The less time an attacker spends in an environment, the less damage that attacker does, a recent Forrester Now Tech report asserts, in obvious fashion. Any business hit with a cyber attack and any managed security services provider (MSSP) tending to the victim is well aware of that.
There are, however, increasingly important modifications to the equation emerging, which is Forrester’s ultimate point: It’s managed detection and response (MDR) services that “give security teams the ability to find, investigate, and remove attackers from the environment long before traditional security tools' alarm bells ring,” the analyst said. The report is aimed specifically at security and risk professionals.
Owing to the changing cyber threat landscape and an incessant shortage of skilled security professionals, businesses accustomed to working with traditional MSSPs steeped in responding to security alerts will need to adjust their thinking a bit to embrace MDR services. Forrester calls it a “philosophical change,” meaning that technically speaking, MDR capabilities are another form of managed service but they’re more specialized than MSSP offerings.
Since last year, the MDR market has boomed and with good reason, the researcher said. It’s a more proactive, automated approach to security, one that a growing number of MSSPs are embracing. Forrester defines MDR as the “application of advanced analytical techniques, proactive threat hunting, and automated response based on escalation workflows predefined by a managed security services provider.” The quality of an MDR service depends on its endpoint detection and response (EDR) software, its network analysis and visibility (NAV) tools, and its analysis of security log data.
“The combination of hunting, attributing, and removing an attacker changes the dynamics of security operations for the organization,” Forrester said. “Finding the right people, tools, and time to perform these activities internally is tough, but partnering with an MDR provider renders those concerns moot.”
While businesses can use MDR services to be certain their organizations aren’t already compromised, to turn internal investigations over to MSSPs and for incident response, selecting a vendor is quite another matter. Customers have to choose an MDR provider and assess its potential value based on factors such as size, functionality, geography and vertical market focus, Forrester said.
Managed Detection and Response (MDR): Key Capabilities
In the researcher's view, the best providers offer:
- Assurance. MDR teams perform regular, customized hunts to seek out attacker tools, techniques, and procedures, offering security leaders a level of assurance previously unattainable.
- Speed. They can complete investigations in hours or even minutes. Because they already have access to relevant IT assets and data, MDR providers can complete multiple investigations in the time it used to take for incident response consultants to arrive at a client's site.
- Immediacy. Incident response personnel are hard to retain for most companies, because people with IR expertise find it more exciting to work for a services firm that does hundreds of investigations per year rather than an internal team that only does a few. MDR providers offer immediate access to experts without the challenges of finding, hiring, and retaining them.
Additionally, Forrester predicted that as more and more companies enter the MDR ring, consolidation is virtually guaranteed. The larger firms will be the more compelling long-term partners, the researcher said. And, in choosing an MDR-capable partner, security teams will need to evaluate how the provider’s technology stack maps to their own internal expertise in order to set the proper expectations.
In its report, Forrester listed key MDR vendors segmented by revenue, with large firms generating more than $50 million annually in MDR-related sales, mid-size providers with MDR-associated revenue of $10 million to $50 million, and smaller outfits earning less than $10 million from MDR engagements.
In the large-firm category, Forrester lists Accenture, IBM, Secureworks, Symantec and Trustwave as key players. In the mid-size class, the researcher has BAE, Booz Allen Hamilton, CrowdStrike, Expel, Masergy, Optiv and Rackspace. And, in the small space, it lists Arctic Wolf Networks, eSentire, Infosys, Paladion, Rook Security and West Monroe Partners.
All the above vendors were identified by Forrester for their MDR capabilities to one degree or another in full-scale forensics, investigation and response, and endpoint analytics. For example, Accenture’s primary functionality is in investigation and response, as are Symantec's and Trustwave's, while IBM and Secureworks mainly engage in forensics. Mid-sized and smaller MDR providers are similarly classified.
MDR: What to Look For
Forrester has offered up a set of recommendations to help businesses find the right MDR provider to suit their security needs:
- Start by assessing each firm's EDR tool. Many providers use the same endpoint technology, so once you've established an EDR preference, the next step is evaluating each firm's expertise, service-level agreements and cultural fit.
- Choose an incident response pedigree over a managed service background. It's better to have a skilled, experienced team that understands the legal, regulatory, and corporate requirements of incident response matters than one with experience delivering multi-tenant managed services.
- Prioritize providers that own their MDR intellectual property. Firms that build their MDR tool set from the ground up on top of their own endpoint security solutions can evolve the technology to fit the services they provide, so clients don't have to wait while a service provider fights for a spot on a technology partner's product road map.
Expel has made the full report, entitled Now Tech: Managed Detection and Response (MDR) Services, Q2 2018, accessible through its website.