Is an MDR Solution or an MSSP Partnership Better for Your Organization?
In this blog post, we analyze the differences between a Managed Detection and Response (MDR) solution and a Managed Security Services Provider (MSSP) partnership, and how organizations can differentiate between the two and choose one, or both, to improve their security defenses. Let’s start with a clear definition of each because, as you know, many cybersecurity tools and solutions overlap and often have muddled or vague definitions.
It is critical to make clear that an MSSP is an organization that offers a variety of services, including Pen Testing, Vulnerability Management, Security Posture Assessments, and many, many more. What we are really talking about here is only the SOC elements that an MSSP delivers, and only how the outsourced SOC handles threats in comparison to an MDR solution.
What is Managed Detection & Response?
Let’s start with a brief definition of MDR: managed detection and response (MDR) is a cybersecurity service that combines technology and human expertise to perform threat hunting, monitoring, and response. The main benefit of MDR is that it helps rapidly identify and limit the impact of threats without the need for additional staffing. We’ll dig into the “additional staffing” piece in just a minute, as that is a critical difference between MDR and MSSP solutions.
MDR is intended to detect intrusions, malware, and malicious activity in your network and assists in rapid response to eliminate and mitigate those threats. Quality MDR services have a very light footprint on your network and use a combination of human analysts and technology to eliminate false positives, identify real security threats, and develop incident responses in real-time.
MDR remotely monitors, detects, and responds to threats detected within your organization. An endpoint detection and response (EDR) tool typically provides the necessary visibility into security events on the endpoint.
Relevant threat intelligence, advanced analytics, and forensic data are passed to human analysts, who perform triage on alerts and determine the appropriate response to reduce the impact and risk of positive incidents. Finally, through a combination of human and machine capabilities, the threat is removed, and the affected endpoint is restored to its pre-infected state.
While the average time across industries to detect a compromised asset is close to 198 days, MDR typically reduces that to hours and therefore minimizes the impact of a security event. Some MDR providers also offer remediation solutions, to manage all aspects of incident response when a security incident occurs.
What are Managed Security Services?
A Managed Security Services Provider (MSSP) who delivers Managed Security Services (MSS) – you can’t believe how many folks outside the industry are confused by the two acronyms – provides outsourced monitoring and management of security devices and systems. Gartner suggests, “common services include managed firewall, intrusion detection, virtual private network, vulnerability scanning and anti-viral services. MSSPs use high-availability security operation centers (either from their own facilities or from other data center providers) to provide 24/7 services designed to reduce the number of operational security personnel an enterprise needs to hire, train and retain to maintain an acceptable security posture.”
Here at SecureOps, we do lots, lots more than what Gartner describes above as the primary functions of an MSSP. I took the liberty of providing previous blog posts on the benefits of an MSSP and how you can empower your SOC employees with the people, processes, and technology of an MSSP.
- The 5 Benefits of an MSSP
- The REAL Benefits of an MSSP
- How to Improve Your SOCs Effectiveness – Part 1
- How to Improve Your SOCs Effectiveness – Part 2
The Benefits of a Managed Detection & Response Solution
To pick up where we left off in the introduction, MDR services provide an alternative to enterprises chasing the latest in advanced security products by integrating Endpoint Detection and Response or EDR tools that become a challenge for security operations teams to learn and maintain. As a result, an enterprise’s level of threat monitoring, detection, and analysis is improved without the challenge and expense required to keep an internal security team fully staffed and up to date with the latest threat data.
Managed detection and response (MDR) solutions identify active threats and quickly respond to either eliminate, investigate, or contain them. These solutions use a combination of technology and human expertise to monitor your environment, catch emerging and active threats and respond accordingly.
MDR significantly reduces the time it takes for companies to detect compromised assets. To put this in perspective, a recent Ponemon study found that while most companies take up to 206 days to identify a security breach, MDR solutions can do it in mere hours.
The clearest need for MDR is among organizations that have a regulatory requirement to provide effective detection and response (healthcare, financial services, etc.), yet have no fully-staffed Security Operations Center (SOC). These organizations frequently struggle to recruit and retain in-demand IT security professionals. At the same time, these are the organizations with the high-value targets for cybercriminals, making effective, auditable responses that much more critical.
What is Endpoint Detection & Response?
EDR is a type of MDR-lite that focuses on endpoints or hosts. Unlike CI Security’s Managed Detection and Response, endpoint detection and response (EDR) services typically utilize a software agent installed on endpoints that sends information to a centralized database for analysis. In general, this “analysis” is limited to matching a signature of a pattern that indicates a security event is in progress; however, some use statistical baselining and even artificial intelligence to make that determination.
What are the Benefits of a Managed Security Services Provider?
MSSP is the predecessor to MDR – well, sort of. Managed security service providers (MSSPs) monitor network security events and send alerts when anomalies are identified. One MDR vendor suggests, “MSSPs do not investigate the anomalies to eliminate false positives, nor do they actively respond to security threats. Some MSSPs also provide a variety of other network services such as virus protection and firewall management.” To be clear, MSSPs do investigate events, incidents, and breaches – that is their primary value to many organizations. MDR solutions are technology-based and provide more automation, information, and response tools to deal with threats; frankly, MDR can be compared to EDRs or SIEM, or Firewalls more appropriately than to MSSPs, but we’ll go on.
MSSPs are best suited for organizations that do not have sensitive data (payment records, health records, intellectual property, etc.) and want the basics of their detective controls handled by a third party. MSSPs can help focus investigation efforts but leave it up to you to perform the actual investigations, eliminate false positives, and prepare incident responses.
Managed security service providers (MSSPs) monitor security networks and send alerts when an anomaly is detected.
As we said, considering that MDR is often considered a subset of MSSP, you may be wondering how this comparison between the two levels out. While one may be the parent solution, and not necessarily on the same playing field as MDR, the two are brought head-to-head in the industry when comparing security solutions.
In actuality, either one can be effective — the choice depends on the organization and the needs to be met. MSSPs are widespread and offer a bird’s eye view of your security posture. MDR, on the other hand, goes deeper, leveraging the human expertise required to best detect and analyze any threats and respond to vulnerabilities.
Although MSSPs will encompass MDR work, MSSPs alone do not work to eliminate threats — this solution is much more focused on prevention, with the response element left up to the customer. In fact, it’s common for MSSPs to acquire other services to take on that missing, but critical, response element.
Comparing MDR & MSSP – How are they Different?
While MDR and MSSP can both be beneficial, there are a few key differences in their functionality that should influence your decision. To start, it’s important that you understand the concept of Left of Boom (LoB) and Right of Boom (RoB). Boom indicates a successful attack on your systems; LoB speaks to the time prior to the breach, or the prevention period; RoB speaks to the period post-breach or the response period.
Keeping that in mind, let’s jump into the key differences between MDR and MSSP:
- MSSPs focus on prevention. MSSP solutions often include firewalls, web gateways, intrusion prevention systems, and a host of other antivirus tools that keep threats out of your network. This is LoB territory, where MSSPs place focus and help to manage your prevention tools.
- MDR is driven by intelligence from data AND humans. With a team of cybersecurity professionals at the ready in 24/7 global security operations centers (SOCs), MDR services focus on both detection and response (addressing both sides of boom) and have the ability to actively monitor your network and act when needed. MSSPs rely more on automation to monitor networks and often exclude the response element of cybersecurity — you would only be notified that the threat exists.
- MDR works around the clock. Most MDR solutions function in a 24/7 capacity thanks to a well-staffed Security Operations Center (SOC). This way, you can be alerted to new threats and respond to them almost instantaneously. MSSPs usually have much more limited monitoring capabilities.
- MDR offers more forensics tools. MSSPs have a basic level of security forensics, adequate for small and mid-sized companies, but MDR often includes forensic tools that can reveal problems hiding in the darkest corners of your network.
- MSSPs are cheaper. Since MSSPs offer fewer services than most MDR solutions, they will usually come with a smaller price tag.
When to Choose Managed Detection & Response?
MDR offers advanced monitoring and threat resolution. This solution is best suited for you if:
- Your company has a regulatory requirement to uphold a high level of security
- You want to upgrade your current outsourced cybersecurity tools to include 24/7 monitoring and intelligent response, but you are resource-constrained
MDR companies are dedicated to researching, analyzing, and detecting threats to be able to address them quickly and efficiently. Although an MDR company offers fewer broad services than an MSSP, it is more heavily focused on keeping everything current and working as it should. MDR has been tried and tested as one of the most effective solutions within the umbrella of MSSP.
When to Choose a Managed Security Service Provider?
While MSSPs may not offer services as extensive as MDR, you should still consider this solution if:
- You lack a cybersecurity monitoring system
- You lack a patching program
- You have the skillset within your company to manage the tools that you have purchased
MSSPs contain a wide range of services that touch a lot of aspects of cybersecurity but only at a high level. For instance, they may focus on one set of activities or things, such as web content filtering, patching systems, managing firewall settings, etc. However, these things do not require deep security expertise, nor do they deliver on detection and response. MSSPs seem to find the most success when they can utilize and integrate 3rd party tools for security management and response.
The benchmark Global Corporate IT Security Risks Survey found that approximately 70% of organizations plan to outsource security to an MSSP or an MSP during the next 12 months. The report is the fourth in a series on IT security economics from security provider Kaspersky. Nearly 75% of those companies turning to MSSPs or MSPs said that outsourcing would likely reduce their security-related costs. In addition, 22 percent of small-to-medium-sized businesses and 26 percent of large organizations pointed to outsourcing as a top reason for reducing their IT security budgets.
These MSSPs, however, focus primarily on remote device management (configuring firewalls, intrusion detection and prevention systems, etc.) and spend less time on continuous threat detection and response. This means that by outsourcing the remote device management to third-party providers, organizations are obstructed from monitoring their own security posture and lose understanding of how best to respond to threats.
Managed detection and response (MDR) services arose to solve this problem. To some extent, MDRs supply a cost-effective managed security operation center (SOC) to the midmarket. Theoretically, MDR providers depart from the traditional MSSP model by providing a greater focus on threat detection and response, though MSSPs like SecureOps would disagree, as we focus on threat detection and response aggressively. MDR solutions recommend actionable responses to customers whenever remediation/mitigation actions need to be taken.
According to Gartner, fewer than 1% of organizations outsourced security services to MDR providers in 2017. Today, nearly 15% of organizations are using MDR services, and 80% of worldwide MSSPs will offer MDR-type services.