What is MDR?
Managed Detection & Response is a proactive service. With MDR, the analyst is actively looking for evidence of compromise. Analysts spend time collecting threat intelligence from various sources. They identify key indicators of compromise and use their tools to respond to identified threats.
MDR is also often called Managed Threat Hunting. Threat hunting is the process of proactively, and iteratively, searching networks to detect and isolate advanced threats that evade existing security solutions.
Typically, threat hunting uses already existing tools such as log management solutions (SIEMs), endpoint protection, and network monitoring.
What is a SIEM managed security service?
Managed SIEM is a reactive service. With a SIEM, you wait for correlation rules to trigger before you can initiate the response process. Analysts will then spend their time investigating those alerts.
Because a SIEM is machine-driven, it allows us to potentially discover more items that match a specific, known heuristic. These items are typically less sophisticated, and the attacks are easier to detect.
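To make the contrast between the two services concrete, here is an added example (not code from the original article or from RedLegg): a reactive SIEM-style correlation rule that fires on a known heuristic (repeated failed logons followed by a success), beside a hunting-style query that builds a baseline and surfaces what the rule never looks for. The event records, thresholds and window are constructed for the example.

```python
from collections import defaultdict

# Constructed sample auth events: (timestamp_seconds, user, source_ip, outcome).
# Rows 1-6 are a textbook brute force; the last row is a single quiet logon
# from a source never seen before, which no rule below is written to catch.
EVENTS = [
    (0,   "alice", "10.0.0.5",    "fail"),
    (10,  "alice", "10.0.0.5",    "fail"),
    (20,  "alice", "10.0.0.5",    "fail"),
    (30,  "alice", "10.0.0.5",    "fail"),
    (40,  "alice", "10.0.0.5",    "fail"),
    (50,  "alice", "10.0.0.5",    "success"),
    (100, "bob",   "10.0.0.9",    "success"),
    (200, "bob",   "10.0.0.9",    "success"),
    (300, "bob",   "203.0.113.7", "success"),
]

def siem_correlation_rule(events, threshold=5, window=60):
    """Reactive, SIEM-style rule: alert when one (user, source) pair produces at
    least `threshold` failures inside `window` seconds and then a success.
    The analyst only acts after this returns something."""
    alerts = []
    recent_failures = defaultdict(list)
    for ts, user, src, outcome in events:
        key = (user, src)
        if outcome == "fail":
            recent_failures[key].append(ts)
            # keep only failures still inside the sliding window
            recent_failures[key] = [t for t in recent_failures[key] if ts - t <= window]
        elif outcome == "success" and len(recent_failures[key]) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "user": user, "src": src, "ts": ts})
            recent_failures[key].clear()
    return alerts

def hunt_new_source_logons(events, baseline_cutoff):
    """Proactive, hunting-style query: learn which (user, source) pairs were
    normal before `baseline_cutoff`, then list successful logons after it from
    pairs absent from that baseline. Nothing fires; the analyst reviews the set."""
    baseline = {(u, s) for ts, u, s, o in events if ts < baseline_cutoff and o == "success"}
    return [
        {"hunt": "new_source_logon", "user": u, "src": s, "ts": ts}
        for ts, u, s, o in events
        if ts >= baseline_cutoff and o == "success" and (u, s) not in baseline
    ]
```

The rule catches the noisy brute force and misses the quiet new-source logon; the hunt does the reverse, which is the overlap-without-replacement relationship described in this article.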
MDR SHOULD NOT REPLACE SIEM
Rather, like Threat Intelligence, MDR works symbiotically with managed SIEM. There is no advantage in choosing one over the other.
While overlap exists between MDR and managed SIEM, both security services provide different functionalities. While some vendors advocate ditching SIEM for MDR, an organization’s security model would be poorly served doing so.
Instead, using both services could offer the best level of protection. If an organization lacks the budget for both, our recommendation is to start with a SIEM.
The SIEM identifies the attacks that organizations will be seeing most regularly.
Some MDR vendors utilize a black box SIEM to help conduct their managed service; however, depending on the service, that may not give you the ability to run your own reports, validate that the service provider is doing the job properly, or even access the SIEM itself. Choosing an MDR service that ignores the holistic nature of security loses valuable insight that a properly managed SIEM would normally provide.
We depend on higher-level intelligence to discover patterns that the SIEM may not recognize. While we won’t get as many results using MDR as we would with a SIEM, the information discovered will generally be of a more dangerous and sophisticated attack type.
RedLegg’s SIEM service overlaps with the services of some MDR-specific vendors. RedLegg utilizes industry-leading SIEMs that automate many of the MDR services, such as incident containment on discovered events.
While we feel that both services provide value, we recommend using a SIEM before using an MDR service, unless both can be implemented simultaneously.
SIEM will discover more of the issues that commonly plague organizations and will offer you the best return on investment. Once a managed SIEM is properly running, you can look to implement MDR or augment your managed SIEM service with Endpoint Detection and Response capabilities, Threat Intelligence, and Incident Response.