MDR-as-a-Service — Is it the Holy Grail as Some Say?
David Barton, Stellar Cyber CISO
Every few months it seems there is another wave of new ideas, and with it the need to sift out which are worth taking a closer look at versus those that are just hype. Security leaders must be careful in all ways, first and foremost as they listen to their teams, who will always be challenging them with new ideas and the latest cool ‘tool.’ And on the other side of the coin, they need to protect their business from technology that is not matched to the company’s risk factors. Either way, finding balance is key and is the right answer.
So I chose MDR (Managed Detection and Response)-as-a-Service. There is a lot of hype out there about it**,** helping organizations find value in managed offerings versus build it and maintain it in house. Managed services are growing 6 to 10 percent annually1, 2. That said, MDR-as-a-Service is growing even faster3. With growth seemingly baked in, you can see why so many managed providers are looking at it and why so many vendors say they do it well.
MDR in short is advanced threat detection and response. Think of a multi-faceted attack throughout the kill chain, something most mid-sized companies struggle with, and most of them have no protection in place whatsoever. With attacks increasing in sophistication, MDR is timely.
Many organizations are evaluating outsourced MDR and endpoint security due in part to a lack of in-house cybersecurity experts, according to the “2019 Managed Detection and Response Report” from ControlScan that I read in MSSP Alerts from September.
Here is what struck me as interesting as I read through the study.
- Only 33 percent use a security operations center (SOC) to orchestrate threat analysis and response. Bringing in your own detection and response with a SOC philosophy in place first is key, and with this response being so low, it shows why the managed segment is seeing growth. Getting value from DR-like applications without a SOC framework will fail as point solutions lead to siloed data, which means you will miss the real alerts. The antithesis is true for managed providers — package your company as providing a SOC-as-a-Service and offering select services such as MDR. Help customers see you have already transformed your security infrastructure into the platform they could only dream of.
- 70 percent of organizations prioritize 24×7 security coverage relative to MDR services. This again shows why there is demand. A SOC brings in methodologies for response and triage, and by design 24x7x365 thinking. Point solutions bring in pager thinking. Managed providers can highlight the fact that their business is always on and always there to protect the client.
- The last survey response I share is a bit puzzling. Respondents also evaluate MDR services based on their ability to integrate and leverage the services into an existing security stack (56 percent) and their cost (54 percent). Now if 70 percent of respondents don’t have a SOC yet, I would have guessed the integration needs to be lower, but it shows the cost-consciousness of clients. They may not want to build it or manage it, but when they trust an MSSP to provide the service, they still want a good deal.
To close this out, what every MSP is chasing long term is stable, predictable and manageable growth, and with the idea that the service is sticky. I think those ideals are always true. What MDR signals is a narrower, more specific type of managed service, not as narrow as firewall services, but not as broad as SOC-as-a-Service either. MDR is complex enough that MSSPs can differentiate and show expertise related to verticals like finance and healthcare. And as the survey data suggest, there will be differentiation based on real-time, always-on support as well.
Exciting times ahead to see where the real adoption is!