MDR, also known as Managed Detection and Response, can be thought of as managed threat hunting. Threat hunting is the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions. Typically, threat hunting uses tools that are already in place, such as log management solutions (SIEMs), endpoint protection, and network monitoring.
There are publications out there comparing MDR vs. MSS, which is confusing, since MDR is itself a managed service. MSS is the general category, with MDR a subset of it, much like managed SIEM is a subset of MSS. The more useful comparison is MDR vs. Managed SIEM.
MDR should NOT be used in place of SIEM
The most important takeaway is that MDR should NOT be used in place of SIEM. Rather, like Threat Intelligence, MDR works symbiotically with SIEM. There is no advantage in choosing one over the other. Observe the following:
Managed SIEM is a reactive service. With a SIEM, you must wait for correlation rules to trigger before you can initiate the response process. An analyst will then spend their time investigating those alerts. A good metaphor for Managed SIEM is fishing using a net. We throw our net into the ocean to see what gets caught up. Since it is machine driven, the SIEM will allow us to potentially discover more items, especially less sophisticated/easier to detect attacks that match a specific, known heuristic.
MDR is a proactive service. With MDR, the analyst is actively looking for evidence of compromise. They spend their time taking in threat intelligence from various sources, identifying key indicators of compromise, and using their tools to respond to identified threats. A good metaphor for MDR is spearfishing. We identify a specific fish we wish to catch and target it. We depend on higher-level intelligence to discover patterns that the SIEM may not recognize. While we won’t get as many results as a SIEM, the information discovered will generally concern a more dangerous and sophisticated attack type.
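To make the "net vs. spear" contrast concrete, here is an added example (not code from the original article or from RedLegg) that runs both styles of detection over the same constructed authentication log. The SIEM side is a fixed correlation rule (several failed logins followed by a success from one source inside a short window, a known heuristic); the hunting side is an analyst-supplied list of indicator source addresses taken from threat intelligence. The log lines, the field format, the threshold and the indicator list are all assumptions made up for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# Source 203.0.113.10 is a noisy brute force that a correlation rule will catch;
# source 192.0.2.44 logs in quietly and is only found because threat intel lists it.
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth src=203.0.113.10 user=alice result=FAIL
2024-03-01T09:00:05 auth src=203.0.113.10 user=alice result=FAIL
2024-03-01T09:00:09 auth src=203.0.113.10 user=alice result=FAIL
2024-03-01T09:00:12 auth src=203.0.113.10 user=alice result=SUCCESS
2024-03-01T09:15:00 auth src=198.51.100.7 user=bob result=SUCCESS
2024-03-01T10:02:00 auth src=192.0.2.44 user=carol result=FAIL
2024-03-01T11:30:00 auth src=192.0.2.44 user=carol result=SUCCESS
"""

# Assumed line format: "<iso-timestamp> auth src=<ip> user=<name> result=<FAIL|SUCCESS>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Turn raw log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def siem_correlate(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Reactive, rule-driven detection (the 'net').

    Fires when a source produces at least `fail_threshold` FAIL events and then a
    SUCCESS within `window`. Anything that does not match this heuristic is silent.
    """
    alerts = []
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["result"] != "SUCCESS":
                continue
            recent_fails = [
                f for f in evs[:i]
                if f["result"] == "FAIL" and e["ts"] - f["ts"] <= window
            ]
            if len(recent_fails) >= fail_threshold:
                alerts.append({
                    "rule": "brute_force_then_success",
                    "src": src,
                    "user": e["user"],
                    "ts": e["ts"],
                    "failures": len(recent_fails),
                })
    return alerts


def hunt_iocs(events, ioc_sources):
    """Proactive, intelligence-driven hunt (the 'spear').

    The analyst brings a set of indicator source addresses from threat intel and
    asks whether any event touched them, regardless of what the rules would say.
    """
    hits = []
    for e in events:
        if e["src"] in ioc_sources:
            hits.append({
                "indicator": e["src"],
                "user": e["user"],
                "ts": e["ts"],
                "result": e["result"],
            })
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    # Constructed indicator list; in practice this comes from threat intelligence feeds.
    known_bad_sources = {"192.0.2.44"}
    for a in siem_correlate(evts):
        print("SIEM alert:", a)
    for h in hunt_iocs(evts, known_bad_sources):
        print("Hunt hit:  ", h)
```

Run as written, the correlation rule raises one alert for the brute force against alice and stays quiet about carol, while the hunt surfaces both of carol's events from the listed source and knows nothing about alice. Each method finds what the other misses, which is the reason the article argues for running both rather than swapping one for the other.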
Nuts and Bolts
While some overlap exists between MDR and managed SIEM, both services provide different functionalities. While some vendors advocate ditching SIEM for MDR, an organization’s security model would be poorly served doing this. Instead, using both services would offer the best level of protection. If a client lacks the budget for both, our recommendation would always be the managed SIEM. It identifies the attacks that most organizations will be seeing regularly.
Based on our research, some MDR vendors actually utilize a black box SIEM to help conduct their service. However, depending on the service, we may not be able to run our own reports, validate the provider is doing the job properly, or even have access to the SIEM itself. By going with an MDR service that ignores the holistic nature of security, we lose valuable insight provided with a proper SIEM.
RedLegg’s Managed SIEM offering has a good amount of overlap with the services provided by some vendors that specialize only in MDR. RedLegg’s Managed SIEM offering utilizes industry-leading SIEMs that automate many of the MDR services, such as incident containment on discovered events.
While we feel that both services provide value, we would recommend using a managed SIEM before the MDR service (unless both can be implemented simultaneously). Our opinion is that the managed SIEM will discover more of the issues that commonly plague organizations and offer the best ROI for the client. Once a managed SIEM is properly running, a client can look to implement MDR or, better yet, augment their RedLegg-provided managed SIEM service with Endpoint Detection and Response capabilities, Threat Intelligence, and Incident Response.