Managed Detection and Response Provider Comparison: What is MDR?

January 28, 2022 Mike Smith

What is MDR? Before we compare Managed Detection and Response providers, it’s important to first establish what defines an MDR provider.

In the video below, Mike explains the problems MDR is built to solve, and the different services that MDR providers might offer. With this knowledge, you’ll be much more prepared to compare vendors for your organization.

Want Mike’s recommendations on the best MDR service providers to quote, based on your company’s requirements? Click the button below to ask him today.


About Mike
Mike Smith is the Founder and President of AeroCom and has been helping companies with telecom and cloud services since 1999. He has been the recipient of numerous business telecommunications industry awards and in 2011, he was honored as one of the top 40 business people in Orange County, CA, under 40 years old. You can also hear him as the host of the popular Information Technology podcast, ITsmiths with Mike Smith. Follow Mike on YouTube, LinkedIn, Reddit and SpiceWorks.

Transcript

So your company is interested in cyber security services and maybe outsourcing that, and you’ve heard the term MDR, and you’re wondering, “What is MDR, managed detection and response?”

I wanted to make a quick video kind of explaining my opinion on what MDR is, and what some of the advantages are, and what problems MDR service providers are supposed to be addressing.

Shortcut

But before I get started, real quick, just as a reminder, if you want my recommendations on the best MDR service providers to quote for your business, don’t just Google it, reach out and contact me. More information on that at the end of the video, but just wanted to mention it briefly.

MDR Solves These Problems

Okay. So what is MDR? What is a managed detection and response service provider?

First and foremost, I would say it’s important to know what problems an MDR solution provider is trying to address.

Lack of Visibility

So first and foremost, the first problem that an MDR service provider is trying to address is lack of visibility.

So a lot of times a mid-sized company, or especially a smaller one, doesn’t have every single tool available to them. So it’s hard to find threat actors within their environment, whether it’s on the network or whether it’s in email and things like that; they just don’t have the right tools available to see every single possibility that’s going on out there. So that’s the first one: addressing a lack of visibility.

Lack of Time

The second thing that MDR service providers are trying to address is a lack of time. Mid-sized companies are notoriously thin in terms of their IT staff. I probably don’t have to tell you this. So lack of time.

So even if you could find the threat actors in your environment, do you have time to respond to them appropriately? Do you have time to really dig into what’s going on? If you get an alert, maybe you do have a tool, but you get an alert, do you really have time to dig into if that alert is legitimate or if it’s not, or to compare it across the other things you’re getting across all your platforms?

Time is of the essence, and usually IT departments are doing a million other things, and it’s very hard to find the time to really address alerts appropriately.

Alert Overload

Speaking of alerts, another issue that MDR service providers are addressing is alert overload. So even if you have a couple tools out there, just like a firewall or some type of an endpoint protection device, anything, any type of application like that is going to give you so many alerts, it becomes alert overload.

Mid-sized companies can literally get thousands of alerts every single day. Not only are they getting alerts, they’re getting a lot of false positives. So what happens is we all know, it’s the boy who cried wolf, right?

So the more alerts you get, the more false positives you get. You start to ignore all the alerts, hence what ends up happening is a lot of dwell time.

That’s why the average dwell time that studies have shown for a threat actor to be sitting in your environment is 100 days. That’s the average. So why is that? Because it’s alert overload and a ton of false positives coming in, so people start ignoring all the alerts coming from their tools. So, that’s another thing that MDR service providers are addressing.

Expertise Gaps

The fourth thing that MDR service providers are trying to address is expertise gaps. As we all know, the security landscape is changing every single day. Cybersecurity threats are changing every day, and it’s very hard to keep up on all this stuff. You have to really be a security expert, and it’s hard to be a security expert when you are the IT expert of your company and you need to be an expert on all kinds of different stuff.

So even if you went and hired a security professional, it’s super expensive as you guys know. Those salaries are very high and the turnover is very high because those people are in high demand. So even if you do hire one, the chances of them getting offered more jobs or higher salaries other places are high, so they eventually leave and you’ve got to replace that person. Turnover is very, very high. So MDR service providers are really addressing that expertise gap, the lack of expertise within your organization on cybersecurity.

Inability to use existing tools

And the last thing MDR service providers are really trying to address is the lack of ability to use the tools you have appropriately. So maybe you have some great tools, but the time it takes to really use those tools appropriately isn’t there.

So you might have a tool that’s really geared for a Fortune 500 company, and it really takes a full time expert to run that tool and to do it all the time. Well, you don’t have that type of personnel. So you’re really not able to utilize the tool that you do have appropriately. And therefore, you’ve spent a lot of money on something, or your company has spent a lot of money on something that you’re really not even using. So an MDR service provider also addresses that. They can come in and do that type of stuff and help you utilize the tools that you have today.

So those are the issues that MDR service providers come into your company and address. They can address all of them or they can address some of them.

What can an MDR provider do?

So what can an MDR service provider do? Well, I like to kind of categorize it into the different areas that a managed detection and response provider can help you.

Network

Number one is your network. They can do a full packet capture of all the traffic on your network. So that’s something they can address: network security.

SIEM

They can also address your SIEM or your logs. So all the different logs that we talked about coming in from all the different tools you have everywhere, they can take all those logs and put them into their own tools. So they can filter all the alerts coming in and all the false positives, and they use things like machine learning and AI to really narrow down the alerts and get a streamlined bunch of alerts that are sent to them.

Well, they usually have some type of software program where they’re consolidating all the logs from all of your different tools into one pane of glass that they can look at. So that’s something else they can address. Also, endpoint security. So they can do that for you.

Endpoint Security

They can handle endpoint security: if you have your own endpoint security solution today, they can help you with that solution, or they can provide you with an endpoint security solution and manage that for you.


Cloud Security, Email, and Identity Management

Cloud applications are something else they can address, as well as things like email and identity and a few other things as well.

So those are all the different areas that an MDR service provider can come in and help you with. So what do they do with those areas?

Well, as I said, they can get alerts into a log system for you. They can basically create a SIEM where it’s sending all of those alerts to some type of a security operation center analyst. So they can either send the alerts to you and you can see them on your software, or you can have them do it and have all those alerts go to a SOC analyst that is looking at all that stuff and is this security expert for your company.

So they know what alerts to really be watching out for, and they can also compare alerts coming from different areas. Like they can kind of cross compare an alert coming from your network and compare it to something else that’s coming in on a server. And maybe something else that’s coming in on email and kind of compare those different things and create conclusions based on that. So they can do a lot of stuff.

Perspective

These are security professionals; all they do all day long is security, and they see all the stuff that’s going on. Not only with your company, but all the other customers that they have. So they really are able to get the alerts and know what they should look at right away. Then based on those alerts, they can either handle it themselves, or they can quarantine the issue.

If there’s an incident coming up, they can shut down something. Maybe an employee downloaded something they shouldn’t have, they can immediately be notified of that and shut that laptop down, or that device down, like a phone or something like that.

Or they can let you know, and maybe you want to be able to shut it down yourself and you don’t want them to do it, but they can give you choices when it comes to things like that. They can also have full incident response. So if there’s some type of a lateral incident where maybe one machine gets affected and it creates multiple things throughout your network, they can start hunting that down, fixing it, quarantining it, all that type of stuff.

So they can go as far as you want; it’s just a matter of your preference. So that’s what an MDR service provider does: managed detection and response. They can cover all those different areas, address those problems that we talked about and respond to them.

More questions?

So again, I hope that helps a little bit. If you want my recommendations on the best MDR companies to quote for those services, don’t Google it, just contact me via email or phone (714.593.0011).

I’m a broker for all the major MDR companies out there, and they actually pay our broker fee, so you don’t have to pay us at all. So there’s no excuse not to use me. Just give me a call, give me a little bit of information about your company’s needs, and I’m happy to give you some great recommendations. I’ve been doing this for 18 years, so I know a lot of the service providers in the marketplace. I know them inside and out, and my job is to help you find the right companies to quote a lot faster than you’d be able to do it on your own.

So again, hope that helps a little bit. Don’t forget to subscribe to the channel, so we can get rid of all those commercials that you have to see prior to all the videos. And also, like the video. That would help me out a lot. I hope you enjoyed it and I’ll catch you on the next one.
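The SIEM work the transcript describes (consolidating alerts from several tools, filtering out known false positives and duplicates, then cross-comparing alerts from the network, a server and email to reach a conclusion) can be shown as a small correlation pass. The code below is an added example for this page; it is not AeroCom’s code nor any MDR provider’s tooling. The alert records, rule names, suppression list, 15-minute window and two-source escalation threshold are all constructed assumptions chosen to illustrate the idea.

```python
"""Toy alert-correlation pass of the kind the transcript describes a SOC doing:
consolidate alerts from several tools, suppress tuned-out rules and exact
duplicates, then group what remains by host and time window so an analyst sees
one incident instead of many disconnected alerts.

Every alert below is constructed sample data, not output from any real tool.
"""
from datetime import datetime, timedelta

# Constructed alerts from three sources (network sensor, email gateway, endpoint
# agent), already flattened into the shape a SIEM would normalise them to.
SAMPLE_ALERTS = [
    {"ts": "2022-01-28T09:00:05", "source": "firewall", "rule": "port-scan-outbound",
     "host": "WS-042", "severity": 2},
    {"ts": "2022-01-28T09:00:05", "source": "firewall", "rule": "port-scan-outbound",
     "host": "WS-042", "severity": 2},          # exact duplicate of the line above
    {"ts": "2022-01-28T09:02:40", "source": "email", "rule": "macro-attachment",
     "host": "WS-042", "severity": 3},
    {"ts": "2022-01-28T09:04:10", "source": "endpoint", "rule": "office-spawns-powershell",
     "host": "WS-042", "severity": 4},
    {"ts": "2022-01-28T09:05:00", "source": "firewall", "rule": "dns-query-volume",
     "host": "WS-042", "severity": 1},          # tuned-out rule, dropped below
    {"ts": "2022-01-28T11:30:00", "source": "endpoint", "rule": "usb-device-inserted",
     "host": "WS-017", "severity": 1},
    {"ts": "2022-01-28T14:00:00", "source": "firewall", "rule": "port-scan-outbound",
     "host": "WS-042", "severity": 2},          # same host, hours later: new window
]

# Rules the SOC has reviewed and tuned out as noise (the "false positives" the
# transcript mentions). Constructed list for this example.
SUPPRESSED_RULES = {"dns-query-volume"}

WINDOW = timedelta(minutes=15)   # assumed: alerts this close on one host form one incident
ESCALATE_SOURCES = 2             # assumed: this many distinct tools agreeing => escalate


def parse_ts(value):
    return datetime.fromisoformat(value)


def normalise(alerts):
    """Drop suppressed rules and exact duplicates; return the rest sorted by time."""
    seen = set()
    kept = []
    for alert in alerts:
        if alert["rule"] in SUPPRESSED_RULES:
            continue
        key = (alert["ts"], alert["source"], alert["rule"], alert["host"])
        if key in seen:
            continue
        seen.add(key)
        kept.append(alert)
    return sorted(kept, key=lambda a: parse_ts(a["ts"]))


def correlate(alerts, window=WINDOW):
    """Group alerts per host into incidents; an alert joins the host's open
    incident if it falls within `window` of that incident's first alert,
    otherwise it opens a new one. An incident is flagged for escalation when
    at least ESCALATE_SOURCES distinct tools contributed to it."""
    incidents = []
    open_by_host = {}
    for alert in normalise(alerts):
        when = parse_ts(alert["ts"])
        incident = open_by_host.get(alert["host"])
        if incident is None or when - incident["start"] > window:
            incident = {"host": alert["host"], "start": when, "alerts": [],
                        "sources": set(), "max_severity": 0}
            incidents.append(incident)
            open_by_host[alert["host"]] = incident
        incident["alerts"].append(alert)
        incident["sources"].add(alert["source"])
        incident["max_severity"] = max(incident["max_severity"], alert["severity"])
    for incident in incidents:
        incident["escalate"] = len(incident["sources"]) >= ESCALATE_SOURCES
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        flag = "ESCALATE" if inc["escalate"] else "watch"
        print(f"{inc['host']} @ {inc['start']:%H:%M}: {len(inc['alerts'])} alert(s) "
              f"from {sorted(inc['sources'])}, max severity {inc['max_severity']} -> {flag}")
```

Running it collapses seven raw alerts into three incidents: the WS-042 cluster at 09:00 (firewall, email and endpoint all firing within a few minutes) is the one that gets escalated, while the lone USB alert on WS-017 and the later, isolated port-scan alert on WS-042 stay as low-priority items. The point is the one the transcript makes: no single alert here is conclusive, but three tools agreeing on one host in one window is what an analyst wants surfaced first.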

