Ever since Managed Detection and Response (MDR) services were created, they have been a hot topic in the security industry. Because of that, many providers are flocking to the solution to offer their own flavor of MDR. Having options is generally a good thing, but the new providers and services are offering options that aren’t always favorable to the customer. Many providers are using legacy services to capitalize on the MDR buzz without really addressing the key service gap that MDR is intended to fill: the response element of the service.
Let’s go back.
While it can be debated why MDR came to fruition, our opinion is that many Managed Security Services Providers (MSSPs) were falling short on the response element of their solutions. Many providers at that point (and still today) focused primarily on finding indications of compromise but left most of the heavy lifting to the customer for what to do next. Customers complained that their providers were nothing more than a network alarm clock. The MSSP would monitor logs and messages from the customer’s security devices and forward alerts to the customer. Often, they would provide little more detail than the logs and a blog post with suggested remediation ideas. This was not enough for less mature organizations, organizations with limited resources, and organizations with limited expertise – basically the kind of organizations that need managed services.
Where we are today
Today many providers are offering MDR services to help solve the issues customers faced with traditional MSSPs. MDR providers use their own technology to detect threats and provide the human component to help respond to indications of compromise. They fill a need for customers who lack technology, expertise, and resources.
Many providers got to this point by starting companies focused on MDR services. Others expanded their existing MSS to include MDR services. Others altered existing technologies to provide the capabilities needed for MDR. Because of these different approaches, not all services are the same.
Not all R’s are created equal
Many of the service differences between providers lie squarely in how they respond. The “R” in MDR isn’t a standard, because of the different approaches providers have taken to market, their technologies, or their own resources. The response element is the most costly and difficult. It requires people: skilled experts who perform the human analysis needed to properly serve a customer.
Things to look out for
Because there are many options and a lack of standardization in the offerings, customers need to be careful about how their service is delivered. Because not all “R’s” are created equal, the customer needs to spend time understanding this element of the service. The following are response elements of an MDR service to look out for:
- Limited hours: Some providers will say their service includes a bucket of support hours for response. And then, in small print, they explain that another bucket is available, for an astronomical price. The problem here is that a small number of security events could eat up those hours and leave you in need when the next event happens. When a security event is underway, the last thing a customer wants is to get purchasing, budgets, and contracts involved. When choosing an MDR provider, make sure that response and support are unlimited, available when needed, and not an extra charge.
- Limited scope: Many service providers will default back to the alarm clock approach, and only take responsibility for detection and alerting on indications of compromise. These companies have mistaken the point of MDR services and are most often using traditional MSS to capitalize on the MDR buzz. When selecting an MDR provider, ensure they are providing the response element. An MDR solution should include human expertise, helping resolve and remediate security incidents.
- Limited visibility: Many providers have taken old tech and rebranded it for MDR. This may be a viable solution but can limit which parts of the network and data can be monitored. A common scenario in the market is endpoint software providers (traditional AV or EPP) rebranding their endpoint product as MDR. While monitoring the endpoint is certainly important for security monitoring, it is not all-encompassing. These solutions may not be able to respond to correlated events, understand network traffic, or see events on devices that do not have the endpoint agent installed. When selecting a service, make sure the MDR provider is supplying technology that can monitor the entire network.
At Nuspire, a veteran in the MSSP industry, we took a client-centric approach to MDR offerings. We understand why customers wanted an MDR service: they need the technology, resources, and partnership to combat today’s threat landscape. Nuspire provides multiple options to deploy services to meet the customer’s requirements, gain visibility, and provide the best risk reduction per dollar spent. The only element that is not customizable is the response. Nuspire provides no cap on response, resources, or access to systems and expertise. As a true partner, Nuspire provides the service commitment customers need to address all elements of an MDR solution, and most importantly: response.