Just as I expected, my conversations at BlackHat 2019 mostly centered on how to define MDR, whether MDR will replace MSS, and which vendors are really MDR and which are not. Oh, and xDR was discussed too.
Here’s the net-net:
A critical evolution of outsourced security services is under way, and these three terms are interwoven and creating confusion in the market:
- MDR = managed detection and response, which in my mind categorically falls into the managed services arena.
- MSS = managed security service, which includes both management and monitoring of security devices and environment.
- xDR = [name the environment, or “x”] detection and response.
Let me start with market evolution: I see MDR becoming ubiquitous within MSS and also a standalone offering outside of MSS. (See my blog post “Is MDR the next MSS?”) Why? Because security’s mission is to find and thwart the adversary. MDR is outcome-based: it strives to detect the adversary through the use of algorithms and machine learning (ML) and to respond with a definitive action.
Endpoint detection and response (EDR) technologies first gave birth to MDR because, while the product alone was great and a huge step forward in detection, it still wasn’t enough. The fact of the matter is that we can’t mathematically search for an unknown adversary until we know what to look for. We can certainly look for anomalous behavior and correlate it to known malware, communication with command and control (C&C) servers, etc., but we can’t find what we don’t know to look for. ML can only learn what has been seen before. So, yes, xDR technologies are an advancement for the industry, but MSSPs discovered, in the early days of MDR, that vulnerabilities and even breaches got through the wall of these touted “prevention-only” technologies. Hence, even the initial EDR vendors began to offer services, as well they should.
Next, the taxonomy question: Where do these fit?
Other analyst firms have stated that MDR is a market and that it’s growing rapidly. I believe it’s a feature of the broader outsourcing or managed security services (MSS) market. And, yes, it’s growing rapidly. Outsourcing the management and monitoring of security devices has been around for several decades at least; IT outsourcing (ITO), even longer. Because security was highly specialized and not understood in the day-to-day IT shop, configuration, vulnerability scanning, and patch management were necessary ills to separate from IT. MSSPs offered “your mess for less” services to free up IT staff, bring security acumen and staff augmentation, and take on the depreciable costs of security assets, thereby shifting client cost to operational expense (OpEx).
There is a bifurcation occurring in this hotcakes-growth market that will ultimately split out the management piece of MSS (and perhaps send it back to ITO), leaving the sexier and less commoditized pieces on the monitoring side as the growth engine. For the last several years, MSSPs have added threat intelligence, threat hunting, advanced analytics, and incident response in order to give the end user what they need most: actionable detection and faster response. The management piece, while necessary, is becoming too low-margin for many MSSPs to continue offering. And, ultimately, as we move to cloudier and “SaaSier” environments, cloud providers will offer more and more controls and management of security within their infrastructure. SOAPA continues to grow as an architectural approach to automating and orchestrating threat detection, response, and analytics, and fits snugly alongside MDR on the monitoring, cool-kid side.
In order to be an MDR provider, the firm must have a “managed” piece replete with human analysts and a SOC. Firms that boast of their presence in the MDR arena but offer only the xDR portion—no doubt a necessary and superb technology for detecting and automating response via algorithms and ML—are not MDR providers in my opinion. If, on the other hand, the provider has SOC analysts who monitor the client’s xDR technology in play and work in tandem with threat hunters, advanced threat analysis, incident responders, and in some cases log management or SIEM capabilities, they earn the right to be called an MDR provider. I also believe that more is better: looking only at endpoints or the network has limitations, and a combination of those plus email, cloud, and servers is best. But ultimately, to play in a managed or outsourced space, these tools must have people and process wrapped around them to be an MDR.
And, interestingly, ESG research data hot off the press shows that buyers believe MDR is more effective than MSS.