If you have been keeping up with your security reading recently, you might have noticed an uptick in the ‘noise’ level about MDR. A) Is that true? B) If so, then why?
It is in fact true that there has been an increase in the level of ‘noise’ about MDR. If 2017 was the year of AI, then 2018 is arguably shaping up as the year of MDR. And there are good reasons for this uptick in the ‘noise’ level: A) customers are demanding it, and B) vendors are eager to provide it, for their own business reasons.
SOAR v. MDR
While you might be familiar with the term SOAR (security orchestration & automated response), SOAR is not the same as MDR - though they are related. Essentially, both market segments (MDR and SOAR) are responding to the same CISO customer frustration about security vendors: don’t just tell me I have a security problem; do something about it!
SOAR is a much larger vision of remediating that customer frustration, doing so across numerous disparate security and operational systems & devices within an organization. A worthy goal, but we’re not there yet, in terms of our technical maturity and, more importantly, the robustness of our internal processes.
MDR, on the other hand, is the younger brother of SOAR. MDR says: at least detect security problems on my (user) endpoints much more quickly, and respond to them accordingly. The goal of both MDR and SOAR is much faster and better (fewer false positives, and fewer false negatives) detection, and an automated, coordinated response to identified security problems. The faster I can detect, the faster I can respond, and the less time a malicious actor has for damage / exploitation. It is not enough anymore to simply cut down on dwell (compromise) time. A lot of damage can be done in a very short period of time. Just ask Sony Pictures. By the time the company became aware of the attack, by way of a release from the hackers themselves on November 24th, 2014, it was already practically game over. They were about as pwned as any organization ever has been.
Fast forward to 2018. How do I not become Sony Pictures - or Equifax? Well, how about much better detection, and near real-time detection (without a human analyst in the loop)? And, importantly for MDR, that means continuous monitoring not only of my network devices, but of my much more numerous end-user systems. That endpoint monitoring is even more important, because those devices often leave my facilities every night - unlike my network devices.
MSSP to MDR
For traditional MSSPs, the move (by some of them) to also providing MDR capabilities is not only a challenge to provide a quality new service, but also a huge business opportunity - thousands of new devices to monitor, per customer. And that means (potentially) increased revenue. But providing a quality MDR service, which your customers value and are willing to pay more for, is much more complex than merely adding an acronym and some sales collateral to the Web site.
Next week, I discuss what potential MDR customers should be looking for from prospective MDR providers. (Hint: less reliance on human analysts, far greater reliance on sophisticated analytics delivered by machine learning, and very mature incident response expertise.)
Interested in finding out more about sophisticated detection tools to support MDR? Contact PatternEx.