MDR 101 in 2024

The term MDR (Managed Detection and Response) has been around since the early 2000s, but it’s fair to say it is one of the most confused terms in the cyber security market. With vendors and providers using it to describe an array of different service-level offerings, it’s no surprise that buyers of cyber security services are confused by the industry’s product offerings.

In this blog we break down what MDR means, debunk some of the myths around MDR and delve into the core benefits of adding an MDR service to your cyber security portfolio.

What is MDR? 

MDR services provide customers with remotely delivered, human-led, turnkey, modern SOC functions, ultimately delivering threat disruption and containment and allowing them to focus on business objectives instead of navigating the complexities of cyber security. 

Since its inception, MDR has evolved rapidly in response to the sophistication of cyber security threats. Improvements have included: 

  • Increased automation 
  • Better integration with third-party solutions 
  • More focus on cloud and hybrid environments 
  • Greater emphasis on incident response to help mitigate breaches and minimise impact from security incidents. 

The MDR provider platform operates centrally, benefiting from the speed and scale of detection. They achieve this by running the service over multiple tenants, in different regions, and across verticals – this makes spotting threats early a more achievable outcome. 

The core features of a modern MDR service include: 

  • Centralised Incident Management: Ensuring a fast response to incidents and potential threats. 
  • Navigating Alerts: Advanced analytics and machine learning find threats quickly and avoid false positives, allowing analysts to focus on high-priority issues. 
  • Threat Intelligence: Protect your digital business with intelligence to gain a foothold against adversaries. 
  • Automated Response: Playbooks and automated security response actions, for example device quarantine, are agreed upon and coordinated under the SLA. 
  • Technology Integration: Seamlessly integrate with existing technology to optimise cyber security defence and response strategies. 
  • Attack Surface Coverage: Spot and mitigate threats as far left as possible in the kill chain, with framework visibility, for example MITRE ATT&CK. 
  • Flexible Offering: Work with a provider in the MDR space who can integrate their technology with the customer’s stack to enhance overall security investments. 

 

MDR MythBusters 

Technology thrives on terminology – computing has more three-letter acronyms and abbreviations than anyone can expect to remember, which often confuses. As the buzzword bingo cards expand, it’s easy to find confusion across offerings. MDR is no different, but the risk of signing up to the wrong service provider is substantial – it could be the difference between a contained and neutralised threat and ransomware running wild across an enterprise. 

Providers with updated existing services 

Some MSSPs and vendors have offered SOC capabilities for several years and are now re-marketing them as a modern MDR service. These services were built on traditional SIEM and policy-based management technologies, and although highly customised with detailed reporting, they cost more to onboard and manage, and the service is not turnkey: it requires constant input to adapt to changes in the customer’s security posture. 

Managed (Other) Detection and Response 

MDR is not new to the market, but offerings are easily confused. One source of confusion came with the introduction of MEDR (Managed Extended Detection and Response), which may seem more advanced but is an extension of EDR, not of MDR. The critical difference is the depth of telemetry used by the two platforms: MEDR is broader than EDR, but MDR ingests data from a more comprehensive range of sources overall.  

Managed Mesh Technology (MMT) 

Some providers layer new options, such as EDR, onto an existing service to modernise it, and because of the additional value added by their SIEM or other technology stacks, label the result as MDR. It is a functional and detailed service, but it is highly dependent on the technology rather than on the SOC analysts or responders. This meshed service is less flexible and more complicated to customise for a customer than a pure-play MDR service. 

 

The Core benefits of an MDR service 

When looking across the range of MDR services in the market, it is vital to understand more than just the technical offerings: what a solution delivers matters more to the business than how it functionally works. 

This section will overview the core benefits of moving to a managed MDR service and the available integration and management options. 

Automated attack disruption 

Should a ransomware attack occur on your network, it’s not only endpoint devices that are affected: documents are encrypted, systems are forced offline, email services fail, and more. Attack disruption technology monitors infrastructure to detect signals of a potential or in-progress attack and helps the security team respond faster with a mix of automated actions and alerts, including isolating devices, disabling identities and enforcing hardening rules. 
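To make the detect-then-disrupt loop concrete, here is an added example (not e2e-assure code, and not tied to any real product API): a toy playbook that correlates constructed telemetry for two signals the paragraph mentions, a credential attack against an identity and a ransomware-style burst of file renames on a host, and maps each finding to the response actions a customer would have pre-agreed under the SLA. Event fields, thresholds and action names are all hypothetical, and actions are recorded rather than executed.

```python
"""Toy attack-disruption playbook (added example, not vendor code).

Assumptions (hypothetical): telemetry events are dicts with 'ts' (seconds),
'host', 'user' and 'type'; response actions are names written to an audit
record, not calls to any real EDR or identity provider.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed telemetry: five failed logons then a success for one identity,
# followed by 60 file renames in under a minute on the same host.
SAMPLE_EVENTS = (
    [{"ts": 100 + i, "host": "ws-17", "user": "alice", "type": "logon_failed"} for i in range(5)]
    + [{"ts": 105, "host": "ws-17", "user": "alice", "type": "logon_success"}]
    + [{"ts": 110 + i, "host": "ws-17", "user": "alice", "type": "file_rename"} for i in range(60)]
    + [{"ts": 120, "host": "ws-03", "user": "bob", "type": "file_rename"}]  # benign single rename
)

# Playbook agreed with the customer under the SLA: signal -> thresholds and actions.
PLAYBOOK = {
    "credential_attack": {"min_failed": 5, "actions": ["disable_identity"]},
    "mass_encryption": {
        "window": 60,        # seconds of telemetry examined per host
        "min_renames": 50,   # renames inside the window that trigger containment
        "actions": ["isolate_host", "disable_identity", "block_smb_lateral"],
    },
}


def detect_credential_attack(events, cfg):
    """Flag a successful logon preceded by >= min_failed failures for that user."""
    findings, failures = [], defaultdict(int)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "logon_failed":
            failures[e["user"]] += 1
        elif e["type"] == "logon_success":
            if failures[e["user"]] >= cfg["min_failed"]:
                findings.append({"signal": "credential_attack", "host": e["host"],
                                 "user": e["user"], "ts": e["ts"]})
            failures[e["user"]] = 0
    return findings


def detect_mass_encryption(events, cfg):
    """Flag a host once its file renames in a sliding window reach min_renames."""
    findings, per_host, flagged = [], defaultdict(list), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "file_rename" or e["host"] in flagged:
            continue
        window = per_host[e["host"]]
        window.append(e["ts"])
        while window and window[0] < e["ts"] - cfg["window"]:
            window.pop(0)  # drop renames that fell out of the window
        if len(window) >= cfg["min_renames"]:
            flagged.add(e["host"])
            findings.append({"signal": "mass_encryption", "host": e["host"],
                             "user": e["user"], "ts": e["ts"]})
    return findings


@dataclass
class Response:
    signal: str
    host: str
    user: str
    actions: list = field(default_factory=list)  # audit record of actions taken


def run_playbook(events, playbook=PLAYBOOK):
    """Correlate signals and apply the pre-agreed actions, each at most once per target."""
    findings = (detect_credential_attack(events, playbook["credential_attack"])
                + detect_mass_encryption(events, playbook["mass_encryption"]))
    responses, taken = [], set()
    for f in findings:
        r = Response(f["signal"], f["host"], f["user"])
        for action in playbook[f["signal"]]["actions"]:
            target = f["user"] if action == "disable_identity" else f["host"]
            if (action, target) in taken:
                continue  # idempotent: do not re-disable an identity or re-isolate a host
            taken.add((action, target))
            r.actions.append(f"{action}:{target}")
        responses.append(r)
    return responses


if __name__ == "__main__":
    for r in run_playbook(SAMPLE_EVENTS):
        print(r.signal, r.host, r.user, r.actions)
```

The two points worth noting are that the thresholds and the action list live in one agreed structure (the playbook) rather than in analyst judgement at 3 a.m., and that actions are de-duplicated per target so a second signal on an already contained host does not re-fire the same disruptive step.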

Breach attack simulation

Security policies and processes need constant review and updating. Threats evolve, and security must keep pace. Continuous attack simulation validates the resilience of your security infrastructure and produces recommendations to reduce attack surface and exposure risk; it can highlight gaps (and overlaps) in security measures so they can be closed. Benchmarking cyber security is crucial for remaining secure and provides a demonstrable competitive advantage for prospective customers or supply chain opportunities. 

Management of existing stack investments

Every business is different and has invested in security products and solutions that fit a mix of requirements, budget and availability. The move to MDR means reviewing this stack to decide whether to: 

  1. Use a single technology stack from the service provider, often with limited integration for existing investments and a requirement to redeploy, re-learn and sometimes compromise overall functionality. 
  2. Amalgamate existing investments into the service provider’s solution and create a blended stack. This allows for customisable onboarding, more signals for in-depth defence and a more robust security posture, and it removes the limitations of a single-vendor offering. 

Most businesses will prefer to retain and build upon their existing security product investments, making the amalgamated approach the best option for most cases. 

 

Looking to buy or renew an MDR service? 

If you’re looking to add an MDR service to your current cyber protection, or are frustrated with your current MDR provider, e2e-assure have carefully curated a number of documents to assist you in analysing and assessing providers:  

  • MDR Buyers Guide 
  • MDR Buyers Checklist 
  • 7 Questions to Ask Your MDR Provider 

Our team are on hand to discuss your current business needs and assist you in assessing your need for a Threat Detection and Response or MDR service. If you’d like a member of our sales team to get in contact with you, feel free to email our team: sales@e2e-assure.com 
