The short answer is that not every company has its own SOC. Not everyone is looking at MDR services for the same reason, though, so the answer is not that simple. Overall, companies look towards MDR for some of the following reasons:
They do not have a security operations team and, as such, want to outsource security monitoring operations to a 3rd party specializing in that field.
They have a limited security operations team, but using an MDR provider will ensure that team remains more focused on service output than having to do most of the frontline workload (as well as numerous other security operations tasks).
They have a security operations team and could do (or perhaps already do) the 24×7 monitoring themselves. Still, they would like to offload the frontline threat detection to a company specializing in doing just that. Staff retention issues often drive this. Finding security analysts is hard, and keeping them is even more challenging. When analysts can be doing more diverse and exciting work (such as Threat Hunting or Incident Response), their job becomes more attractive and fulfilling, and they are more likely to stay.
Some companies have their own SOC and are perfectly happy with that solution. But for others, it is not possible to provide an equivalent function themselves, for the reasons we mentioned earlier: time, skills, money. Take small companies in the UK market, for example: the average cost of a security analyst is somewhere in the region of £50k per year[i]. To deliver 24×7 coverage you will need at least 5 or 6 analysts on shift, so already (without recruitment, training, benefits, etc.) that is £250-300k per year. And of course, you need to go and find those people. That is without considering the tools they need, the processes that need to be developed, and the time it takes to become operational.
An MDR provider will have resources. They will have a dedicated function just for Managed Detection and Response (often including a team that will run the MDR tooling as well, which is less work for businesses).
Caution: some non-specialist Managed Security Services (or even Managed Services) generalists are trying to get into Managed Detection and Response having seen the growing market. It is not easy to deliver a good MDR service. It is far from a commodity, so if you choose this option, pay attention to the experience and the focus that the MDR provider brings to the function (and therefore to you, as a customer).
Analyst reports can be useful tools to help you choose the best MDR provider for your business. The most recent, Gartner’s Market Guide for Managed Detection and Response Services, was published in August 2020 and lists Orange Cyberdefense as a Representative Vendor for MDR services.
MDR providers have many customers from whom they can glean global threat intelligence, something that is challenging to recreate in a SOC running inside a single business. It is not just a case of having the data but of knowing how to analyze it. Research and Development functions are crucial to unlocking the potential of threat intelligence.
Any MDR provider of a mature state will have 24×7 resources, fully staffed with security analysts. This is a real advantage for any business, because the MDR provider can share those 24×7 resources across customers, thus bringing down the cost of such a function.
Stay vigilant and be careful of providers that rely on automation or on shift workers who are not security analysts. This can make for an inconsistent experience outside office hours.
Our analysis would not be fair if we were only focused on the positive side of MDR. With any service, there are things you need to know as a client:
An MDR provider will never have the same deep-level business understanding as… you. This is why coordination between your MDR provider and your staff is critical. A good MDR provider will have dedicated experts acting in a Technical Account Management or Consultant capacity, who collaborate with the Security and IT teams to bring that business context into the service and customize it continuously over time.
Also, an MDR provider often does not have the same level of access to IT systems as internal staff and, as such, may not be able to respond to an incident as quickly as the internal team would. This needs to be addressed at the beginning of the collaboration, to find ways to shorten the response time if an attack were to occur. One example is to give the MDR provider at least the capability to isolate endpoints or lock down accounts used to perpetrate attacks (or to take this function, and the accompanying tools, as part of the service).
As in any business, not all MSSPs are equal. There are many different ways to produce a Managed Detection and Response service. And the outcome can be very, very different. Some MSSPs do not provide enough value. They just send alerts that businesses still need to do a lot of investigation on themselves and, as such, are not lightening the load on the company which procured their services.
Some companies find themselves disappointed in the Service, only receiving emails like this: “There is a critical alert on your firewall, you should investigate this further.” It’s just one example of MDR at its worst. The good thing is that as time moves on and the market space is more crowded, MDR providers have to do better and provide a greater depth and range of services and outcomes for their customers.
When talking to customers, one of the first things we usually get asked is: “What can we do to make sure this is a success?”
Without customer collaboration, MDR does not work. You get a service that is neither customized nor engaging and does not solve any problem. So, the first thing to do when you start with MDR is to work closely with the MDR provider. Remember: the one thing you will never outsource is the in-depth knowledge of your business that only you have, and this is what your MDR provider needs.
The next step is really to look at where to begin. Many companies still ask for a traditional, Managed SOC/SIEM combination.
This used to be a natural pairing: if you wanted proactive security analysis of events from your IT environment, then yes, you needed a SIEM and a SOC team to manage it. This is no longer the case. In introducing the SOC Nuclear Triad[ii] as a concept, Gartner shared new ideas (back in 2015) that to achieve full visibility and maturity in security operations, SIEM was not enough anymore. More recently, not only has this idea developed further, but so has the notion that sometimes SIEM is not even the starting point.
If we go back to COVID-19, for example, and the risk profile for most companies right now, securing the endpoint is hugely important. So Endpoint Detection and Response (EDR) solutions, combined with MDR services, become much more attractive (especially given their time-to-deploy and time-to-value compared with SIEM). We also see an uptake in Network Detection and Response (what some might call the modern-day version of intrusion detection systems) in response to more diverse, cloud-driven networks.
Having matured our services to the point where we can offer all three of these options, either individually or, more powerfully, together as a full MDR proposition, Orange Cyberdefense has developed its Threat Detection Framework to help customers visualize what the deployment of different service options looks like.
Modeled explicitly on their environment and the type of data they can provide us with, we work with customers to set target visibility across the critical phases of the kill chain and look at ways to help them achieve that.
Figure 1: Threat Detection Framework example visualization; source: Orange Cyberdefense
This framework aims to:
Ensure the customer understands our coverage and where we may currently lack visibility.
Identify opportunities to increase visibility, by adding additional logs, placing new network sensors in their network, or rolling out EDR agents.
Visualize and model the impact of adding a new service, or help convince business stakeholders to provide additional log data (where there are sometimes internal challenges in doing so).
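To show the kind of gap analysis such a framework performs, here is an added toy visibility-coverage model; it is not Orange Cyberdefense's framework, and the kill chain phase names, data source names and per-source coverage scores are constructed assumptions for illustration. Given the data sources a customer can provide and an agreed target visibility per phase, it reports the phases below target and which single additional source (more logs, network sensors, or EDR agents) would close the most of that gap.

```python
# Added example: toy visibility model in the spirit of a Threat Detection
# Framework. Phase names, source names and coverage scores are constructed
# assumptions, not real framework values.

KILL_CHAIN = ["recon", "delivery", "exploitation", "installation", "c2", "actions"]

# Assumed contribution (0-1) of each data source to visibility in each phase.
SOURCE_COVERAGE = {
    "firewall_logs":      {"recon": 0.4, "delivery": 0.3, "c2": 0.5},
    "email_gateway_logs": {"delivery": 0.6},
    "edr_agents":         {"exploitation": 0.7, "installation": 0.8, "actions": 0.6},
    "ndr_sensors":        {"recon": 0.5, "c2": 0.7, "actions": 0.4},
    "ad_auth_logs":       {"installation": 0.3, "actions": 0.5},
}

def phase_visibility(sources):
    """Combine sources per phase as independent detection chances: 1 - prod(1 - c)."""
    vis = {}
    for phase in KILL_CHAIN:
        miss = 1.0
        for src in sources:
            miss *= 1.0 - SOURCE_COVERAGE.get(src, {}).get(phase, 0.0)
        vis[phase] = round(1.0 - miss, 2)
    return vis

def coverage_gaps(sources, target):
    """Phases where current visibility is below the agreed target, with the shortfall."""
    vis = phase_visibility(sources)
    return {p: round(target[p] - vis[p], 2) for p in KILL_CHAIN if vis[p] < target[p]}

def best_addition(sources, target):
    """Single unused source that removes the most total shortfall (what to onboard next)."""
    base = sum(coverage_gaps(sources, target).values())
    best, best_gain = None, 0.0
    for cand in SOURCE_COVERAGE:
        if cand in sources:
            continue
        gain = base - sum(coverage_gaps(sources + [cand], target).values())
        if gain > best_gain:
            best, best_gain = cand, gain
    return best, round(best_gain, 2)

# Constructed scenario: a customer that can only provide firewall and email logs,
# with a uniform 70% visibility target across all phases.
TARGET = {p: 0.7 for p in KILL_CHAIN}

if __name__ == "__main__":
    current = ["firewall_logs", "email_gateway_logs"]
    print("visibility:", phase_visibility(current))
    print("gaps:", coverage_gaps(current, TARGET))
    print("onboard next:", best_addition(current, TARGET))
```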
The framework is developed and actively used by our 11 CyberSOCs distributed worldwide (UK, Sweden, Poland, Russia, China, India, France, Netherlands, and Germany), and sales and services support in 160 countries. We offer global protection with local expertise.
If you want to know more, please use the contact form right here.