The constant threat of data breach has organizations scrutinizing their ability to protect the business from the next big attack. But technology alone won’t reduce your mean time to detect and respond. According to Craig Robinson, Program Director within IDC’s Security Services research practice and author of the latest IDC MarketScape study in U.S. Managed Detection and Response (MDR) Services, “there is going to be more and more of a need for MDR Services in the future.” On the heels of the IDC MarketScape publication, I sat down with Craig to discover what customers and vendors are seeing as the real power behind MDR.
Mandiant: Based on both your discussions with customers and outlook on the marketplace, what do you see as the most important aspects of MDR?
Craig Robinson: When you are talking about MDR, you are talking about two things: technology and a service. In our viewpoint, MDR without the human aspects is essentially XDR. When you layer on that human aspect of human-led threat hunting and the experience of interacting with security analysts on a regular basis, that is when you realize how important that human experience is and how important it is to work with a provider that understands your technology and business. You realize you need a provider that you can put your trust in.
Mandiant: What did customers say during your research that surprised you?
Craig Robinson: I was surprised at how many security leaders still want that 2 a.m. phone call. They want to be alerted. Technology and MDR services capabilities have evolved to allow security leaders to work out the containment strategies and use cases with their MDR providers and then let their provider do its job.
Mandiant: Are you finding that after years of purchasing best-of-breed technologies, that organizations are looking for MDR providers who can support their existing technology stack?
Craig Robinson: There is still the adage that says complexity is the enemy of security. Even beyond MDR, the trend has been to have deeper, stronger relationships rather than a breadth of tools. The more tools you utilize to do your security functions, the more tools will need to be updated which means more training for your staff, and more vendor relationships. It grows exponentially.
Additionally, in pre-pandemic times, rip and replace was more readily undertaken. Never enjoyed, but done. We are just coming out of the COVID-19 pandemic, and, while we are blessed to generally see rising budgets, it gets expensive to have to say, “I’ve got to replace my EDR platform because the MDR provider does not support this technology.” CFOs are not very happy when they find out you have to get rid of licenses prior to expiration because you didn’t make the right decision before, or maybe you just didn’t have the full information. So, rip and replace is not as easily done now as it was in 2019.
Mandiant: What capabilities are the difference makers that set one vendor apart from any other?
Craig Robinson: Threat hunting is a differentiator. Threat hunting means different things to different people. The traditional approach to threat hunting has always been a reactive approach. Now, we are seeing proactive threat hunting that is the human analyst-led approach in which you formulate a hypothesis from intel feeds to look for areas of attack that may have been missed because we now have different information, or threat intelligence, and we can look in our client environments and do a hunt based upon that.
I would make the argument that the companies with a global presence are able to provide a more capable SOC team. I imagine most people providing security protection and response are usually better at it if they are working the day shift. Therefore, those providers that offer 24/7/365 support in a follow-the-sun model are likely to have an advantage over those providers that do not.
Mandiant: What did you find most interesting and forward thinking among the use cases that vendors are offering, or customers are requesting?
Craig Robinson: The various telemetry being ingested has really expanded visibility. If you want to label MDR from several years ago, it was more like EDR Plus than a full detection and response. Now, we are seeing use cases that ingest telemetry from the cloud, the edge, and IoT/OT. This is a good thing to see in terms of expanded use cases.
Mandiant: We’ve talked a lot about the technology MDR service providers use to ingest alerts and telemetry, but what is the state of response?
Craig Robinson: I think that we don’t do a good enough job as an industry to build up trust quickly. Several vendors don’t provide full response capabilities. Still, some firms are more likely to throw the ticket over the fence offering advice rather than doing the actual remediation that needs to occur. MDR Services providers need to provide this capability.
Mandiant: Providing remediation and response previously set MDR vendors apart from Managed Security Service Providers (MSSP). Are we seeing a lot of confusion between MSSPs and MDRs among customers?
Craig Robinson: As we prepared this study, we defined MDR as MSSP 3.0 with full featured capabilities of detection and response. Traditional MSSPs were not as clean. Today, machine learning is in place enabling better alert triage, which is becoming more and more important to MDR.
Mandiant: What are some of the concerns customers voiced with the state of MDR services?
Craig Robinson: Cost is always a concern; however, this year it wasn’t the biggest concern. This goes back to prior research. There does not appear to be a lot of lateral movement. You are probably still seeing more customers coming on board that have not used MDR before than those coming from another MDR provider. It doesn’t mean it doesn’t happen.
Going back to our IDC Infobrief, sponsored by FireEye, The Voice of the Analyst: Improving Security Operations Center Processes Through Advanced Technologies, from January of 2021, the number of false positives is always a concern. Alert fatigue among analysts is a huge unwritten story. When you start looking at reasons why analysts leave firms, this is up there. Analysts like to put on their Superman capes, rescue the world, and stop bad guys. Their frustration rises when they are stopping someone who just happened to run PowerShell because they opened a spreadsheet that had a macro in it.
Mandiant: What does the future of MDR Services look like?
Craig Robinson: I think there is going to be more and more of a need for MDR. Here’s what MDR does: it provides the blocking and tackling for a full threat detection and response capability. This allows firms to focus that scarce resource, the security analyst, to be able to work with the business on strategic initiatives like regulatory compliance or pay more attention to areas like DevSecOps.
What does the next iteration of MDR look like? The automation piece still has a way to go. I think we need tighter integration between the providers and customers to get more granular on containment and response actions. I think there is going to be a tighter integration with IR retainers that are often provided with MDR. Finally, I think threat hunting still has some potential to improve mean-time-to-detect (MTTD). We are still measuring MTTD in months. The momentum is there to get this down. Certainly, the technology is there, but it must be applied.
A special thanks to Craig Robinson for his time discussing the state of MDR. FireEye was recognized as a Leader among U.S. MDR providers in the IDC MarketScape study. A key criterion of the IDC MarketScape analysis is how customers view a vendor’s managed detection and response capabilities. Managed Defense customers commented positively that “24x7 support is ‘beyond expectations’,” and further recognized our:
- Integration of threat intelligence,
- Ease of implementation,
- Proactive threat hunting, and
- Dedicated threat consultants.
View the interactive excerpt to read IDC MarketScape’s overall assessment of the U.S. MDR Services market and its detailed FireEye profile.