Why Use an MDR Provider? Forrester’s Key Findings about the MDR Market

Leading technology research firm Forrester released an infographic summarizing the key data collected from customers and vendors about the Managed Detection & Response (MDR) market.

The infographic provides insights into key trends and findings in the MDR industry – such as popular technologies being supported by MDR providers, time savings customers experience with their MDR providers, and the primary outcomes customers should expect.

Forrester’s infographic provides insights into key findings in the MDR industry – popular technologies supported by MDR providers, time savings, and primary outcomes customers should expect.

Enabling Extended Visibility

Forrester highlights the evolution of Managed Security Service Providers (MSSPs) to MDR. It explores how adopting Endpoint Detection & Response (EDR) to the MSSP toolkit enabled faster detection & response at the endpoint – particularly as attacks were using this as a key entry point.

Although this is certainly true, CyberProof has found that this is only part of the story. Our experience in the MDR space has revealed that extended visibility across not just the endpoint but also network, cloud, identities, and increasingly OT and IoT enables faster investigations across the attacker path and faster response.

In essence, an advanced MDR provider should have the ability to provide a Managed Extended Detection & Response (XDR) offering that integrates and correlates data from numerous sources. But how can an organization collect all this data without creating more work, to make sense of it?

Collecting and Analyzing Data

The answer starts with the data collection layer – creating a scalable mechanism of capturing, filtering, parsing and tagging event data from any source before it’s ingested into the security analytics platform. This enables you to route only use case-driven data that needs to be investigated in real-time. Less relevant data can be stored in a cloud data lake for compliance and hunting activities.

Building this type of capability is no easy task, which is why we recommend using an MDR provider like CyberProof who has it built-in to their offering. Without this capability, ingestion costs and time spent on weeding out false positives could increase.

The analysis layer is also part of the solution. Advanced MDR providers should have experience in integrating with cloud-native security analytics technologies such as Microsoft Sentinel, which introduce scalability, automation and flexibility in integrating with multiple sources – without the need to invest in additional infrastructure costs. Having an MDR provider that can bring their own log collection capability helps augment this technology with the ability to ingest, parse and tag logs from customized sources.

Customers Want to Be Involved in Response

The Forrester research mentions that customers tend to prefer owning many of the response actions. This highlights the need for MDR providers to collaborate with customers when responding to threats.

More specifically, providing Managed Response as part of the MDR service shouldn’t mean carrying out all response actions for the customer but rather, enabling them to confidently respond themselves by providing the right level of expertise, guidance, and technology enablement.

Forrester’s research mentions that customers tend to prefer owning many of the response actions. This highlights the need for MDR providers to collaborate with customers when responding to threats.

Response is a critical control that needs to be collaborative. The customer should feel empowered to make the right response that will reduce the risk for the business. At the same time, MDR providers feed into this. For example, a couple of the key capabilities that our clients tell us enables them to respond confidently include:

  • A well-defined process for managing use cases – Security analytics tools are only as good as the use cases you define and manage. Customers will want to ensure they input the right detection & response content related to their threat landscape based on their actual coverage gaps. At CyberProof, we use a mechanism we call the Use Case Factory – an agile model for continuously reviewing, defining, deploying, and optimizing Use Case content (containing detection rules, response playbooks and third-party technology integrations) in line with their changing threat landscape.
  • Collaboration in incident handling – The ability to bring in and chat with the provider’s team during an incident as quickly as possible and access the skills they need quickly. At CyberProof, we provide customers with our CyberProof Defense Center (CDC) platform for collaborative incident management. This includes a ChatOps function where customers can share information or ask for help from one of our analysts on a particular incident.

Response is a ritical control that needs to be collaborative.

How MDR Enables Speed and Efficiency

One of the key insights from Forrester’s infographic shows where MDR providers can save time with specific activities such as performing root cause analysis and identifying suspicious/malicious activity. With root cause analysis, MDR providers can save time by detecting behavioral anomalies and correlating disparate alerts under a single incident. Enriching these alerts with contextual data such as host and user information, vulnerability data, threat intelligence, and insights from hunting exercises means clients can focus their time on responding to validated incidents, not correlating alerts.

But what is the key ingredient for enabling this speed and efficiency? On top of the ability of advanced MDR providers to augment your team with specialist expertise, it’s important to understand what technology the MDR provider is bringing to the table themselves that makes your investments work harder. For example, an advanced MDR provider would use their own service delivery platform to:

  • Orchestrate the customer’s existing technology stack
  • Centralize incident management in a transparent way so activities can be tracked
  • Enable the customer to automate certain response actions
  • Provide meaningful KPI-driven reporting and governance
  • Facilitate team collaboration across both provider and customer

In addition to this, think about how the MDR provider is enabling cloud-native security architectures. Organizations are requiring speed, scalability and adaptability in their security as they migrate to the cloud, and this requires the MDR provider to operate a cloud-native architecture that includes:

  • DevOps deployment – deploying everything as code such as infrastructure, connectors, detection rules, playbooks, analytics and more
  • Cloud-native data collection – using scripting and container tools to collect and filter unstructured data
  • Cloud data lakes – for cost-effective and fast storage, archival and querying
  • Cloud-native security analytics – SIEM technologies that were built in the cloud, for the cloud with no additional infrastructure costs

Want to learn more about how an MDR provider can help protect your organization from cyber attack? Contact us today!