity Detection

One drawback of the defense-in-depth approach to security has been the rapid proliferation of stove-piped security tools ingesting billions of events and churning out thousands of alerts daily. Many are false positives, which must still be triaged, investigated, and resolved by over-burdened security teams.

An MDR partner should be able to minimize this noise by continuously tuning and updating detection analytics and rulesets so that only true positive alerts are prioritized for investigation. They can also help identify and close gaps in your security architecture by correlating detection events to events reported in threat intelligence feeds or mapped to tactics, techniques, and procedures (TTPs) cataloged in the MITRE ATT&CK framework.

Minimizing Dwell Time

An MDR provider should help minimize attacker dwell time by rapidly identifying threats and indicators of compromise (IoCs) concealed within your endpoint, network, and cloud system telemetry. As evidence, they should convincingly demonstrate their ability to optimize metrics such as Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) through multiple methods such as ongoing threat research, detection engineering, automation, and analyst training.

Remote Remediation

An MDR provider should also help prevent an initial intrusion from escalating into a catastrophic breach by moving swiftly to contain and remediate threats. This may include such tasks as terminating malicious processes, removing persistence mechanisms from the file system or Windows registry, and isolating compromised systems from the network.

Incident Response Support

Often organizations mistakenly wait until a breach is discovered to bring in IR experts. By this time, business interruption may have already occurred, and the goal is simply to understand what happened and limit further damage. If an intrusion is suspected, bringing in this expertise as quickly as possible can get you ahead of the game to contain the threat and identify related malicious activity in other systems. Having an IR team working hand-in-hand with the SOC team streamlines the threat investigation, remediation and recovery processes. However, most MDR providers today subcontract IR support to a third party, which can introduce unacceptable delays in response and remediation and can result in finger-pointing between the MDR vendor and its sub-contractor. Common causes for critical delays in these scenarios involve getting the IR team up to speed and having to deploy a new set of agents capable of running adequate remote live forensics.

Types of MDR Providers

MDR is a growth market that many security firms are attempting to enter, so it’s often helpful to consider how well a company’s core business competencies align with its MDR claims.

Managed Security Service Providers (MSSPs)

MSSPs have traditionally focused on monitoring and managing firewalls, virtual private networks (VPNs), endpoints, and other devices. By outsourcing these functions, clients can deploy a baseline security infrastructure without adding headcount. The cost avoidance benefits are somewhat offset by a shared security model that requires clients to manage and investigate the resulting alerts. Some mature MSSPs have accepted responsibility for alert management and orchestration in recent years. However, very few provide a comprehensive MDR solution that includes threat hunting, incident response, and remediation. Consequently, most MSSPs remain poorly positioned to deploy and manage a complex, multi-layered security stack that provides the enterprise-wide visibility necessary for effective detection and response.

Product Vendors

In this model, clients outsource management and maintenance of the vendor’s security products to their implementation and support teams. Products are often supplied on a subscription basis, enabling the client to avoid capital expenditures. Vendors of security information and event management (SIEM) platforms and endpoint detection and response (EDR) systems often promote their ability to develop and deploy customized detection and response rulesets to complement default “out-of-the-box” features. Others offer ancillary services to expand their reach by ingesting and correlating telemetry from other vendors’ security tools. However, the intrinsic limitations of the product-centric approach impair their ability to detect and trace a kill chain across the enterprise attack surface or provide the proactive threat hunting, incident response, and remediation services required to meaningfully reduce a client’s risk exposure. Over time, changes in the competitive product landscape may leave an organization stuck with an outdated or inferior solution without an easy migration path and continuity of services over the long term.

MDR Providers

MDR is a natural evolution away from the historical focus on throwing alerts ‘over the fence’ for the customer’s team to deal with. MDR service providers should act as a partner, working as an extension of your in-house security team, reducing or eliminating the operational workload of monitoring alerts around the clock and adding threat detection, investigation, hunting and response expertise so you can focus on other strategic aspects of your security program or business. MDR providers should be flexible enough to scale the detection and response work as your maturity evolves and needs change, while being transparent with their detections and response processes. Leading providers are technology agnostic, leveraging both proprietary methods and the native capabilities of each security tool to collect, correlate, and investigate alerts and telemetry from across the enterprise. Clients benefit from a multi-disciplinary approach to MDR that is inherently flexible, scalable, efficient, and effective for the long run.

Evaluating MDR Providers

It's important to evaluate MDR service providers based on their maturity, scope of services, and alignment with the outcomes identified.

Key Questions for MDR Service Providers

It takes years to develop the people, processes, and technologies required to provide clients with a comprehensive MDR service. The answer will help you distinguish MSSPs and product vendors from pure-play MDR providers with mature offerings and reputations for proven performance.

It’s important to distinguish early between those with a MSSP history and those with an actual MDR history. Providers with an MSSP history have had to move away from the typical approaches of “ticket counting”, service level-driven monitoring and black-box approach. It’s less throwing opaque alerts over the fence to the inhouse team and more about delivering key security outcomes.

MDR Providers should be poised to respond no matter what, all day every day. This shift in mindset means many MSSPs are behind pure play MDR providers in their ability to deliver high-touch engagement, high-fidelity threat detection across all areas of the environment (endpoint, network and cloud), and effective incident response.

Related Questions

In addition to SOC analysts, what other professionals are on staff to enhance the scope and quality of MDR service delivery? For example, does the vendor have malware engineers deconstructing zero-day malware? Are dedicated detection engineers available to update and refine rulesets based on changes to the threat landscape?

You can distinguish those that have really invested in their services by seeing if they have diverse skills sets across highly integrated teams.

Key Takeaways

Choosing an MDR partner begins with objectively defining what you want to achieve from the service. What gaps exist in your security program and skill sets? What outcomes are you hoping to realize?

Having defined these expectations, you can begin assessing potential MDR partners. The questions above will help you distinguish candidates by type, service maturity, expected outcomes, global footprint, and much more. Once you have a short list, consider intangibles, such as the vendor’s reputation in the industry, ancillary and related services, and degree of alignment with your business culture.

Kroll leverages its unrivaled IR experience and frontline intelligence to run a round-the-clock global MDR service providing active response using seasoned incident responders, not just monitoring analysts. In 2014, Redscan, now a part of Kroll, became one of the first full-service MDR providers, pioneering the approach of layering custom detection analytics and hunting procedures over the security tooling (EDR, SIEM, NDR etc.), investigating the threats and responding on behalf of the customer. Today, Kroll Responder is now one of the only solutions in the market that delivers MDR with what we call “Complete Response”.

At Kroll, we believe the ‘Response’ aspect of MDR shouldn’t leave you hanging. Our response goes as far as you need it to, closing the gap between merely containing the threat to actively removing it across all affected systems and quickly understanding the root cause, to ensure it doesn’t happen again. Our Responder MDR service is backed by the same Kroll IR experts that handle thousands of high-profile breach investigations annually. We extend that service to our customers, which means they get the value of remote digital forensics and incident response without the additional cost.

Download the Guide

Kroll Responder MDR for Microsoft: Threat Detection and Complete Response on Microsoft's Ecosystem

Kroll Responder MDR for Microsoft: Threat Detection and Complete Response on Microsoft's Ecosystem

In this video, Kroll Managing Director Pierson Clair explains how Kroll Responder, our managed detection and response solution, seamlessly integrates with Microsoft Sentinel, Microsoft 365 Defender and Microsoft Defender for Cloud to deliver continuous threat visibility, hunting and Complete Response across their Microsoft and third-party environments.

Want to see Kroll Responder in action?

Get in touch with one of our experts here.

Stay Ahead with Kroll

Kroll Responder MDR

Stop cyberattacks. Kroll Responder managed detection and response is fueled by seasoned IR experts and frontline threat intelligence to deliver unrivaled response.

Kroll Responder MDR

Cloud Security Services

Kroll’s multi-layered approach to cloud security consulting services merges our industry-leading team of AWS and Azure-certified architects, cloud security experts and unrivalled incident expertise.

Cloud Security Services