Managed Detection and Response (MDR) is a key element of operational security excellence. It provides organizations with scalable security resources and product expertise, enabling optimal performance against a wide range of threats.
However, every MDR vendor is different. Not all MDR solutions include the same features. Even among those that do, seemingly minor differences in approach can significantly impact security event outcomes. Choosing the right type of MDR vendor for your use case is vital.
MDR started when Endpoint Detection and Response (EDR) vendors realized that their customers were having trouble optimizing the use of their tools. Most organizations don’t have the internal security resources necessary to make full use of advanced security technologies in a self-sustaining way.
As a result, EDR vendors began to offer their technology to customers as a managed service. Over time, other security providers stepped in and expanded the service offering to include technologies like Security Information and Event Management (SIEM) and Network Detection and Response (NDR). Some also began offering valuable services like proactive threat hunting, 24x7 monitoring and incident response, and custom detection rule creation.
Today, modern MDR vendors combine technology implementation and management with in-depth product expertise and incident response. Your MDR vendor should act as an extension of your security team, providing three core services to your organization:
There is a great deal of variety in the MDR marketplace. Many providers evolved from different backgrounds, giving them varying strengths and weaknesses. Knowing how different types of MDR work can help you choose the right type for your organization.
1. MDR SaaS Providers
These are essentially software vendors that offer managed services on top of their primary offering, a Software-as-a-Service (SaaS) technology. Many of the best-known technology vendors in today’s market also offer MDR services that make their products more accessible to a wider customer base.
This approach has its benefits. You are likely to get high quality product expertise when purchasing MDR services directly from the SaaS provider who developed the product in the first place.
However, you may have to take on many of the daily operational responsibilities your vendor doesn’t cover. That might mean dedicating talent and resources to monitoring, detecting, and responding to threats instead of focusing on higher-impact strategic initiatives. Also, they may not offer deep expertise for technologies and platforms provided by other vendors.
2. Managed Service Providers (MSPs) with Third-Party MDR
In this case, you’re working with a managed IT service provider who subcontracts some of their security processes to a third-party MDR vendor. They may have experience deploying and leveraging the MDR services they integrate, but they are not directly responsible for them.
This can be attractive to smaller organizations that already outsource IT capabilities to an MSP. If your MSP can integrate threat detection and response into its suite of services, you can quickly improve security performance without taking on much additional risk. It can also make achieving regulatory compliance much easier.
The main drawback is that you don’t have much agency over your MSP’s choice of MDR vendors. You may find that they don’t have the specific features or expertise you’re looking for. There is also the risk of vendor lock-in, where your MSP ends up controlling most of your IT infrastructure.
3. Complete MDR Providers
These service providers focus exclusively on threat detection and response. That includes related services like 24x7 monitoring, proactive threat hunting, and incident response support. Instead of limiting you to using specific tools or technologies, your MDR partner empowers you to make better use of the tools you already have.
This scenario puts great responsibility on the MDR vendor and its Security Operations Center (SOC). It essentially acts as an extension of your team, providing 24x7 incident response and on-demand product expertise to your organization. You can scale your detection and response needs as your organization grows without having to add in-house talent to an internal team.
That means that a trustworthy MDR vendor staffed with diligent product experts can substantially improve your security posture at a fraction of the cost of adding in-house talent. Your in-house IT team can focus on the work it does best.
Security leaders can only implement MDR after successfully arguing the case to senior leadership. A major part of evaluating MDR vendors involves demonstrating the efficiencies they can enable in your specific business context.
This is where vendor-agnostic MDR providers have a significant advantage. Because they aren’t limited to using particular tools or platforms, they can focus on managing integrations in the most efficient way possible. Instead of suggesting expensive rip-and-replace implementations, they can help you make the most of legacy solutions without compromising on security or usability.
A complete MDR provider may also help you reduce costs associated with best-of-breed technology implementations. For example, instead of overpaying to store security logs directly in Exabeam, you could deploy an observability solution like Cribl to keep data in secure low-cost storage and deliver it to your SIEM on an as-needed basis.
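The tiering pattern described above (route only the events the SOC acts on into the SIEM, park bulk telemetry in cheap storage, and pull it back only when an investigation needs it) is easier to reason about with a concrete routing policy. The following is an added illustration written for this article, not Lumifi's, Cribl's or Exabeam's code; the event records, severity threshold, and the in-memory cold store standing in for object storage are all constructed for the example.

```python
"""
Constructed illustration of log tiering for a SIEM cost-reduction pipeline:
high-value security events go straight to the SIEM, bulk telemetry is parked
in low-cost storage, and cold data is replayed into the SIEM on demand.
Every event, name and threshold below is constructed for this example.
"""
import json
from collections import defaultdict
from typing import Callable, Dict, Iterable, List

# Constructed sample events. In a real pipeline these arrive from agents,
# syslog or cloud APIs; they are embedded here so the example runs offline.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:01Z", "source": "edr", "event": "alert",
     "severity": 8, "host": "ws-17", "msg": "Suspicious LSASS access"},
    {"ts": "2024-05-01T08:00:02Z", "source": "dns", "event": "query",
     "severity": 1, "host": "ws-17", "qname": "example.com"},
    {"ts": "2024-05-01T08:00:03Z", "source": "firewall", "event": "allow",
     "severity": 1, "host": "fw-1", "dst": "10.0.0.5"},
    {"ts": "2024-05-01T08:00:04Z", "source": "auth", "event": "logon_failure",
     "severity": 5, "host": "dc-1", "user": "jdoe"},
    {"ts": "2024-05-01T08:00:05Z", "source": "dns", "event": "query",
     "severity": 1, "host": "ws-22", "qname": "updates.example.net"},
    {"ts": "2024-05-01T08:00:06Z", "source": "firewall", "event": "deny",
     "severity": 4, "host": "fw-1", "dst": "203.0.113.9"},
]

# Routing policy (constructed): anything the SOC alerts or hunts on in real
# time is "hot" and goes to the SIEM; everything else is bulk telemetry.
SIEM_SEVERITY_THRESHOLD = 4
ALWAYS_HOT_EVENTS = {"alert", "logon_failure", "deny"}


def route(event: dict) -> str:
    """Return 'siem' for high-value events and 'cold' for bulk telemetry."""
    if event.get("severity", 0) >= SIEM_SEVERITY_THRESHOLD:
        return "siem"
    if event.get("event") in ALWAYS_HOT_EVENTS:
        return "siem"
    return "cold"


class ColdStore:
    """Stand-in for low-cost object storage, partitioned by source and day."""

    def __init__(self) -> None:
        self._objects: Dict[str, List[str]] = defaultdict(list)

    def put(self, event: dict) -> None:
        # Partition key such as "dns/2024-05-01" keeps replay scans narrow.
        key = f"{event['source']}/{event['ts'][:10]}"
        self._objects[key].append(json.dumps(event, sort_keys=True))

    def replay(self, predicate: Callable[[dict], bool]) -> List[dict]:
        """Scan cold partitions and return the events an analyst asks for."""
        hits: List[dict] = []
        for lines in self._objects.values():
            for line in lines:
                ev = json.loads(line)
                if predicate(ev):
                    hits.append(ev)
        return hits


def tier_events(events: Iterable[dict]) -> dict:
    """Split events into SIEM-bound and cold-stored sets and report the split."""
    siem: List[dict] = []
    cold = ColdStore()
    cold_count = 0
    for ev in events:
        if route(ev) == "siem":
            siem.append(ev)
        else:
            cold.put(ev)
            cold_count += 1
    total = len(siem) + cold_count
    return {
        "siem": siem,
        "cold": cold,
        "siem_count": len(siem),
        "cold_count": cold_count,
        # Share of volume that actually hits SIEM ingestion pricing.
        "siem_share": len(siem) / total if total else 0.0,
    }


def investigate_host(tiered: dict, host: str) -> List[dict]:
    """On-demand replay: pull a host's cold telemetry into the SIEM."""
    recalled = tiered["cold"].replay(lambda ev: ev.get("host") == host)
    tiered["siem"].extend(recalled)
    return recalled


if __name__ == "__main__":
    tiered = tier_events(SAMPLE_EVENTS)
    print(f"siem: {tiered['siem_count']}  cold: {tiered['cold_count']}  "
          f"siem share: {tiered['siem_share']:.0%}")
    recalled = investigate_host(tiered, "ws-17")
    print(f"replayed {len(recalled)} cold event(s) for ws-17 into the SIEM")
```

The point of the design is that the routing decision is a small, auditable policy rather than a per-source dump: the EDR alert on `ws-17` reaches the SIEM immediately, while the DNS query from the same host sits in cold storage until the analyst working the alert asks for it, so the investigation loses no context and the SIEM only bills for what was actually needed.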
Lumifi provides comprehensive detection and response services to organizations that need 24x7 monitoring powered by best-of-breed technology. We combine human expertise with a proprietary SOC automation platform called ShieldVision to enrich and contextualize security event data in near real-time. Speak to an expert to learn more about how we can help you gain visibility and control over your security posture.