Many publications compare Managed Detection and Response (MDR) to Managed Security Services (MSS), but that framing is misleading.
What is actually being compared is MDR and managed Security Information and Event Management (managed SIEM). MDR is a subset of MSS, just as managed SIEM is.
What is MDR?
MDR is a proactive service. With MDR, the analyst is actively looking for evidence of compromise. Analysts spend time collecting threat intelligence from various sources, identifying key indicators of compromise, and using their tools to respond to identified threats.
MDR is similar to spearfishing: we identify a specific fish we want to catch and target it.
MDR is also often called Managed Threat Hunting. Threat hunting is the process of proactively, and iteratively, searching networks to detect and isolate advanced threats that evade existing security solutions. Typically, threat hunting uses already existing tools such as log management solutions (SIEMs), endpoint protection, and network monitoring.
We depend on higher-level intelligence to discover patterns that the SIEM may not recognize. MDR will surface fewer results than a SIEM, but what it does find is generally a more dangerous and sophisticated type of attack.
What is Managed SIEM?
Managed SIEM is a reactive service. With a SIEM, you wait for correlation rules to trigger before you can initiate the response process. Analysts will then spend their time investigating those alerts.
Managed SIEM is similar to fishing with a net. We throw our net into the ocean to see what we catch.
Because a SIEM is machine driven, it can potentially surface more items that match a specific, known heuristic. These items are typically less sophisticated attacks that are easier to detect.
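To make the contrast concrete, here is an added example (it is not RedLegg's code or tooling, and the log lines are constructed for illustration) that runs both kinds of detection over the same authentication log. The SIEM-style correlation rule fires only when a known heuristic is met: a burst of failed logins for one account from one source followed by a success inside a short window. The hunt query instead asks a question the rule never asks: is one source failing against many different accounts, slowly, each one staying below the rule's threshold? That "low and slow" password spray is exactly the kind of pattern described above that a correlation rule may not recognize but a threat hunter looking for it will. The thresholds and windows are assumptions chosen for the sample data, not values from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the original page).
# Each line: ISO timestamp, username, source IP, result.
# 203.0.113.7 brute-forces alice; 198.51.100.20 sprays one guess per
# account across the day; 192.0.2.5 is an ordinary user typo then success.
SAMPLE_LOG = """\
2024-03-01T09:00:05 alice 203.0.113.7 FAIL
2024-03-01T09:00:09 alice 203.0.113.7 FAIL
2024-03-01T09:00:13 alice 203.0.113.7 FAIL
2024-03-01T09:00:17 alice 203.0.113.7 FAIL
2024-03-01T09:00:21 alice 203.0.113.7 FAIL
2024-03-01T09:00:40 alice 203.0.113.7 SUCCESS
2024-03-01T10:15:00 bob 198.51.100.20 FAIL
2024-03-01T11:45:00 carol 198.51.100.20 FAIL
2024-03-01T13:05:00 dave 198.51.100.20 FAIL
2024-03-01T14:30:00 erin 198.51.100.20 FAIL
2024-03-01T16:10:00 frank 198.51.100.20 FAIL
2024-03-01T17:50:00 grace 198.51.100.20 FAIL
2024-03-01T19:20:00 heidi 198.51.100.20 SUCCESS
2024-03-01T12:00:00 bob 192.0.2.5 FAIL
2024-03-01T12:00:30 bob 192.0.2.5 SUCCESS
"""


def parse_log(text):
    """Parse the constructed log into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def correlation_rule_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """SIEM-style correlation rule (reactive): alert when one (user, source)
    pair has >= threshold failures followed by a success within the window.
    Threshold and window are assumed values for this example."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> failure timestamps
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "FAIL":
            failures[key].append(e["ts"])
        elif e["result"] == "SUCCESS":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_then_success",
                               "user": e["user"], "src": e["src"],
                               "failures": len(recent)})
            failures[key].clear()  # a success resets the counter for that pair
    return alerts


def hunt_password_spray(events, min_users=5, window=timedelta(hours=24)):
    """Hunt query (proactive): one source failing against >= min_users distinct
    accounts within a long window, which never trips the per-account rule.
    Also reports any account that later succeeded from that source."""
    findings = []
    fails_by_src = defaultdict(list)
    success_by_src = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append(e)
        elif e["result"] == "SUCCESS":
            success_by_src[e["src"]].add(e["user"])
    for src, fails in fails_by_src.items():
        # Slide a window over this source's failures (already time-ordered).
        for i, first in enumerate(fails):
            users = {f["user"] for f in fails[i:] if f["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                findings.append({"hunt": "password_spray", "src": src,
                                 "distinct_users": len(users),
                                 "later_success": sorted(success_by_src[src])})
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("SIEM rule alerts:", correlation_rule_brute_force(events))
    print("Hunt findings:   ", hunt_password_spray(events))
```

Run against the sample, the correlation rule raises one alert (alice from 203.0.113.7) and stays silent on 198.51.100.20, because no single account there ever reaches five failures. The hunt flags 198.51.100.20 for touching six accounts in a day and notes that heidi later logged in successfully from it, which is the lead an analyst would then investigate. Neither approach is a replacement for the other: the rule is cheap and fires on every noisy brute force, while the hunt only finds what someone thought to ask for.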
The Best MSS Solution
Let’s be clear: MDR should NOT replace managed SIEM.
Rather, like Threat Intelligence, MDR works symbiotically with managed SIEM. There is no advantage in choosing one over the other.
While overlap exists between MDR and managed SIEM, both security services provide different functionalities. While some vendors advocate ditching managed or co-managed SIEM for MDR, an organization’s security model would be poorly served doing so. Instead, using both services could offer the best level of protection. If a client lacks the budget for both, our recommendation would always be managed or co-managed SIEM. The SIEM identifies the attacks that organizations will be seeing most regularly.
Based on our research, some MDR vendors use a black-box SIEM to deliver their managed service; however, depending on the service, the client may not be able to run its own reports, validate that the provider is doing the job properly, or even access the SIEM at all. By choosing an MDR service that ignores the holistic nature of security, we lose the valuable insight a proper managed SIEM provides.
RedLegg’s Co-Managed SIEM service overlaps with the services of some MDR-specific vendors. RedLegg utilizes industry leading SIEMs that automate many of the MDR services, such as incident containment on discovered events.
While we feel that both services provide value, we recommend using a managed or co-managed SIEM before using the MDR service, unless both can be implemented simultaneously.
In our opinion, managed and co-managed SIEM will discover more issues that commonly plague organizations and will offer the best ROI for the client. Once a managed SIEM is properly running, the client can look to implement MDR or augment their managed SIEM service with Endpoint Detection and Response capabilities, Threat Intelligence, and Incident Response.