Just like any other tech innovation of the last 30 years, sorting through all the noise about Managed Detection and Response (MDR) to understand what you need and don’t need is difficult. Independent third-party opinions are invaluable.
Another reason: “By 2025, 50% of organizations will be using Managed Detection and Response services for threat monitoring, detection and response functions that offer threat containment capabilities”, according to the strategic planning assumption in the 2020 Gartner MDR Services Market Guide.
That’s why we’re sharing the full Gartner 2020 Market Guide to Managed Detection and Response Services* as a complimentary download. This document is helpful for organizations considering an MDR service. It helps do several things:
Cut through the noise about MDR and assist with the process of evaluating vendors. We believe the Market Guide clearly articulates what features and capabilities a vendor must have to be an effective provider – we’re big fans of high fidelity detection, for example, something that gave us an advantage in the latest MITRE ATT&CK evaluation. Slight caveat: The most proficient tooling in the world is nothing without the right people, both in the end user security team and at the provider end.
Response capability – and speed – is fundamental. We’ve been banging the drum about this for a long time. Reducing this response gap is fundamental to defending the enterprise, and we think you must measure the viability of an MDR service on its ability to respond. It’s recommended that you couple MDR with an IR retainer. We’d go one step further and say IR is a core part of the Managed Detection and Response value proposition.
Why? Response included in your MDR service must do more than just tackle commodity malware. It needs to be able to contain and stop attacks (like human-driven ransomware) before they become serious problems.
Secondly, you want to make sure the IR and MDR resources work really well together, so there’s no gap when handing any incident off. A key message we’ve seen in the Market Guide chimes with our experience: MDR should be measured by ability to respond. Detection is important, but it’s nothing without an even better response capability.
This is a significant departure: look at traditional models like Managed Security Service Providers (MSSP) and Endpoint Detection and Response (EDR), and they’re often tuned to alerting in a timely fashion before calling in IR. It’s better to hear from your provider that they’ve stopped an attack in the early stages than to hear that they’ve seen signs an attack is underway and hey, you might want to bring in the Incident Response team.
Coupled to this: Trust is everything – and it’s growing. Organizations that take on an effective MDR service are increasingly willing to adopt a position that pre-authorizes their MDR provider to perform the action AND then discuss it, containing live attacks as soon as they’re spotted. This is something our Detection and Response Team (DRT) do as part of our service, saving customers the cost and delay of wheeling out the big IR guns for every single incident – even if it’s