FireEye Stories

What to Know When Navigating the Crowded Managed Detection and Response Space

In 2004 Mandiant made a bold claim that "Breaches are inevitable." At the time, security vendors and service providers were convinced that they could block all malicious activity and keep evil out of customers’ networks. But at Mandiant, responding to the most sophisticated attacks meant we had direct visibility into how attackers bypass technology, so we were aware that even the most mature security organizations had trouble keeping adversaries out.

We knew we had to approach security differently, so we operated under the assumption that threat actors were already active in organizations, and we focused on detecting and disrupting them before they were able to complete their mission.

With that in mind, Mandiant developed two solutions to help organizations detect and stop attacks in progress. In 2007 we introduced Mandiant Incident Response (MIR), the first forensics tool and the first offering in a market that’s now known as Endpoint Detection and Response (EDR). Informed by Mandiant expertise, MIR was the most sophisticated way to detect the artifacts of an attack and track attacker activities.

But going up against an experienced adversary isn’t for everyone, so in 2011 we introduced FireEye Managed Defense. This turnkey service combined the expertise of a Mandiant incident responder with the vigilance of ongoing threat hunting.

A lot has changed since 2004. The rest of the industry has come around to the fact that breaches are inevitable, and now there’s a "new" category of security service called Managed Detection and Response (MDR). Gartner formally defined MDR services in 2016, and it predicts that "by 2020, 15% of organizations will be using MDR services, up from less than 5% today."

"Managed detection and response services allow organizations to add 24/7 dedicated threat monitoring, detection and response capabilities via a turnkey approach."

- Gartner, Market Guide for Managed Detection and Response Services, June 2018

Accordingly, the number of providers claiming to offer MDR services has increased dramatically, driven by acquisitions, investments, and managed security service providers moving into the space to compete.

From modest beginnings as Managed Defense in 2011, our MDR service has grown to combine frontline security expertise, the latest FireEye technology, and unparalleled knowledge of attackers to quickly identify threats and reduce the consequences of a breach.

For an organization looking to add MDR services, navigating the space can be a challenge. Not all providers are equal or offer the same depth of services. Organizations need to ensure they pick a provider that helps strengthen their internal security resources and expertise, and one that helps to address detection, response and 24/7 monitoring gaps.

Gartner’s Key Recommendations

Gartner recently released its 2018 Market Guide for Managed Detection and Response Services.

In the report, Gartner highlights some recommendations for IT security and risk management leaders responsible for security monitoring and operations:

  • Use MDR services to add threat detection, lightweight incident response, and 24/7 monitoring capabilities when they don't exist or are immature within an organization. Incident response retainers will still be required when significant support for large incidents and recovery is required.
  • Use MDR services offering a turnkey technology approach so that your organization can focus on the outcomes delivered by a provider.
  • Scrutinize how providers deliver services to ensure the technology stack fits well with existing security technology investments and the entire IT environment, from on-premises to cloud.
  • Embrace threat disruption and containment as an incident response feature of MDR service providers, particularly where you do not have 24/7 operations to respond to threats that require immediate attention.

Also in the report, Gartner states: “Do not assume that all MDR providers are the same.”

This is a good point. On the surface, every MDR service may sound the same, with each provider simply repeating Gartner’s list of critical capabilities or SKU’ing together an MDR bundle. Yet, when digging a little deeper, it should become apparent that true managed detection and response solutions are purpose-built.

FireEye recommends looking into the experience and intelligence of an MDR provider. We believe an effective MDR provider should be:

  • Proactive: They don’t wait for product alerts; rather, they proactively hunt for evidence of attacker activity.
  • Attack Focused: They don’t solely look for malware; instead, they look for malicious attacker behaviors, regardless of motivation.
  • Expert Driven: They leverage frontline expertise from hundreds of thousands of hours of incident response experience per year, and from the most impactful breaches, in order to continually refine hunting and investigation methodologies.
  • Providing Answers, Not Alerts: They provide in-depth investigation reports and response recommendations that enable organizations to quickly assess risk and take action.

To anticipate and respond to today’s increasingly sophisticated and targeted cyber attacks, organizations need to understand attacker motivations, intentions, characteristics, and methods. There is no other MDR provider with more frontline experience or intelligence than FireEye Managed Defense.

Check out our eBook, Buyer’s Guide for Managed Detection and Response Services, and our webinar, Evaluating Managed Detection and Response (MDR) Vendors, for more help navigating the MDR space.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.