For most organisations, cyber security is a secondary function. It’s essential but can feel like a distraction from their true business.
Trying to build and maintain a cutting-edge cyber security program—including real-time threat detection and response capabilities—is typically expensive, time-consuming, and frustratingly ineffective for these organisations.
Thankfully, there’s an alternative: MDR.
MDR stands for Managed Detection and Response—a catch-all term for managed security services related to security operations and incident response. Provided by a Managed Security Services Provider (MSSP), MDR services can extend an organisation’s in-house security or IT capabilities or complement an existing outsourced IT provider.
A quality MDR service combines security technology, expertise and architecture to give the customer thorough detection and response coverage across its full attack surface. Precise implementations vary with the customer's needs.
For example, an SME likely has very different needs than a much larger organisation in terms of the IT infrastructure to be protected and the level of support required. Similarly, an MSSP would provide a different level of MDR service for a business that already has some full-time security personnel compared to a company that outsources IT altogether and has minimal security.
While there is no standard framework for MDR services, most quality implementations include the following:
Endpoint detection and response: technology and processes designed to detect, investigate and contain security incidents on endpoint devices such as laptops, smartphones and servers. This generally pairs an EDR solution, which identifies possible incidents and raises alerts, with a human analyst who investigates, triages and remediates them.
Network detection and response: where EDR watches individual hosts, NDR aims to detect suspicious and malicious behaviour at the network layer, including traffic from devices that cannot run an EDR agent. This usually combines an NDR solution that monitors and analyses raw network traffic with a human analyst who triages, investigates and responds to its alerts.
Security operations centre: a team of experienced analysts dedicated to detecting, assessing and responding to cyber threats. A SOC typically operates 24/7/365 by rotating team members across shifts. In addition to EDR and NDR, an effective SOC uses log management, analytics and threat-intelligence tooling to support incident detection, investigation and response.
By combining these capabilities—plus others required to meet a customer’s specific needs—an MDR provider has everything in place to detect, investigate, and respond to threats arising anywhere in the customer’s IT environment.
While each provider naturally has its own operating procedures, most MDR services follow an incident workflow that roughly resembles the following:
Detection. Preventive controls such as firewalls stop many threats at the perimeter, but some evade them. The MDR provider detects these by collecting activity logs and telemetry from across the IT environment and using a combination of automated analytics and expert human analysis to distinguish legitimate usage from suspicious or malicious activity.
Prioritisation. When a potential incident is identified, the next step is determining its severity. MDR providers combine human expertise, current threat intelligence, data analytics and a detailed understanding of the customer's environment (for example, which assets are business-critical) to identify the highest-priority threats for immediate attention.
Investigation. Once prioritised, an experienced analyst investigates each incident to eliminate false positives and identify the steps needed to remediate confirmed threats. This step relies on analyst expertise and security tooling.
Remediation. Many incidents require prompt, accurate remediation to limit damage to the customer's environment or data. In most cases it is impractical (or undesirable) for an MDR provider to hold full administrator access to a customer's environment, so providers typically identify the correct steps and guide the customer's IT staff, security personnel or outsourced provider through them to ensure full remediation. Any actions the provider is authorised to take directly, such as isolating a host through the EDR agent, should be agreed in advance so that containment is not held up by an out-of-hours approval chain.
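The detect, prioritise, investigate and remediate steps above, reduced to a runnable sketch. This is an added example, not CyberOne's tooling or any vendor's product: the asset inventory, threat-intelligence indicators, telemetry events, allowlist entries, rule names, thresholds and playbook text are all constructed for illustration, and a real service would run logic of this kind inside its SIEM or EDR platform rather than a standalone script.

```python
"""Minimal detect -> prioritise -> investigate -> recommend pipeline over
constructed EDR and NDR telemetry. Added example; every data value below is
made up for illustration."""
import ipaddress
from collections import defaultdict

# Constructed asset inventory; criticality 1 (low) to 5 (crown jewels).
ASSETS = {"laptop-jsmith": {"criticality": 1},
          "fileserver01": {"criticality": 2},
          "dc01": {"criticality": 5}}
# Constructed threat intelligence: documentation-range IP, dummy hash.
BAD_IPS = {"203.0.113.45"}
BAD_HASHES = {"ab" * 32}
# Constructed internal address space, declared explicitly rather than using
# ipaddress.is_private (which also treats documentation ranges as non-global).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Constructed tuning exceptions learned in earlier investigations:
# (host, rule, destination) -> nightly offsite backup is expected egress.
ALLOWLIST = {("fileserver01", "large_egress", "198.51.100.7")}

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
PLAYBOOK = {  # recommended steps; guidance for the customer, not executed here
    "office_spawns_script_host": "Isolate host via EDR agent; collect process tree and source document",
    "encoded_powershell": "Decode the command line; check scheduled tasks and Run keys for persistence",
    "known_bad_destination": "Block destination at the perimeter; search proxy logs for other callers",
    "known_bad_hash": "Quarantine the file; hunt the hash across all endpoints",
    "large_egress": "Identify the responsible process; assess what data left the network",
}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def detect(event):
    """Detection: return (rule, base_severity) pairs that fire on one event."""
    hits = []
    if event["type"] == "process":
        image, parent = basename(event["image"]), basename(event.get("parent", ""))
        tokens = event.get("cmdline", "").lower().split()
        if image in SCRIPT_HOSTS and parent in OFFICE_PARENTS:
            hits.append(("office_spawns_script_host", 3))
        if image == "powershell.exe" and any(t in ("-e", "-enc", "-encodedcommand") for t in tokens):
            hits.append(("encoded_powershell", 2))
        if event.get("sha256") in BAD_HASHES:
            hits.append(("known_bad_hash", 4))
    elif event["type"] == "conn":
        if event["dst_ip"] in BAD_IPS:
            hits.append(("known_bad_destination", 3))
        if event["bytes_out"] > 1_000_000 and not is_internal(event["dst_ip"]):
            hits.append(("large_egress", 2))
    return hits

def prioritise(events):
    """Prioritisation: group hits per host; score = worst base severity times
    asset criticality, plus one per extra corroborating rule."""
    per_host = defaultdict(list)
    for ev in events:
        for rule, sev in detect(ev):
            per_host[ev["host"]].append((rule, sev, ev))
    incidents = []
    for host, hits in per_host.items():
        crit = ASSETS.get(host, {"criticality": 2})["criticality"]  # unknown asset: medium
        score = max(s for _, s, _ in hits) * crit + len({r for r, _, _ in hits}) - 1
        incidents.append({"host": host, "score": score, "hits": hits})
    return sorted(incidents, key=lambda i: i["score"], reverse=True)

def investigate(incident):
    """Investigation: drop hits covered by tuning exceptions; an empty result
    means the incident closes as a false positive."""
    survivors = []
    for rule, _, ev in incident["hits"]:
        if (incident["host"], rule, ev.get("dst_ip")) in ALLOWLIST:
            continue
        if rule not in survivors:
            survivors.append(rule)
    return survivors

def run(events):
    """Full workflow: returns ranked incidents with recommended actions."""
    results = []
    for inc in prioritise(events):
        rules = investigate(inc)
        results.append({"host": inc["host"], "score": inc["score"],
                        "status": "escalate" if rules else "false_positive",
                        "rules": rules, "actions": [PLAYBOOK[r] for r in rules]})
    return results

# Constructed telemetry: two EDR process events and three NDR connection events.
EVENTS = [
    {"src": "edr", "host": "laptop-jsmith", "type": "process", "user": "jsmith",
     "parent": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgAIAA=", "sha256": "11" * 32},
    {"src": "ndr", "host": "laptop-jsmith", "type": "conn", "dst_ip": "203.0.113.45",
     "dst_port": 443, "bytes_out": 2_400_000},
    {"src": "ndr", "host": "fileserver01", "type": "conn", "dst_ip": "198.51.100.7",
     "dst_port": 443, "bytes_out": 48_000_000},
    {"src": "ndr", "host": "fileserver01", "type": "conn", "dst_ip": "10.0.5.20",
     "dst_port": 445, "bytes_out": 3_000_000},   # internal SMB copy, not egress
    {"src": "edr", "host": "dc01", "type": "process", "user": "SYSTEM",
     "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\Temp\\svchost.exe", "cmdline": "svchost.exe", "sha256": "ab" * 32},
]

if __name__ == "__main__":
    for r in run(EVENTS):
        print(r["score"], r["host"], r["status"], r["rules"], *r["actions"], sep="\n  ")
```

Two points the sketch makes that the prose only states: asset criticality, not just rule severity, drives the queue (a single known-bad hash on the domain controller outranks four corroborating hits on a low-value laptop), and remediation comes out as recommended actions for the customer's administrators rather than commands the script executes, which is the guidance model described above.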
Learning. An expert MDR provider continuously learns from the incidents and activity observed in a customer's environment and uses that knowledge to tune detections and prevent similar incidents from recurring.
Improvement. MDR providers should also support customers in continuously tightening their security programmes by redesigning systems, technology stacks and processes to minimise cyber risk and protect key assets and data from evolving threats.
Should your organisation work with an MDR provider?
An MDR provider can deliver 24/7/365 coverage at a fraction of the cost of building the same capabilities in-house. For most SMEs—and even some larger organisations—the cost of developing serious threat protection capabilities is prohibitive, while working with an MDR provider is much more realistic.
As with an in-house Security Operations Centre (SOC), scaling is one of the toughest parts of building in-house threat detection and response capabilities. An MDR provider removes much of this concern, since it can scale the service as the customer's needs change.
The threat landscape constantly evolves, necessitating continual investment in training, tooling and process redesign to protect an organisation against the latest threats. An MDR provider absorbs this cost more easily, because detection and response is its core business and the investment is spread across its customer base.
For some organisations, it’s worthwhile to invest in building and maintaining world-class cyber security capabilities even though their core business lies elsewhere. However, managed alternatives like MDR are more cost-effective for many and provide a greater security ROI.
Want to see how MDR could protect your organisation from evolving cyber threats at a substantially lower cost than developing the same capabilities in-house? CyberOne provides the UK’s most advanced MDR service, delivered from our award-winning Cyber Defence Centre in Milton Keynes.
Contact us today to learn how CyberOne can help protect your business.