How MSSPs can Beat MDRs at their Own Game


The managed detection and response (MDR) market is exploding, and much of that growth is coming at the expense of managed security service providers (MSSPs), D3 Security asserts. We don’t have exact numbers on how many companies have replaced their MSSPs with MDRs, but the growth of MDRs is staggering on its own.

Depending on what report you cite, the MDR market has a compound annual growth rate (CAGR) of between 16% and 20%. In its 2020 Market Guide for Managed Detection and Response Services, Gartner estimated that 50% of organizations will use MDR services by 2025.

This type of growth raises some questions: what about MDRs is appealing to clients, and what can MSSPs do to not lose market share?

The Challenge Posed by MDR

MDR emerged out of the ascension of endpoint detection and response (EDR) tools. As EDR tools became more and more powerful, security vendors started to expand those offerings into extended detection and response (XDR). XDR is, generally speaking, a solution built around a single vendor’s tools that combines EDR, network detection and response (NDR), numerous telemetry sources, and some incident response functionality, among other elements.

EDR and XDR are challenging for security teams to manage internally, especially in any organization below enterprise scale. So, EDR and XDR vendors began offering managed services along with their software, and the money started flowing in. This is why MSSPs are in a challenging situation. If an MSSP’s client buys a major EDR tool, you can be sure that vendor’s sales reps are pushing hard to sell them services that could displace the MSSP.

MSSPs need the technology to keep pace, but building their own solutions like many MDRs do isn’t feasible. The solution is security orchestration, automation, and response (SOAR), which allows MSSPs to bypass expensive development work and add MDR functionality. In fact, the services MSSPs can provide using SOAR have several advantages over the MDR/XDR approach, giving MSSPs an opportunity to beat MDRs at their own game.

How SOAR Enables MSSPs to Perform Better Detection and Analysis

MDRs that come out of an EDR or XDR background are a step ahead because they already have some or all of the software they need to drive detection for clients. SOAR helps MSSPs close this gap. With SOAR, MSSPs can apply their managed service expertise through a solution that can plug into any stack. Instead of building a one-size-fits-all solution to sell to clients, they can integrate the client’s tools through the SOAR platform. This eliminates the need to rip and replace clients’ tools or lock them in with one specific vendor.

For MSSPs with limited resources, effectively filtering alerts is a must-have in order to support detection at the level of an MDR. With next-generation SOAR, MSSPs can turn a flood of low-fidelity alerts into a qualified queue of high-fidelity alerts. The smaller number of high-context alerts means that MSSPs have the information, and the time, to properly investigate important alerts.

Here’s how it works. MSSPs use SOAR as a multi-tenant solution that plugs into each client’s security stack, as well as any third-party threat intelligence sources, and even the client’s configuration management database (CMDB). The SOAR tool becomes the single queue for alerts from all of the client’s detection tools. With the SOAR tool’s integrations, an incoming alert can be rapidly correlated and enriched.

For example, an alert from an EDR tool could be ingested into the SOAR tool, where the elements would be parsed and correlated against data from the NDR, email server, threat intelligence, and other tools and data sources. That information might reveal more about the event, so the SOAR might query the EDR tool for more information, and so on, expanding the understanding of the event with each correlation.

Then, the alert is enriched with additional threat intelligence, such as reputation scores for any IOCs, and information from the client’s CMDB. The result of this process is that lots of alerts can be quickly dismissed as false positives, leaving a small number of high-fidelity alerts that each contain the entire picture of an incident.
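The correlation-and-enrichment flow described above, as an added example that is not D3 Security's code: a minimal triage pipeline that takes EDR alerts, correlates them with NDR flow records, enriches them with threat-intel reputation scores and CMDB asset criticality, and keeps only the high-fidelity incidents. All feeds, hostnames, IPs, hashes, score weights and the threshold are constructed assumptions.

```python
# Added example (not D3 Security's code): a minimal model of the SOAR triage
# pipeline described above. Constructed sample data stands in for the EDR,
# NDR, threat-intel and CMDB integrations; names and weights are assumptions.
from dataclasses import dataclass, field

# Constructed sample feeds (hypothetical hosts, IPs and hashes).
EDR_ALERTS = [
    {"id": "edr-1", "host": "ws-042", "hash": "aaaa", "dest_ip": "203.0.113.9"},
    {"id": "edr-2", "host": "ws-017", "hash": "bbbb", "dest_ip": "198.51.100.7"},
    {"id": "edr-3", "host": "db-01", "hash": "cccc", "dest_ip": "203.0.113.9"},
]
NDR_FLOWS = [  # outbound connections observed by the NDR sensor
    {"host": "ws-042", "dest_ip": "203.0.113.9", "bytes_out": 52_000_000},
    {"host": "db-01", "dest_ip": "203.0.113.9", "bytes_out": 900},
]
THREAT_INTEL = {"203.0.113.9": 85, "aaaa": 90}  # reputation 0..100, higher is worse
CMDB = {"ws-042": {"criticality": "low"}, "ws-017": {"criticality": "low"},
        "db-01": {"criticality": "high"}}

@dataclass
class Incident:
    alert_id: str
    score: int = 0
    evidence: list = field(default_factory=list)

def triage(alert):
    """Correlate one EDR alert with NDR, threat intel and CMDB; return a scored Incident."""
    inc = Incident(alert["id"])
    # Correlation: did the NDR see the same host talk to the same destination?
    for flow in NDR_FLOWS:
        if flow["host"] == alert["host"] and flow["dest_ip"] == alert["dest_ip"]:
            inc.score += 30
            inc.evidence.append(f"NDR flow to {flow['dest_ip']} ({flow['bytes_out']} bytes out)")
            if flow["bytes_out"] > 10_000_000:  # assumed large-transfer threshold
                inc.score += 20
                inc.evidence.append("large outbound transfer")
    # Enrichment: reputation score for every IOC carried by the alert.
    for ioc in (alert["hash"], alert["dest_ip"]):
        rep = THREAT_INTEL.get(ioc, 0)
        if rep >= 70:
            inc.score += 25
            inc.evidence.append(f"{ioc} reputation {rep}")
    # Enrichment: asset criticality from the client's CMDB.
    if CMDB.get(alert["host"], {}).get("criticality") == "high":
        inc.score += 20
        inc.evidence.append("high-criticality asset")
    return inc

def build_queue(alerts, threshold=50):
    """Keep only high-fidelity incidents; anything below the threshold is dismissed."""
    return [inc for inc in map(triage, alerts) if inc.score >= threshold]
```

With the constructed data, edr-2 has no corroborating flow or reputation hit and is dismissed, while edr-1 and edr-3 reach the queue with their evidence list attached.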

How SOAR Unlocks Response Capabilities for MSSPs

Of course, detection is just one part of what MDRs offer. To beat MDRs at their own game, MSSPs need to be able to respond to—not just detect and analyze—alerts. SOAR provides the functionality for this as well, enabling efficient incident response that doesn’t require a huge workforce.

The high-fidelity incidents that result from the detection and analysis process described in the previous section allow MSSPs to focus their resources on thorough investigation of genuine incidents. SOAR platforms come with out-of-the-box playbooks for common incident types and playbook editors for fully customized workflows. Using any fully multi-tenant SOAR tool, MSSPs can deploy these playbooks at scale across their client base, and simply make adjustments as needed, such as swapping out one tool for another. MSSPs can eliminate duplicated work and improve their efficiency through building a core offering of playbooks for their most important incident types.

Because vendor-agnostic SOAR tools will integrate with hundreds of other tools and systems, MSSPs can automate and orchestrate the majority of response workflows for their clients. Based on high-fidelity incident correlation and enrichment, the MSSP analyst can trigger automated remediation for the threat, or even run automated threat hunting to find further traces of attacks.

The best SOAR tools support full-lifecycle incident response playbooks, so MSSPs can ‘close the loop’ on complex incidents. MDRs with offerings based on EDR and XDR will generally only support simple orchestrated actions or resource-intensive manual processes, not sophisticated automated sequences.

The Opportunity for MSSPs

MSSPs are faced with a choice: keep providing the same services, and risk seeing their client base shrink, or take steps to evolve. Armed with SOAR, MSSPs have the opportunity to present clients with an alternative to the EDR/XDR-based services that major MDRs are promoting. Using SOAR to upgrade your services has several advantages, including:

  • No vendor lock-in. Adding a vendor-centric solution like XDR isn’t the answer for MSSPs. That will limit you to the clients who use that vendor’s tools. With SOAR, your clients can use whatever tools they want.
  • End-to-end, fully configurable playbooks. Not just simple automated actions.
  • Go beyond EDR and NDR. With SOAR integrations, you can ingest data from, and orchestrate actions across, cloud systems, SIEM, email servers, and more.
  • Efficient use of limited resources. With automation, adding new services isn’t an impossible task for MSSPs. You don’t need to add more staff or learn several new tools. SOAR provides a single interface from which to orchestrate detection and response.

The Next Generation of MSSPs Needs NextGen SOAR

D3 supports MSSPs in every corner of the globe and enables high-value, highly differentiated MDR services with our next-generation SOAR platform. D3 Security’s SOAR platform supports full multi-tenancy, so you can keep client sites, data, and playbooks completely segregated. Importantly, we’re vendor-neutral, so no matter what tools your clients use, our 500+ integrations will meet their needs. And finally, innovations like our Event Pipeline—which reduces alert volume by 90% or more—provide massive value to MSSPs that monitor a lot of alerts for clients.

Blog courtesy of D3 Security. Read more D3 Security guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.