Is Managed Detection and Response (MDR) the New Managed Security Service (MSS)?

As architectures move increasingly to the cloud, hybrid environments are harder to keep secure. Nearly nine out of ten (85%) respondent organizations in ESG’s 2019 Public Cloud Computing Trends are currently leveraging at least one of the three public cloud computing service models, with another 11% expressing plans for or interest in using these services.


Cloud service providers (CSPs) are coming down from the heavens to bring native services, infrastructure, and operating models to virtually any data center, co-location space, or on-premises facility, touting ease of management. But we still have our legacy environment that must mature. In the lifecycle of “configure your environment thoughtfully, practice good hygiene, keep up on threat prevention, prepare for the worst, respond to the inevitable, repeat,” prevention probably has the biggest bang for the buck right now in hybrid landscapes.


It’s evident from ESG research that threat prevention is hard enough to do with our old defense in depth strategies. In fact, 76% of those surveyed in a recent threat detection and response (TDR) study state that this aspect of cybersecurity is somewhat to much more difficult than it was two years ago, and the top two reasons for this challenge are volume and/or sophistication of threats and TDR workloads have increased. Security teams need help.

According to our research, most organizations are using or are interested in managed detection and response (MDR) services to improve threat detection and leverage existing MSSP relationships. Many MSSPs have built their own MDR or are partnering with others to provide this capability. Secureworks, for example, launched its first ever product, the Red Cloak Threat Detection and Response (TDR) application, last month.

MDR services and third-party managed security services are primarily used for detecting and responding to suspicious activities or verifiable cyber-attacks. MDR services can include staff augmentation, threat detection, threat hunting, threat response recommendations, and hands-on remediation and response actions. When asked about plans for managed detection and response services, more than half (51%) of respondents reported their organization was already using them, with another 42% indicating either plans for or interest in these services, and 84% stated high satisfaction with their MDR service. 

The reason for adoption is simple: continued cybersecurity staff shortages, a combination of complexity of TDR solutions with the need for rapid deployment, and, in roughly a third of responses, an existing relationship with an MSSP that offers said services. While today most prefer choosing their own MDR technologies and outsourcing the day-to-day management to a service provider in the future, there is a shift toward actively developing/building or purchasing an integrated software architecture for security operations tools to combine siloed security solutions. In other words, future buyers of MDR want a platform option that integrates all their security operations tools. And, our research says that 90% of respondents will be increasing budget on TDR overall in the coming 12-18 months.

This is good news for the 20+ MDR players in North America, which range from home security companies (ADT acquired Datashield in November 2017) through startup endpoint detection and response (EDR) players (like Crowdstrike and Cylance, recently acquired by Blackberry) to the largest consultancies (like Booz Allen Hamilton (BAH), which acquired Morphick in 2017). Why is this market exploding? Some CISOs I’ve chatted with say MDR is cheaper than hiring and retaining SOC analysts (and of course setting up a SOC). Others point to a belief that EDR is a critical box to tick in bringing an MDR player on board. Twenty-three percent of respondents in our research agree with this statement. And still others point to CSP relationships and/or big hosting clients or CSP support.

Technology stacks have been dispersed across our on-premises data centers and multiple cloud providers. It’s not going to get any easier to do threat prevention, and response is just too expensive (more on this shortly). MDR is becoming the new defacto managed security service (MSS) in perception if not reality. Folks need help managing their environment and not always to do config, vulnerability, and patching, but to get right to the heart of the matter: Detect the bad stuff and respond to it. That is MDR.

Topics: Cybersecurity