A visit to major security conferences, such as RSA and Black Hat, quickly demonstrates the industry’s love of hyperbolic rhetoric and absolutist promises of pan-threat protection. Of course, once the hype is replaced with deployments, real world delivery falls short of visionary promises. It’s a cycle of holy grail to fail.
Recently, Gartner released the third edition of its Market Guide for Managed Detection and Response (MDR) Services. Enter the new disruptor. The vendor list has doubled from the original fourteen. The list contains new vendors to the stage, and the group of usual suspects, who up until last year, were in other vendor categories. The optimist will say these vendors are adopting a better approach; the cynic will say it’s more marketing sizzle than product steak, and a way of riding the hype wave. Either way, it leaves the industry confused wondering if the sheep or the wolf is wearing the other’s clothes.
The MDR guide certainly acknowledges this ambiguity, arguing that MDR vendors provide turnkey solutions that detect threats and respond with a mix of reporting, disruption, or containment actions, wrapped in a 245;7 service. Fractured from the traditional MSSP category, MDR brings near real-time threat management to smaller and medium companies that cannot afford to build their own in-house SOC and security team, the way larger firms, such as banks and insurances companies do. What sets MDR apart from its MSSP genres, is lightweight incident response as an intentional focus on threat management, rather than device or alert management. It’s a clever approach, and certainly gets the point of security: Find attacks and stop them before they metastasize and become a business disrupting event.
In terms of disruption, it moves companies closer to the goal line. Considering MDR on an evolutionary line, it pushes the industry away from an instrumental approach of managing devices towards an intrinsic mindset determined to protect the firm, its investors, employees, and clients. We can now see the forest instead of worrying about the trees.
One way to classify this change is to think of three levels of advancement in risk management. The first stage is device-focused, moving through to alert-focused, to threat focus. In other words, we are moving from a reactionary response to attacks by deploying prevention technology through an era of log and alert mania driven by compliance requirements, to a later stage of self-actualized threat management.
For decades the industry focused on prevention technology designed to stop various attacks from hitting their mark, but woefully inadequately. As the number of devices grew in number and complexity, and few replaced their predecessor, the demand on security teams increased in terms of patch and policy management. This friction created the demand for outsourced management and log aggregation, and managed security services was born. In most cases, the MSSP approach was more about devices and post-event aggregation of logs and reports.
Heavily regulated industries also grappled with compliance requirements which created the first generation of log management tools, such as SIEM (Security Information and Event Management). This compliance 1.0 stage advanced the industry from device-centric thinking to a focus on logs and alert management. But, as many heavily regulated businesses will tell you, you can be 100 percent compliant, but also 100 percent owned by cyber criminals. Compliance and security are not synonymous; they are related but do overlap somewhat.
Managed SIEM goes some way to better securing companies, but it relies on logs generated by prevention technology. Thus, if one of these systems does not detect a potential threat, then the logging system is blind. Enter MDR. Through a combination of user behavior analytics, deep network traffic analysis (full packet capture and analysis), endpoint protection, cloud-services protection, and lightweight incident response, MDR builds on managed SIEM to catch what evades other systems, but leaves breadcrumbs picked up by other approaches. Often called threat hunting, companies, especially smaller businesses, could meet more stringent compliance standards that include 24×7 monitoring (compliance 2.0), and better protect their business. Let’s call this MDR 1.0. The hope is that artificial intelligence, machine learning, and other technology to come will finally move the security industry from a reactive mode to a predictive model (MDR 2.0?).
In the meantime, MDR comes in many flavors, with varying heritages of MSSP, risk management, managed SIEM, or in some cases, pure-play. Luckily, Gartner recognizes this and suggests that when selecting an MDR vendor, you align your needs to their services, examine response capabilities closely, and determine whether you need a vendor with experience in regulated markets.
In the end, if you want to know whether MDR disrupts your security approach, make the vendor prove what they claim through a comprehensive proof of concept evaluation. The only way to determine if you are selecting a wolf or a sheep, is to watch them hunt. Their true nature will come out, and you will know which beast you are selecting.
This article is published as part of the IDG Contributor Network. Want to Join?