What is driving MDR into the mainstream?

Managed Detection and Response (MDR) is one of the biggest growth trends to hit cybersecurity for years. The security industry has seen big-digit growth rates in the past but almost exclusively for technologies. MDR, by contrast, is an integrated service, a format that has always been limited to big organizations with deep pockets.

So, what is driving MDR into the mainstream? The idea that cybersecurity should be deployed as a service isn’t new, with the Managed Security Service Provider (MSSP) sector growing rapidly over the last decade in lock step with the dramatic increase in cybercrime. But in the last five years, a new breed of MDR vendor has emerged that takes the MSSP model beyond simple detection by offering threat hunting, remediation, and more sophisticated incident response. It is this response element that defines MDR for organizations that need more than passive alerting.  

The question, then, is why organizations have become more inclined to trust a third-party with response when the security industry has been built on a DIY approach for decades. The answer to this varies a lot by sector and business size, but several factors have been influential.

Source

The ransomware puzzle

Ransomware has claimed a lot of big-name victims, many of whom have had to shut down at huge expense for days or weeks. Just as significant, away from the headlines, the same misery has been inflicted on many smaller organizations, including SMEs that might previously have seen themselves as too small to attack. Suddenly, everyone has the same problem and an organization’s size and industry sector are no defense. For smaller organizations, simply buying more detection technology isn’t an option even if they had any confidence it would work. For them, the real battle is response and having the expertise on hand to counter attacks as they unfold. In this context, turning ransomware defense into a service using MDR makes complete sense. Larger organizations, meanwhile, are replicating the same model inhouse in the form of dedicated Security Operations Centers (SoCs).

Pandemic working from home

The pandemic accelerated a long-term trend for employees to work from home. It now seems likely that some of this change in working patterns is here to stay. This has implications for security which becomes more demanding in a remote environment in which visibility and response times are less certain. At the core of defending employees at home is Endpoint Detection and Response (EDR) –protecting laptops, PCs, and other endpoint devices – which is offered as a module in most MDR services. The protections offered by this go beyond traditional anti-malware software, integrating context-aware security with a level of containment and security orchestration that would be impossible for SMEs outside of a MDR environment.

Complexity and Capex

For the longest time, the prevailing IT philosophy was to add features, make networks bigger by supporting more devices, and plug security holes with independent security layers or ‘point solutions.’ This led to IT sprawl and left organizations with the job of managing and securing multiple generations of technology, much of which had weak security design and a lengthening list of CVE-level vulnerabilities. Poorly integrated, it’s also an approach that eats money and demands hard-to-get skills. In contrast, MDR promises to simplify this, imposing a single service-level view of security over the network and its devices which doesn’t require constant upgrades or impose unknown costs.  Organizations get security and expertise at an agreed price that comes out of Opex rather than Capex.

A growing ‘attack surface’ 

In the past, organizations worried about defending PCs and servers. Today, this has expanded to include new assets such as cloud infrastructure, Operational Technology (OT), Internet of Things (IoT), and a web of cloud infrastructure (IaaS, PaaS, AWS, Azure/Microsoft365). Gathering and processing log data from so many additional sources in real time has become a huge undertaking. MDR cloud monitoring can do it all, maintaining detection without adding unnecessary complexity. 

Are there any drawbacks?

If the principle behind using MDR via an MSSP sounds simple, in an increasingly crowded market choosing a service is not always straightforward. Every MSSP and MDR can look similar. The first important differentiator is the size of organization and the sector an MDR vendor specializes in serving. Today, enterprise customers have a wide choice; smaller organizations face a more limited choice and might find the number of services on offer and the terms of service more restricting. Nevertheless, Gartner’s optimistic predictions for market growth suggest that MDR aimed at SMEs will be a big growth area. 

A second differentiator is the nature of the monitoring and incident response on offer.  This will only be a fit and forget service if the vendor has full access to an organization’s systems, which in medium and enterprise customers is unlikely to be unlimited for a variety of reasons, including compliance. Finally, organizations should assess the MDR vendor’s level of experience at coping with real-world incident response and their processes for communicating and supporting clients. Should disaster strike, the relationship between the inhouse team and the MDR team will depend on this relationship.