MDRs Fill A Void Left by MSSPs

You know cyber security is critical for your business, but just in case the alphabet soup of technology acronyms (like MDRs and MSSPs) is making your head swim, here’s a quick runthrough:

• MDR means managed detection and response.
• MSSP stands for managed security service provider.
• MSP is the abbreviation for a managed service provider.

Not all MSPs are MSSPs and though some provide MDR ( managed detection and response), most do not do it well, if at all.

MSSPs vs. MDR Service Providers

MSSPs usually focus on basic security functions such as vulnerability management and monitoring standard ingress-egress traffic on products. Meant to provide high-level security coverage for basic and repetitive tasks across an organization’s entire security stack, it is not uncommon to find an MSSP advertising that they use hundreds of security tools. Here’s the part where MSSPs fall short: Usually, if you take a closer look, you will find they employ inexperienced staffers who are only capable of operating a small fraction of those tools. So having them is not much use to you as the client.

Not so with MDR service providers: They specifically focus on improving advanced threat detection, investigation and response as they enlarge and enhance internal capabilities. They will also frequently examine similar data sets as MSSPs, but at a much greater depth. MDR services are tailored to use advanced technologies such as endpoint detection and response (EDR), behavioral analytics, specialized forensics tools and custom security event management platforms. 

MDR Providers Go Deep

The best MDR providers, such as Intrust, use MDR as part of their managed services,  heavily focused on detecting today’s advanced attack threats such as lateral movement, credential theft and credential escalation. Some even operate large software and security engineering teams to design their own detection and response technology. 

Usually built with integration in mind, MDR services can be plugged into a pre-existing security program and workflow sequence. 

Here’s a side-by-side comparison of MSSP and MDR services:

Why Choose MDR Services? 

Small businesses are realizing they want or need the benefits of the most advanced detection technology available today, especially if they don’t have the resources to build their own highly specialized team.

Choosing a managed service provider that also provides MDR service is the first step to detecting previously unseen threats and fixing them. MSPs have endpoint detection and response (EDR), user behavior analytics (UBA), thorough network analysis engines examining full PCAP records, etc. — which requires constant monitoring, tuning and process improvement. 

Advanced detection tools also detect potential threats that generate hundreds to thousands of events per day that need to be investigated. Investments in these advanced tools would be wasted without an advanced security team that knows how to run an in-depth investigation, understands malware analysis and has a sixth sense about how attackers operate.

Businesses are choosing MDR for two primary reasons: 

1. MDR solutions work. They accurately detect threats ranging from malware to advanced attackers and support customers to ensure threats are addressed. 
2. The opportunity costs and the actual costs of acquiring advanced technology and talent and building an operational capability are extremely high and often unrealistic. MDR providers offer organizations a full capability that doesn’t require a dozen individual investments and months to years of implementation. Most MDR providers are priced significantly below what it would cost an organization to build internally. 
3. Organizations that enlist an MDR provider have a reliable partner that stands by their side to defend against the worst types of threats.

Can MSSPs provide MDR?

The answer to this question is typically one of those “yes, buts…” The majority of MSSPs are not offering true MDR capabilities at this time primarily  because the current business model used by traditional MSSPs cannot support a specialty service like MDR.

MSSP infrastructure is designed around signature-based detection and perimeter defense. Generally MSSPs employ Tier 1 security operations center (SOC) analysts who are there to monitor, not  to investigate. 

In order to add MDR services, most MSSPs would need to completely retrofit their SOC architecture and hire veteran security engineers with experience in threat hunting, malware analysis, incident response and data science. Complicating the matter is the fact that the most mature MDR providers are technology companies that run full software development, PM, QA and DevOps teams.

Massive investment and culture shift changes need to be made but most MSSPs cannot make them. The service providers’ inability to deliver MDR services is partially what prompted the rise of MDR.

Look for the Red Flags 

There are many different ways to identify an MSSP that is overselling its detection and response offering. Asking the right questions backed by the technical proof will be helpful.

We’ve made a list of some of those questions to help you  understand the MSSP’s technology, philosophy, detection, response and standard operating procedures.

Questions to Ask MSSPs (and MDR Providers):

What is your team’s expertise across the following disciplines: 

• Threat hunting
• Security research
• Security analysis
• Security operations, security engineering, data science and IT operations
• Advanced detection methodologies
• Incident response
• Forensics

TIP: To really do due diligence, ask to interview specific individuals on the security team. Learn about what they do every day and their areas of expertise.

• What technologies are core to your MDR offering?
• What is your process for detection, investigation and response?
• Can you automatically orchestrate data and suppress events to limit investigation of false positives?
• How do you ensure you always have enough analysts and incident responders in your SOC? 
• How do you maintain a pipeline of recruits?
• How do you train your SOC to ensure proficiency?
• Are you able to provide metrics showing continuous improvements in analysis time?
• Can you detect XYZ activity?

For each scenario you present, ask which things will be collected to enable detection and what aspects of the attack will be detected. 

• What types of threats are you unable to detect?
• What are three new types of threatening behavior you can now identify due to improvements you’ve made in the last three months? (You want a provider that is continually improving their detection.)
• What is your average time to detection? To response?
• What is the false positive rate the provider’s internal SOC reports from its own detection technology on some of your detectors? (The key here is that internal false positives should be okay.)
• What is your customer-reported false positive rate? False negative rate? (Your MDR provider should be examining many different activities, even if they don’t convert to a threat.)

• Have your customers ever been breached? Walk through how that event happened and what your response was. Find out if a conversation with that customer can be arranged.
• Explain your detection and response roadmap. What new techniques and technologies will you incorporate into your offering?
• Who do customers typically interact with when they have questions on detections, response to best practices, implementation of the MDR service, etc.?
• How do customers hold you accountable? (You do not want an MDR provider focused on traditional SLAs. They should be focused on breadth and timeliness of detection and response.)

This line of questioning is useful for assessing all MDR offerings, not just those from MSSPs.

Types of Organizations That Typically Use MDR

Organizations of all sizes across all industries are enlisting MDR solutions to support their detection and response efforts. 

These organizations recognize their existing security program stops a large number of threats but also realize they can never realistically stop every threat. 

Commonly held beliefs by organizations using MDR: 

• Building an internal detection and response capability will be burdensome. There are new advanced services delivering a true capability that can be trusted to help secure an environment.
• Prevention will fail. No matter how many products are put in place, attackers will always find a way in. 
• Detection and response is a capability, not a product. The capability requires equal parts technology, process and expertise.
• Visibility, monitoring, detection and response is the only way to reliably identify attackers within an environment. 
• Satisfying compliance requirements is no longer enough and additional security investments must be made to reduce risk.
• Organizations using MDR might have a security operations center (SOC) with dedicated threat hunters who want a second set of eyes watching their environment. Or, they might have a lean security team managing day-to-day security operations with no extra time to build a full detection and response capability. 
• All are investing in MDR to accomplish one goal: quickly identify new  threats and limit an attacker’s time within their environment.

Can I Replace My MSSP With an MDR?

It depends on how the MSSP is used. Some MDR offerings include more of the services associated with a traditional MSSP. Others are staying focused on detection and response. Make sure you understand what the MDR can support for your company in terms of supplementing internal resources or an MSSP. 

Would I Ever Use MDR and an MSSP?

Yes. It is very common for organizations to use an MSSP in addition to MDR. This common combination has the MSSP handling the basic security functions while the MDR provider is specifically focused on identifying threats. 

It is not uncommon for a business to prefer the simplicity of partnering with only one managed vendor. For organizations that use this strategy, that will mean enlisting an MSSP for MDR, which opens the organization up to a high likelihood of relying on a sub-par MDR offering. As a result, the organization will either be continually disappointed with the MDR offering or disillusioned with its security. 

Many organizations recognize there is great value in partnering with two managed vendors. The vendors can backstop each other, hold each other accountable, and each can focus on their proficiencies. 

How Does Managed Endpoint Detection and Response (MEDR) Fit Into MDR?

Endpoint never lies. Since the onslaught of sophisticated attacks, this has never been more true. We repeat: Endpoint never lies. 

Attackers have gotten smarter and know how to disguise their tactics and techniques. Endpoint detection and response  (EDR) is a solution that can help organizations take control. 

Many internal teams and MSSP staffers come from a network security background so they  lack expertise in the intricacies of endpoint security. Endpoint detection and response requires a dedicated  team that has both the skill set and the time to search for potential threats, efficiently investigate incidents and hunt for previously unknown threats. 

The specialized nature of EDR and the intensive time necessary to use this product makes this a great case for MDR services. Providers delivering MEDR are hyperfocused on the endpoint, deeply analyzing the robust data to detect attackers as they try to “hide” on customers’ laptops and servers.

MDRs and MSSPs Service Questions?

We Can Help We’ve tried to streamline the pros and cons of MDR. We’d be happy to discuss the best solution for your business.  Contact us or book a no-obligation meeting. We’d be happy to help sort things out.