What Is Managed Detection and Response? Guide to MDR


Managed detection and response (MDR) goes beyond other managed security services by essentially giving organizations their own expert security analyst team to help identify and respond to cyber threats.

The emergence of MDR was in many ways inevitable. Security has become so time-consuming and complex that many organizations have realized, vital though the function is, that it lies well beyond their core competency and has become a distraction to their regular business model. And the cost of starting their own security operations center (SOC) is so daunting that the thought of outsourcing the function to a managed security services provider (MSSP) has become increasingly attractive.

Given the nearly impossible job of staying on top of cyber threats, it’s not surprising that security services now make up 45% of the $188 billion security and risk management market, according to Gartner. And MDR is leading the way with the fastest growth rate.


What is MDR?

MDR delivers the functions of a security operations center (SOC) — monitoring, detecting, analyzing, investigating, and leading the response to cyber threats in order to mitigate and contain them — but does so remotely, by monitoring logs, endpoint agents and other telemetry sources.

MDR services gather data from logs and other sources of contextual information, and skilled experts analyze it as part of incident management. MDR providers utilize a range of advanced technologies like behavior analytics, AI and machine learning to stay on top of threats. These services can cover on-premises environments, remote assets, cloud assets, and industrial control and operational technology environments.

MDR providers offer a range of technology, staff and services, such as:

  • 24/7 SOC coverage and analytics
  • A technology stack owned and managed by the service provider
  • Real-time threat monitoring, detection, investigation and mitigation
  • Staff that engage with customer data and intervene as needed
  • Orchestration and centralization of threat detection and response
  • Monitoring of cloud infrastructure and SaaS applications such as Microsoft 365, Google Workspace, Workday, Salesforce, and Box
  • Routine threat hunting of customer environments

How Managed Detection and Response Works

MDR gives organizations the ability to set up a security operations center (SOC) function to stay on top of threats around the clock, something even large enterprises struggle to do.

When a threat is detected, MDR analysts offer remediation guidance to the customer and conduct an extensive investigation and analysis to identify the extent of the threat. Ideally, dedicated MDR analysts develop a deep understanding of the customer’s environment, in essence giving the customer its own SOC without the 7-figure startup cost.

“MDR blends the necessary people, expertise, processes, and technology to rapidly detect, analyze, investigate, validate, and respond to threats across the modern environment – endpoint, network, application, and cloud services layers,” said Jeremiah Dewey, Rapid7’s Senior Vice President for Managed Services Delivery.

MDR, Dewey added, is a partnership that strengthens an organization’s security posture by addressing three core approaches to security: proactive, reactive, and strategic. This partnership aligns MDR teams where they can have the most impact and helps internal teams focus on other vital security and business priorities. Rapid7 offers an MDR buyer’s guide (gated) looking at critical considerations, common RFP questions, and more.

The InsightIDR XDR platform is at the heart of Rapid7’s MDR service

Jeff Pollard, an analyst at Forrester Research, adds that skill in threat hunting has become more important than ever. He said many service providers say they offer threat hunting as part of MDR, but a large number only provide automated systems that do a light form of threat hunting. Certainly, automation and AI play an important part in the best systems. But what differentiates the top-notch ones from the rest is the human touch.

“MDR vendors emerge from plenty of different backgrounds,” said Pollard. “Threat hunting, performed by humans, is a must-have for any MDR provider.”

Top 4 Benefits of MDR

MDR has many benefits. But the most important involve adding critical security analyst capabilities to your team.

  • You engage a team of security intelligence experts who are experienced at dealing with the latest attack vectors across hundreds of different customer sites and environments.
  • You fill gaps in security coverage across nights and weekends in addition to adding greater security during business hours.
  • You have access to the latest tools and technologies, and the confidence that they’re up to date.
  • You can free your IT staff from security worries and duties that they may not be fully equipped for so they concentrate on projects that have strategic importance to the business.

The Two Common Problems MDR Addresses

Modern businesses are under assault on all fronts by cyber attackers who live and breathe the latest tactics, techniques and procedures (TTPs) that give them an advantage in their efforts to breach enterprise and SMB defenses. Few businesses can match that with the same level of dedication and resources on the defensive side. Businesses want their IT personnel adding value, not putting out security fires. MDR providers solve those problems by offering a team of security pros dedicated to defenses and threat hunting, giving you instant SOC capabilities.

The other common problem managed detection and response addresses is the cybersecurity skills gap. There are huge numbers of unfilled security positions across the IT and enterprise landscape. To find the best talent, you have to be willing to pay top dollar. Many businesses can’t afford that, and those that can must compete against the likes of Silicon Valley titans and financial services giants. Those that do manage to lure great security resources have to work overtime to try to retain them. Headhunters are always on the prowl with lucrative offers for cybersecurity stars. MDR solves these personnel headaches by paying for the talent as a service, leaving the hiring headaches to the service provider.

And managed security service providers seem to do a good job with all those challenges: The majority of MSSPs that participated in MITRE Engenuity’s first-ever ATT&CK Evaluations for Managed Services last year posted strong results.


MDR vs. Other Types of Security

MDR is one way to augment cybersecurity resources, but it’s not the only one. Here are a few of the services it competes with.

What Is the Difference Between MDR & MSSP?

An MSSP is a blanket term for a cybersecurity services provider that can offer a range of specialized services, such as SOC-as-a-Service (SOCaaS), MDR, or management of various security tools. MDR is a specific service – often considered a targeted subset of an MSSP offering – that in-house security teams may leverage to help detect and respond to threats and breaches.

MDR, then, is one service that an MSSP can offer, albeit one that offers security at a deeper level than most MSSPs. Not all MDR or MSSP services are created equal, however. There are differences in a service provider’s ability to effectively detect, investigate, respond, and collaborate with the end customer.

“Generally speaking, legacy MSSPs manage multiple security technologies and relay alerts or notifications to the customer,” said Rapid7’s Dewey. “It is up to that organization to take those notifications to the next step of response.” 

In recent years, though, some MSSPs have evolved their services by incorporating more elements of MDR to take on triaging, response, and mitigation of threats. At the high end, MDR supplies a dedicated, deep level of threat detection and response expertise and service depth that can only be provided by expert specialists.


What Is the Difference Between MDR & Managed SIEM?

Security Information and Event Management (SIEM) is a centralized security management system that ingests log data from a wide range of network hardware and software systems and analyzes that data in real time. A SIEM’s purpose is to correlate events across those sources and spot anomalies or patterns of behavior that may indicate a security breach – using threat intelligence feeds so that it is aware of new indicators as they emerge – and to present the data in a manageable, easily understood form that security staff can interpret effectively. SIEMs are also used to collect log information from security and other systems to generate reports for compliance purposes.
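To make the correlation idea concrete, here is an added example that is not code from this article, Rapid7 or any SIEM vendor. It runs two rules of the kind a SIEM (or the analyst tuning it) would write over a handful of constructed sshd-style authentication lines: a brute-force rule that fires only when a burst of failed logins for one user and source IP is followed by a successful login within a time window, and a threat-intelligence rule that flags any event from a listed IP. The line format, the five-failure threshold, the ten-minute window and the intelligence list are all assumptions made for the demo.

```python
"""SIEM-style correlation over constructed authentication log lines.

Added example for illustration; not code from the article or any SIEM
vendor. The sshd-like line format, the failure threshold, the time window
and the threat-intelligence list are all assumptions made for this demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events from three hosts (assumed simplified format).
SAMPLE_LOGS = """\
2024-03-01T08:00:01Z host1 sshd: Failed password for alice from 203.0.113.7
2024-03-01T08:00:04Z host1 sshd: Failed password for alice from 203.0.113.7
2024-03-01T08:00:09Z host1 sshd: Failed password for alice from 203.0.113.7
2024-03-01T08:00:12Z host1 sshd: Failed password for alice from 203.0.113.7
2024-03-01T08:00:15Z host1 sshd: Failed password for alice from 203.0.113.7
2024-03-01T08:00:20Z host1 sshd: Accepted password for alice from 203.0.113.7
2024-03-01T08:05:00Z host2 sshd: Failed password for bob from 198.51.100.9
2024-03-01T09:30:00Z host2 sshd: Accepted password for bob from 198.51.100.9
2024-03-01T10:00:00Z host3 sshd: Accepted publickey for carol from 192.0.2.44
"""

# Constructed threat-intelligence feed: source IPs reported as malicious.
INTEL_BAD_IPS = {"192.0.2.44"}

# Rule tuning (assumptions): N failures inside WINDOW, then a success.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) "
    r"\S+ for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(line):
    """Normalize one raw line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def correlate(raw_logs):
    """Run two correlation rules over the lines and return the alerts raised.

    brute_force_success: at least FAIL_THRESHOLD failed logins for the same
        (user, source IP) within WINDOW, followed by an accepted login from
        that same pair. A single failure, or a success long after the
        failures, does not fire.
    intel_match: any authentication event whose source IP is on the feed.
    """
    alerts = []
    recent_failures = defaultdict(deque)  # (user, ip) -> failure timestamps
    for line in raw_logs.splitlines():
        ev = parse(line)
        if ev is None:
            continue  # unparseable lines are skipped, not fatal
        if ev["ip"] in INTEL_BAD_IPS:
            alerts.append({"rule": "intel_match", "user": ev["user"],
                           "ip": ev["ip"], "host": ev["host"], "ts": ev["ts"]})
        key = (ev["user"], ev["ip"])
        window = recent_failures[key]
        # Drop failures that have fallen outside the sliding window.
        while window and ev["ts"] - window[0] > WINDOW:
            window.popleft()
        if ev["outcome"] == "Failed":
            window.append(ev["ts"])
            continue
        if len(window) >= FAIL_THRESHOLD:
            alerts.append({"rule": "brute_force_success", "user": ev["user"],
                           "ip": ev["ip"], "host": ev["host"],
                           "failures": len(window), "ts": ev["ts"]})
        window.clear()  # a success resets the count for this pair


    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

On the sample data the brute-force rule fires once for alice (five failures in nineteen seconds, then a success) and the intelligence rule fires once for carol; bob’s single failure and his success 85 minutes later do not fire, which is the point of correlating across events rather than alerting on each failed login. A real SIEM adds the same logic at scale, across many sources and with the intelligence list refreshed from live feeds.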

But SIEM management demands expertise, such as the ability to correlate data across systems and recognize when an alert should be acted on immediately. Thus, managed SIEM services take care of the management of that technology for customers. Some providers also deliver MDR services using SIEM technology. For example, Rapid7’s MDR service leverages XDR as well as SIEM technology (InsightIDR) to aggregate data and use it to drive detection and response outcomes.

“An MDR service should be focused on the outcome – rapid detection, investigation, and response to threats in the environment – not just keeping a technology stack running,” said Dewey.

Managed security services can also address smaller but still important tasks such as managed firewalls or patch management services.


What Is the Difference Between EDR, MDR, and XDR?

Don’t be fooled by the “DR.” Despite similar acronyms, MDR, EDR and XDR are quite different.

Endpoint detection and response (EDR) is a technology solution for securing and centrally managing endpoints across a network. Beyond the signature matching of traditional antivirus, an EDR agent continuously records endpoint activity such as process execution, file and network events so that threats can be detected, investigated and contained on the endpoint.

Extended detection and response (XDR) platforms tie together a range of security tools to work across the modern IT environment – endpoints, networks, applications, users, and the cloud.

EDR and XDR are both tools, and tools require people to manage them and make them effective.

MDR, on the other hand, is a service that combines technology (often with EDR and XDR solutions as core components) with security experts and processes to deliver outcomes that go beyond the capabilities of a single tool.

The best approach is one that uses comprehensive detection and response visibility, with layers of security to increase the depth of defenses. Even if you already have tools like EDR, XDR, SIEM and firewalls, an MDR service can help you get the most out of them while augmenting your IT staff.

“By using an MDR service as a partner in security operations, customers can realize the benefits of EDR or XDR while having that team of experts to better detect and respond to threats that can come from an endpoint, as well as network, user, and cloud threats,” said Dewey.

Who Should Use an MDR Solution?

There are many types of buyers of MDR services. But a common thread among them is that security teams often find it difficult to fully operationalize their security programs. The costs to stand up a SOC, implement the right technology, and drive an effective security process can be daunting. Keeping up only grows more difficult as the threat landscape morphs in ever more malicious directions.

“Use MDR services to obtain 24/7, remotely delivered, modern security operations center capabilities when there are no existing internal capabilities, or when the organization needs to accelerate or augment existing security operations capabilities,” said Gartner analyst Peter Shoard.

MDR providers help organizations face these challenges by bridging the security achievement gap and operationalizing the program. Even large internal operations teams use MDR as a second set of eyes. As MDR service providers often see hundreds, if not thousands of customer environments, that scale can be useful for those wanting to stay on top of what is happening across the threat landscape.

MDR offerings differ from provider to provider; they are not one-size-fits-all services. Some providers offer only core detection and response functions. Some customers, on the other hand, may want a provider that also takes on management of other technologies, such as firewall management, IT administration or break/fix support. In that case, they should seek out an MDR provider that can proficiently and cost-effectively provide deep detection and response expertise alongside those other security and IT disciplines.

Care should be taken in selecting an MDR provider. As their numbers increase, so does the range of service styles they offer. Gartner recommends that users assess how the provider’s containment approach integrates with existing organizational policies and procedures. Further tips include investigating whether the provider’s technology stack, or the set of technologies it supports, is a good fit with existing security technologies and controls as well as the on-premises and cloud environments in use. Some vendor MDR offerings are better suited to certain platforms than others. Similarly, certain providers have a firm focus on and experience in specific verticals.

MDR may not be for everyone. Those lucky enough to possess a large, skilled cybersecurity team with the bandwidth to stay on top of every aspect of security can perform the services of MDR or an MSSP as well, and depending on the team and the organization’s commitment, possibly better.

Bottom Line: Managed Detection & Response

There is no doubt that MDR will be adopted by many more organizations in the near future. According to Shoard, half of all organizations will be using MDR services for threat containment and mitigation within two years. By then, the market will be worth more than $2 billion annually, up from $1 billion in 2021. Other analysts say the MDR market is as big as $5 billion. Whatever the source, it’s growing significantly faster than the cybersecurity market as a whole.

Any business struggling to keep its head above the dangerous waters of cyber threats should seriously consider handing over detection and response duties to an MDR provider. With the right provider in place, the organization is freed to focus on what it does best – providing products and services to its clientele.

Drew Robb