The Art of Delivering Managed Detection and Response (MDR) Services
When it comes to providing managed detection and response (MDR), service providers face a number of challenges, both technical and human. As is often the case in IT security, many of the obstacles stem from trying to combat increasingly sophisticated threats with aging, inefficient technology.
Many managed security services providers (MSSPs) rely on outdated alerting solutions that depend on static signatures and pattern matching. Such technology cannot reliably detect, let alone respond to, many of today's advanced threats, which are designed to avoid matching any known signature.
To improve their detection and response capabilities, many MSSPs are embracing some form of Security Orchestration, Automation and Response (SOAR) technology, which automates security operations processes.
Research firm Gartner defines SOAR as “a technology that enables organizations to collect security threat data and alerts from different sources where incident analysis and triage can be performed, leveraging a combination of human and machine power to help define, prioritize and drive standardized incident response activities according to a standardized workflow.”
Technical MDR Hurdles
To address the flood of threats targeting their customers' networks and devices, MSSPs must manage feeds and alerts from a wide assortment of security products. This diversity of tools can create major gaps in detection and response, because an alert from one product is rarely correlated automatically with related evidence held in another.
With multiple products and dashboards to monitor and use, managing the workflow needed to gather all the data required to properly investigate an incident is time-consuming and prone to error.
In addition, the multiplicity of products required to provide MDR services makes it difficult for MSSPs to scale the number of clients they can service with their existing resources. The manual effort required to manage mix-and-match functions, overlapping capabilities, different data sources and metrics, and so on, not only reduces efficiency but also eats into margins and profitability.
A Better Way to Deliver MDR
SOAR technology provides five clear benefits for delivering MDR services.
First, it integrates with existing security technologies and processes to address scalability problems. SOAR’s ability to orchestrate actions taken by security products, and to automate actions without the need for any human intervention, is one of its greatest strengths. This allows SOAR to integrate with just about any security process or tool already in use — and to enhance the performance and usefulness of each.
This integration improves the ability of MSSPs to detect and neutralize threats and attacks. It provides a single “pane of glass” to unify asset databases, help-desk systems, configuration management systems and other IT management tools.
SOAR also accelerates responsiveness to events by arming MSSPs with the visibility and ability to react decisively to new threats or attacks; for example, SOAR automates workflows that span threat intelligence management all the way through to case and ticket management.
MSSPs waste an inordinate amount of time dealing with false positives, because daily alert volumes are far too high to triage by hand. SOAR automates the handling of low-level alerts, freeing staff to focus their attention where it is really needed. The automatic path needs to be deliberately narrow and regularly reviewed, however: an alert that is auto-closed on an over-broad rule is a true positive that nobody will ever see.
Typically, security staff spend much of their day on manual tasks such as updating firewall rules, provisioning accounts for new users and removing the accounts of those who have left the company. SOAR automates most of these time-consuming, repetitive tasks.
Although saving money is rarely a major factor in adopting SOAR, it can be a welcome bonus to MSSPs and their customers. By improving staff efficiency, SOAR allows MSSPs to increase their value to their clients by improving SLAs and offering advanced services such as MDR, while frequently cutting operational costs. For MSSPs, this can directly increase margins.
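As an added illustration of the kind of workflow the two paragraphs above describe (threat-intelligence enrichment through to case handling, and automatic disposition of low-level alerts), here is a toy triage playbook in Python. It is not code from this article or from any SOAR product; the alerts, the intel entries, the scanner allow-list and the confidence thresholds are all constructed for the example, and the IP addresses are documentation ranges.

```python
"""Toy SOAR-style alert triage playbook (added example, not vendor code).

Pipeline: normalize alerts from two tools with different schemas ->
enrich each indicator against a threat-intel feed -> decide a disposition
(escalate / ticket / auto_close / queue). Everything below is constructed.
"""
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> (source, confidence 0-100).
THREAT_INTEL = {
    "198.51.100.23": ("internal-blocklist", 95),
    "203.0.113.7": ("partner-feed", 60),
}

# Constructed allow-list: internal hosts expected to generate scan noise.
KNOWN_SCANNERS = {"192.0.2.10"}

# Raw alerts as two different tools would emit them (note the differing
# field names and severity scales); hypothetical data.
CONSTRUCTED_ALERTS = [
    {"tool": "ids", "sig": "ET SCAN Nmap -sS", "src_ip": "192.0.2.10",
     "dst_ip": "10.0.0.5", "priority": 3},
    {"tool": "edr", "rule": "LSASS memory read", "hostname": "ws-042",
     "remote_ip": "198.51.100.23", "severity": "high"},
    {"tool": "ids", "sig": "Possible beacon", "src_ip": "10.0.0.7",
     "dst_ip": "203.0.113.7", "priority": 2},
    {"tool": "ids", "sig": "ICMP echo", "src_ip": "10.0.0.9",
     "dst_ip": "10.0.0.1", "priority": 3},
]

IDS_PRIORITY = {1: "high", 2: "medium", 3: "low"}  # assumed IDS scale


@dataclass
class Alert:
    tool: str
    title: str
    severity: str                       # "low" | "medium" | "high"
    indicators: set = field(default_factory=set)
    intel_hits: dict = field(default_factory=dict)  # indicator -> (src, conf)


def normalize(raw: dict) -> Alert:
    """Map each tool's own schema onto one common alert record."""
    if raw["tool"] == "ids":
        return Alert("ids", raw["sig"], IDS_PRIORITY[raw["priority"]],
                     {raw["src_ip"], raw["dst_ip"]})
    if raw["tool"] == "edr":
        return Alert("edr", raw["rule"], raw["severity"], {raw["remote_ip"]})
    raise ValueError(f"unknown tool {raw['tool']!r}")


def enrich(alert: Alert, intel=THREAT_INTEL) -> Alert:
    """Attach threat-intel matches for every indicator on the alert."""
    alert.intel_hits = {i: intel[i] for i in alert.indicators if i in intel}
    return alert


def triage(alert: Alert) -> tuple:
    """Return (disposition, reason).

    Auto-close only when nothing matched intel AND the noise comes from an
    allow-listed scanner. A true positive closed here is lost, so the
    automatic path is deliberately narrow; everything else gets a human.
    """
    if alert.intel_hits:
        best = max(conf for _, conf in alert.intel_hits.values())
        if best >= 80 or alert.severity == "high":
            return "escalate", f"intel match (confidence {best}), severity {alert.severity}"
        return "ticket", f"intel match (confidence {best})"
    if alert.severity == "high":
        return "escalate", "high severity without intel context"
    if alert.severity == "low" and alert.indicators & KNOWN_SCANNERS:
        return "auto_close", "expected noise from allow-listed scanner"
    return "queue", "no intel match; batch review"


def run_playbook(raw_alerts=CONSTRUCTED_ALERTS) -> list:
    """Run the full pipeline and return one disposition record per alert."""
    results = []
    for raw in raw_alerts:
        alert = enrich(normalize(raw))
        disposition, reason = triage(alert)
        results.append({"tool": alert.tool, "title": alert.title,
                        "disposition": disposition, "reason": reason})
    return results


if __name__ == "__main__":
    for r in run_playbook():
        print(f"{r['disposition']:10} {r['tool']:4} {r['title']:18} {r['reason']}")
```

Running it yields one escalation (the EDR alert, which both carries a high-confidence indicator and is rated high by the tool), one ticket (the beacon to a medium-confidence indicator), one auto-close (the allow-listed scanner) and one queued low alert. The point of the design is the order of the checks: intel hits and high severity are evaluated before any auto-close rule, so widening the allow-list can never silence an alert that has context pointing at a real adversary.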
Heather Hixon is a senior solutions architect for security orchestration, automation and response vendor DFLabs. She has been a SOC team leader, SOC analyst and SIEM engineer with NTT Security, and served in IT management roles with several other organizations. Heather is CompTIA Security+, SANS GSEC and GCIA certified.