Managed detection and response (MDR): symptom or solution?

· 5 MIN READ · DAVE MERKEL · JAN 11, 2018 · TAGS: Managed security / MDR / Selecting tech / Tools


Managed security service providers (MSSPs), for the most part, kinda suck. They’re really good at taking your money. But, if you’re looking for security operations capability — y’know, like finding bad guys or investigating a breach — your odds are better if you’re looking elsewhere.

“But wait! We do that!” they say.

“Ummm … no. You actually don’t,” say their customers (right before they switch providers … again … repeating the cycle of disillusionment anew).

Customer dissatisfaction with MSSPs has gotten so bad that a whole new “proto-market” has popped up that basically … well … it does the things customers thought they were getting (but ultimately didn’t) when they first signed their MSSP contract. Industry analysts have even anointed it with its own three-letter acronym: Managed Detection and Response (MDR).

The term has been around for a while. In fact, I was a witness to its creation (more on that later). But I still run into lots of folks that don’t necessarily understand what MDRs do. And I don’t hear a lot of people calling it by that name. It could be because we vendors are craptastic at telling people what we do (I’m not sure where we caught that disease… but it’s rampant). But I think there’s a different reason: MDR isn’t really a market. It’s a symptom.

Specifically, MDR is a symptom of MSSPs’ lack of innovation. They whiffed so hard that they let a whole new mini market pop up in their front yard. Full disclosure: Expel is playing in this space, so this is your fair warning that this post is obviously self-serving. But, at least I’m being honest about it. And it does reflect my thoughts on the state of the universe, for better or for worse. Read on at your own peril.

So what do I mean when I say that MDR isn’t a market? I’ll tell you what I don’t mean. I don’t mean the capabilities that MDRs provide are useless. If I believed that I wouldn’t have founded Expel. What I mean is that it’s not a long-term market … at least not in its current form. The emergence of MDRs is a sign that customers want (and need) REAL managed security that … ummmm … manages their security. There’s no doubt that MDRs offer pieces of what companies want … but not (yet) most of what they need: managed security that doesn’t suck.

First, let’s back up and consider how this MDR thing came to pass. It turns out I was there at the beginning. Or, perhaps, more accurately, “a beginning” since new market trends — even ones with an acronym — rarely have a sole genesis. In any case, here’s my specific superhero (villain?) origin story:

Once upon a time … in the old country (a shorthand we use at Expel to refer to places we used to work) we had a really advanced endpoint product. It was ugly from a UX perspective (my fault) but we could make it sing. Sadly, many potential customers couldn’t.

When the evildoers invaded our customers’ networks we used that product to provide incident response services. Once we had banished the villains and solved the customer’s problem we would pack up to leave.

Then it came to pass that the customer would practically tackle us and beg us to stay: “We can’t do what you do … and neither can our MSSP. What you’re doing is *really* valuable. Can I have some more?” they would cry.

They huffed and they puffed and after we were hit in the head enough times with this two-by-four, we finally said “y’know, there might be a business here.” We experimented with a few customers, tailoring a managed threat hunting/investigation offering on top of our endpoint product. We sold a few and decided to make it a business.

It grew … and grew … and grew … and focused primarily on using our own endpoint technology and only on finding truly advanced threats.

And everybody lived happily ever after. We sold a new managed offering which included our product. The customer didn’t have to develop (and … even more difficult … maintain) the expertise to do what we could do.

Since then, other MDR vendors have crafted their own similarly shaped origin stories. Perhaps a specific use case, technology or market shaped their offering. They found a niche and conquered it. There’s nothing wrong with that. These MDRs have made the world a better place. Here are four reasons why:

1. They find bad guys and gals: Huzzah! That’s their reason for being, so this shouldn’t be surprising.

2. They use modern tech: It sounds obvious but it’s super important … and many MSSPs don’t do it. Most MDR providers use technologies built in the current decade. These modern capabilities offer defenders more options for visibility and they can keep you nimble if you use them properly.

3. Better yet … they use endpoint tech: Double clicking (did I just really say that?) on #2 … MDR offerings use endpoint product offerings and data in a completely competent way. This is huge. Endpoint products are often complicated and interpreting the data requires a fair degree of sophistication … but the results are key to modern threat detection and response.

4. They’re adversary oriented: Some MDR offerings raise awareness of how capable the adversary actually is. This can impact spending and how the business views security. Again, that’s a good thing.

Still … all of *these* things fall under the category of “stuff MSSPs should have been doing all along, but aren’t.” But the reason why I don’t think MDR is a market … or at least not the end state of the managed security market … is that there are some big things that MDRs (as currently defined) don’t do. And the fact that they don’t do them limits the value pure-play MDRs can deliver. Here are a few examples:

  • They don’t use your existing tech: Often, MDR vendors bring some of their own security products to the proverbial table. This can force you to ditch (or ignore) something you already paid for (a network sensor, a SIEM or endpoint tool) regardless of whether or not your existing product is capable. Not awesome.
  • They’re threat snobs: Frequently, MDR providers focus on “advanced” threats. Chasing super-elite bad guys makes for great war stories. But less sophisticated individuals acting of their own accord could cripple your business. The time it takes advanced tactics to trickle down to these types of threat actors continues to shrink. Can you afford to be snooty about the threats your solutions providers pay attention to?
  • Compliance … huh? MDRs are often less interested in compliance use cases. While I’d never argue that compliance=security, that doesn’t eliminate the need to be compliant — particularly in more heavily regulated businesses.
  • Security operations: Ultimately, most organizations need a solid, functioning security operations capability. MDRs aren’t that. They’re expensive, almost “professional services” shaped offerings that are good at finding shiny things, but not so much at addressing your security operations gap.
  • They’re not transparent: For all the things MDRs are doing that are an improvement on the legacy MSSP market, they still suffer from the black box approach that has frustrated so many MSSP customers.
  • Their value stops when the alerts stop: What did you pay for? What did they do? If there weren’t bad guys attacking you on a random Tuesday, what value did they provide? If the bad guys stayed home (and no alerts fired) how will you defend your spend to the business? How did they make you better?

MDRs should be sucking the air out of the MSSP balloon. But they’re not (yet). Instead, I’ve seen scenarios where customers are paying twice, either stitching together multiple MSSPs or layering an MDR on top of an MSSP. Or … perhaps the most troubling scenario I’ve seen … a company with two MSSPs who hired a third consulting company to manage their MSSPs. It’s kinda like what you find with network or endpoint security technologies — “Defense (aka expense) in depth.”

Why is this happening? Well … MDRs still need to close the gaps I highlighted above. Customers aren’t looking for an acronym and they don’t care much about your origin story. They just want someone to solve their problem. MDRs do some of that today … but they still have some ground to cover starting with using the security investments you’ve already made. Wouldn’t that be great? Yeah, we think so too. Someone should do something about that one of these days.