What is managed detection and response (MDR)? - Red Canary (2024)

The threat landscape is constantly changing—shifting and adapting with the rise of hybrid work environments, the rapid rate of technological advancement, and the explosion of artificial intelligence (AI). To see, forecast, and better navigate through today’s security challenges, organizations need proactive, intelligence-led solutions like managed detection and response (MDR).

In this article, we’ll define managed detection and response, explain its core functionalities, and highlight its crucial role in protecting your organization. We’ll also answer some crucial questions, including:

• How do you go about choosing an MDR provider?
• What are some of the business challenges for MDR adoption?
• How does MDR differ from SIEM?
• What’s an MSSP? And how’s that different from MDR?
• What’s the difference between EDR, XDR, MXDR, and MDR?

MDR is a cybersecurity service that helps organizations rapidly detect, analyze, and mitigate cyber threats. It goes beyond simple monitoring, taking that extra step to investigate and remediate threats before they can have a negative impact.

As a managed service, also referred to as a “security-as-a-service” offering, MDR helps organizations augment their security operations center (SOC) capabilities by collecting logs, data, and contextual information from a wide range of sources, such as cloud workloads, identities, SaaS applications, networks, and endpoints. This telemetry is then used to aid investigation by experts in threat hunting and incident response.

When a potential threat is identified, the MDR provider’s expert team will investigate the nature and scope of the risk. Depending on their findings, they’ll take appropriate actions, such as isolating affected systems and containing the threat. MDR teams continuously learn from these incidents, enhancing their detection capabilities and providing you with recommendations to strengthen your security posture over time.

MDR services offer a wide range of features that go beyond basic threat detection. Here are some key functionalities you can expect from MDR:

Detection and monitoring

• 24×7 monitoring: MDR providers have experts who keep their eyes on your environment day and night, holidays and weekends. They look for suspicious activity through a combination of security tools and intelligence, seeking to identify potential threats.
• Continuous threat hunting: Some threats are highly visible. Others lurk in the shadows. MDR finds both. Highly skilled and trained threat hunters actively search for threats and vulnerabilities that attackers might exploit.
• Analysis: MDR aggregates telemetry across your IT infrastructure and then applies custom analytics to identify patterns that might indicate a security incident.

Investigation

• 24×7 investigation: MDR providers continuously monitor your environment, ensuring a rapid response to critical threats around the clock.
• Incident prioritization: When threats are detected, MDR providers will triage them and determine their severity and potential impact. This helps their experts, as well as your internal staff, prioritize which threats to investigate first.
• Threat intelligence: To understand the motivations, tactics, and techniques of adversaries, MDR providers gather intelligence from multiple sources and use that information to better respond to threats.

Response and remediation

• Automation: MDR services can typically take actions on your behalf. These actions can include isolating endpoints or sending notifications when a threat is detected.
• Remediation: Some MDR providers go beyond investigation with hands-on-keyboard response, or active remediation. This gives them the ability to remotely contain and remediate threats on your behalf.
• Reporting: MDR provides detailed reports on various metrics, such as mean time to respond (MTTR) and return on investment (ROI).

It’s important to note that different MDR providers offer varying features and functionalities. We’ll delve into research methodologies for selecting the right MDR provider later in this article.

Now that we’ve established the core features of MDR, let’s explore some of its top benefits:

• 24/7/365 monitoring: MDR providers keep their eyes on your environment around the clock, eliminating the need for dedicated internal personnel to monitor your environment at all times.
• Proactive threat hunting: Going beyond traditional security measures, MDR products actively search for hidden threats and vulnerabilities before they can be exploited.
• Faster response times: Thanks to automation capabilities and 24×7 investigations, MDR services boast rapid response times, allowing for quicker containment and mitigation of security incidents and minimizing potential damage and downtime.
• Access to cybersecurity professionals: With MDR, you gain access to a team of cybersecurity professionals, helping bridge the gap in expertise.
• Tailored to your specific needs and budget: Scale your security posture as your organization grows with the flexibility and customization MDR providers offer.
• Improved compliance: MDR can help you adhere to specific security regulations by providing tools and expertise to meet compliance requirements.
• Reduced costs: When compared to building and maintaining a full-fledged SOC internally, MDR can be a cost-effective solution.
• Enhanced security resilience: By proactively managing security risks, MDR helps you build a more robust security posture against known and emerging threats.

It’s important to note that not all MDR offerings are created equal, and some of the benefits highlighted above do not apply to all vendors. We’ll cover how to find the right solution for your organization in the next section.

When evaluating MDR vendors, you should consider several elements, from the provider’s investigation and response capabilities to their depth of detection and beyond. Here are some key aspects to consider:

Detection and investigation capabilities

Don’t settle for basic data analysis. Look for providers that ingest both raw telemetry and alerts. This allows them to gain a deeper understanding of your environment and provide richer context. Also, be aware that not all vendors create their own detections. Look for MDR vendors that build their own detection capabilities with a team of experts in-house. By translating threat intelligence into actionable detection methods, these providers are better equipped to identify and stop the most sophisticated attacks while minimizing false positives.

When it comes to investigation, some MDR providers have minimal threat hunting coverage, which can translate to a higher amount of false positives that your team will be responsible for investigating. If you don’t have the resources to look into each and every alert, you need an MDR vendor whose detection coverage and investigation processes go deeper.

Response capabilities

Choosing the right MDR provider hinges not just on detection, but also on robust response capabilities. To ensure you’re partnering with a provider who can effectively neutralize threats, here are three key questions to ask:

1. Does the provider utilize a security orchestration, automation, and response (SOAR) platform? Or at the very least, do they integrate with one? SOAR offers myriad benefits, including, but not limited to: driving down MTTR, minimizing human error, collecting data from different sources for more flexibility, and automating tasks for rapid containment and remediation.
2. Does the provider offer human-led incident response? Not all MDR vendors actively respond to threats or provide guidance on how to respond during an incident. Instead, containment activities fall on the shoulders of the customer. If you’re looking for an MDR vendor to take some response actions off your plate, ensure they offer human-led response capabilities. Not only can this make up for resource and experience gaps, it can increase the response speed when time is of the essence.
3. Does the provider offer hands-on-keyboard response? Although it’s not typically performed by MDR providers, vendors are increasingly adding the option of hands-on-keyboard response, also known as “active remediation,” to their service suite. With active remediation, MDR vendors are able to remotely contain and remediate those threats—all on the customer’s behalf.

Depth and breadth of MDR coverage

Traditional MDR vendors use endpoint detection and response (EDR) tools as their primary data source. This is true for vendor-neutral “pure play” MDR providers, as well as EDR vendors that have added a service component over time on top of their own endpoint product. However, as the security landscape evolves, more MDR providers have started collecting log data from non-endpoint sources, such as network, cloud, identity, and software-as-a-service (SaaS) applications. But while integrating with a wide variety of security tools is certainly important, not all integrations are created equal. Many MDR providers will claim they work with a security tool but do not deliver any real security value from that integration. Rather than only focus on the breadth of integrations, you should explore the depth of those integrations as well.

If you’re looking for the added benefit of a unified timeline, cross-product correlation, and broader context, make sure your MDR provider is more than a managed point solution and has extended detection and response (XDR) capabilities included. XDR (discussed below) consolidates events from multiple security tools into one unified timeline and correlates data across your tech stack, allowing you to detect threats earlier in the attack chain. It also provides the additional context you need to understand the scope and impact of an attack.

Service

When choosing a vendor, make it a point to understand how they integrate operationally with your current workflow. In addition to understanding the types of communication you’ll have with your MDR team, you should also inquire about support hours. Incidents don’t always happen between the hours of 9 a.m. and 5 p.m. A vendor that offers 24×7 support (not just 24×7 coverage) means help is available when you need it most.

In addition, an MDR vendor should always provide you with actionable advice, so you can address each incident with confidence. A great MDR vendor will work with you and address your security needs from the very beginning, helping you create a more mature security operations program. They’ll also help you understand the costs of scaling your MDR service, supporting you every step of the way as your organization grows and your IT environment evolves.

Feeling overwhelmed by the MDR selection process? Don’t sweat it.

We’ve created a comprehensive guide that covers the top 15 questions you should be asking when evaluating solutions—there’s even a handy checklist to help define your unique security needs. You can access our MDR Buyer’s Guide here.

MDR sits at the intersection of technology and human expertise. And so, MDR services offer a range of core capabilities designed to detect, investigate, and respond to security threats in your environment. These capabilities include, but are not limited to:

1. Threat detection and prioritization: MDR leverages tools and technologies like EDR to continuously monitor your environment for suspicious behavior. These systems generate a lot of alerts. MDR’s job is to weed through the noise and help you prioritize threats that actually matter.
2. Threat hunting: Going beyond passive monitoring, MDR encompasses active monitoring via human experts. These security analysts seek out threats that might evade traditional detection techniques.
3. Investigation: When a potential threat is identified, MDR providers conduct a thorough investigation to understand its scope, nature, and potential impact. They leverage threat intelligence, logs, and forensic data to get the whole picture.
4. Response and remediation: Once a threat is confirmed, MDR providers typically offer guided response recommendations. Some do this through automated response actions. Others give you access to their security experts. Even rarer, MDR providers may provide active remediation services where they work to neutralize threats as fast as possible, even when you’re not available.
5. Reporting: MDR providers give you access to reporting on various aspects of your security such as specific security incidents, identified threats, or overall security posture. This helps you gain valuable insights into your environment, identify areas for improvement, and quantify the effectiveness of your security spend.

By combining these capabilities into one service, MDR providers offer a comprehensive and proactive approach to security, helping you effectively manage and mitigate threats before they cause harm.

Key challenges MDR (managed detection and response) MDR solves

MDR addresses many key challenges organizations face in securing their IT environments, including:

1. Lack of security expertise: Finding and retaining qualified cybersecurity professionals continues to be a challenge for most organizations. MDR services provide access to a team of experts with specialized knowledge and experience in threat detection, threat hunting, and response, helping you overcome this critical skill gap.
2. Resource constraints: The rate and costs of data breaches are increasing. Budgets, on the other hand, are oftentimes not. Building and maintaining a full-fledged SOC with in-house personnel can be costly and resource-intensive. MDR presents a cost-effective alternative, requiring less internal resources and headcount while providing the same level of security.
3. Evolving threat landscape: New and sophisticated threats are constantly emerging. MDR providers have what it takes to combat these threats by leveraging proprietary threat intelligence and having hyper-specialized experts ready to apply their expertise to new challenges.
4. Alert fatigue: Security tools, including EDR, are notoriously noisy. MDR takes in high volumes of alerts and telemetry and filters through the noise, so you stay focused on the most relevant security events.
5. Compliance requirements: Many industries face compliance regulations with strict requirements. MDR services can help you meet these requirements through their services, including ongoing monitoring, reporting, and documentation.
6. 24/7 staffing: Incidents don’t just happen during business hours. But it can be hard to staff around the clock. MDR alleviates this burden by handling security operations 24/7, so your team can rest easy.

Business challenges for MDR adoption

While MDR offers significant benefits and solves many of the challenges modern security operations programs face, there are also some key business challenges that can hinder its adoption:

1. Cost: All security tools come at a cost, and MDR is no exception. However, it’s important to remember that MDR can be cost-effective compared to building an internal SOC. Still, the upfront investment can be a challenge for some organizations, especially small businesses with limited budgets.
2. Visibility: Handing over monitoring and response functions to a third-party vendor may raise concerns about data privacy. However, by evaluating the provider’s security practices and data handling procedures ahead of time, you can feel more comfortable that your data is in good hands.
3. Integrations: Successful MDR implementation relies on seamless integration with your existing IT infrastructure and security tools. This process can vary in complexity depending on your environment’s specific configuration. Before choosing an MDR provider, it’s crucial to understand the supported integrations and the typical integration timeframe in order to make an informed decision.
4. Vendor selection: We covered this above, but it’s worth noting again that vendor selection can be tough. It’s vital that you take your time to thoroughly vet options to make sure your provider aligns with your needs and security goals.
5. Internal resistance: Internal teams are often hesitant about new security solutions. They may perceive MDR as a threat to their expertise and workload. Make sure to address these concerns and ensure clear communication about the benefits. If anything, MDR will free them up to work on internal projects that make the most impact instead of chasing down false positives.
6. Lack of awareness: Securing buy-in for MDR services can be a struggle, especially when key stakeholders don’t fully understand the benefits. To ensure successful adoption, it’s important to raise awareness and educate your colleagues about the value MDR brings—not only to your security program, but the entire organization.

Security information and event management (SIEM) technologies are an important part of many security programs as they provide valuable functions like central log repository, security event detection, and compliance requirements. MDR services provide expert security analysis, adding a human factor for less noise and more context and responsiveness. Both SIEM technology and MDR services can be important tools in the dynamic security landscape.

Since we’ve already covered MDR, let’s dive into the strengths and weaknesses of SIEM technologies.

SIEM: the pros and cons

SIEM solutions are often implemented as part of a larger security and compliance strategy, and brought in to act as a central repository for information from other technologies. Primary SIEM benefits include:

• Centralized data collection and analysis
• Compliance and regulatory adherence
• Single pane of glass (SPOG) view into environment
• Automated response
• Real-time monitoring

However, there are also limitations of using SIEM. Some cons include:

• SIEMs require intense training, large crews, and expertise for implementation.
• Beyond the initial investment, SIEMs incur substantial ongoing expenses for maintenance, updates, monitoring, and effectiveness.
• Using a SIEM as your only tool makes your team reliant on a single vendor—if the SIEM does not have all of the functionality you need, you must request and wait for feature updates.

The perfect blend: MDR + SIEM

As aforementioned, MDR services are designed to provide a more proactive and comprehensive approach to threat detection and response. They use automation and machine learning to identify and respond to threats in real time. They also provide 24/7 monitoring and expert human security analysis and response, which can help organizations detect and respond to threats more quickly and effectively.

If you’re trying to decide between MDR and SIEM, the ideal solution may just lie in the combination of the two. By integrating SIEM technology with an MDR service, organizations can leverage the strengths of both solutions to balance business risk and cost.

Check out this chart to see the strengths of both SIEM and MDR:

In summary, SIEM technology enhances the value of security programs by collecting and analyzing massive amounts of alert data from various sources. To further bolster your security operations, the integration of MDR services provides 24×7 monitoring with expert-led advanced threat detection and response capabilities. By working in tandem, SIEM and MDR provide a comprehensive defense against the constantly evolving and increasingly sophisticated threat landscape.

Now that you understand the differences between SIEM and MDR, what about the differences between a managed security service provider (MSSP) and an MDR provider?

MSSPs typically focus on basic security tasks like monitoring standard ingress-egress traffic on perimeter products and vulnerability management. They provide high-level security coverage for basic and repetitive tasks across an organization’s entire security stack. It is not uncommon to find an MSSP advertising that they use hundreds of security tools. A detailed look will often show that they employ inexperienced staffers trained to capably operate only a small fraction of those.

MSSPs mostly rely on signatures and rule-based detection and frequently miss advanced threats (and increasingly even basic attack tactics). When incidents are discovered, many MSSP customers are still responsible for managing containment and mitigation unless they pay the provider’s incident response team extra for help. Even then, the MSSP’s staff may not be specifically trained to effectively respond to an incident.

Conversely, MDR services focus specifically on improving an organization’s advanced threat detection, investigation, and response. They are used to augment and enhance internal capabilities. They frequently examine similar data sets as MSSPs, such as network logs or endpoint telemetry, but at a much greater depth. They are specifically tailored to use advanced technologies such as EDR, behavioral analytics, specialized forensics tools, and custom security event management platforms. The most sophisticated MDR providers focus heavily on detecting behaviors like lateral movement, credential theft, and privilege escalation, all behaviors of today’s advanced attacks. Some even operate large software and security engineering teams to design their own detection and response technology.

By now, you probably have a firm grasp on what an MDR is. Now let’s talk about EDR (endpoint detection and response).

EDR focuses on securing individual endpoints within your network. Endpoints include devices like laptops, desktops, and mobile phones, as well as servers, workstations, Internet-of-things (IoT) devices, and virtual machines (VM). EDR leverages software agents installed on these endpoints to monitor activity, detect suspicious behavior, and provide tools for investigation and response.
MDR, on the other hand, is a managed service that provides detection and response across your entire IT infrastructure, encompassing endpoints as well as network devices, cloud workloads, identity services, and software-as-a-service (SaaS) applications. In addition, MDR brings a human element into the mix. With EDR, internal teams are responsible for investigating and responding to alerts. MDR, conversely, includes a team of security experts who not only monitor your environment and analyze alerts, but identify and prioritize threats and offer guidance or even take action in response to incidents.

Think of the two services like this: EDR is just one small piece of your larger security posture puzzle. MDR takes each piece, puts them together, and creates a single cohesive picture.

In most cases, you won’t be choosing between MDR and EDR—it’s likely that you’ll need both, depending on your specific needs and resources. If you have a robust security team with the expertise and capacity to manage endpoint security in-house, EDR may be sufficient. However, if you lack these resources or expertise, require monitoring across your entire IT environment, or want to free up time to focus on more strategic tasks, MDR can be a valuable solution on top of an EDR.

MDR, XDR, MXDR—these acronyms can make navigating cybersecurity feel like deciphering alphabet soup. And without standardized definitions, even seasoned folks (like us) can struggle to make sense of the nuances of each service. Let’s demystify these terms, starting with the basics:

• MDR stands for managed detection and response.
• XDR stands for extended detection and response.
• MXDR stands for managed extended detection and response.

Now that we’ve decoded each acronym, let’s break down their different approaches to security:

• MDR is a managed service that offers comprehensive detection and response across an organization’s IT infrastructure. Some MDR providers only cover endpoints, while others also provide security for networks, cloud workloads, identity, and SaaS apps. MDR delivers SOC functions, allowing organizations to detect, investigate, and actively respond to threats while receiving guidance from security experts.
• XDR is a security technology that ingests and analyzes data from multiple security tools across various IT domains. This type of platform automatically collects and correlates data and alerts, providing a consolidated view of activity for more accurate detections.
• MXDR combines the benefits of both MDR and XDR by blending security technology and human expertise to detect threats earlier and stop them faster across an organization’s entire IT infrastructure.

Remember, the label itself matters less than the actual service provided. For example, Red Canary offers a solution that we consider MDR, while others call it MXDR. In the words of Shakespeare, “A rose by any other name would smell as sweet.” When evaluating solutions, focus on the capabilities and value each solution brings to your specific security needs, not the acronym used to describe it.