Cipher Podcast: What’s the Deal With MDR?
No doubt you have heard the term MDR (Managed Detection and Response), but what exactly is it? Gartner said that “The marketing around MDR is increasingly confusing for buyers.” Separating the hype and buzz from the reality is what this podcast will do. We will compare MDR vs. MSS, look at deployment options and more.
Visit the podcast page for all episodes or listen on the platforms below.
Podcast Episode Transcript
Pete: Welcome everyone, my name is Peter Hackett. I am the Global Program Director for Cipher. For today’s podcast we are going to discuss the differences between Traditional Managed Security Services and Managed Detection and Response. I am joined by my colleague Scott Croskey, the Global Chief Information Security Officer for Cipher. Scott and I are recording this session today from our New York City metropolitan office… working from home, of course.
Scott, how are you?
Scott: I’m great, thanks Pete!
Pete: No doubt you have heard the term MDR (which stands for Managed Detection and Response), but what exactly is it? Gartner originally coined the term in 2016 and has recently said that “The marketing around MDR is increasingly confusing for buyers.” In today’s podcast, we will look to separate the hype and buzz from the reality of MDR. For those of you who don’t know, Cipher has both an MDR and MSS service offering. CipherBox is the name of our MDR solution.
Scott, at a high level, what is MDR?
Scott: MDR is a service that quickly provides an organization with the technology, skills, and resources to monitor for cybersecurity risk and triage security alerts. It removes a company’s burden to organically manage this activity by turning Threat Detection into an outsourced service with a service level delivery agreement independent current own staffing levels. It is all provided at a predictable cost that is a fraction of the price of managing the service internally.
Pete: At its basic definition, MDR is a managed service that combines many different security services into one. As you hinted at Scott, MDR is designed to augment the existing capabilities and budgets of an organization to protect its business. MDR services are typically installed and operational within a couple of weeks, providing an almost instant time to value. When repetitive assessment, discovery & threat detections are outsourced to a service provider, your company’s time is re-earned. This makes it possible to use your security teams more strategically and effectively, minimizing time spent on initial triage and security analysis. Scott, what are the typical components to an MDR service?
Scott: Well Pete, an MDR service provider should have a few core components as part of their service. First and foremost is management of a Security Information and Event Management system (also typically referred to as a SIEM). A SIEM is a technology that matches events from different systems within a computer network that combines and compares security relevant data. This data is analyzed for patterns of behavior that may not be detected by individual devices, providing you a wholistic detection and alerting capability to quickly identify security risks within your network. That’s the first component.
The second component to an MDR service is Threat Intelligence which is typically integrated into the SIEM. Through Threat Intelligence, the service is transformed in such a way that it can provide actionable intelligence from reported threats. The intelligence a vendor uses might be proprietary, third party, or based on publicly available sources. Often, the intelligence sources are a combination of two or three of these sources. For CipherBox, we use both commercial sources as well as our own internally developed threat intelligence. We even offer some cyber intelligence services through our Cyber Intelligence Orchestration Platform called Portolan. If you want to learn more about Portolan, check out a recent podcast we did on this topic a few weeks ago.
Pete: And Scott, looking at our podcast statistics, the Cyber Intelligence Podcast seems to have been one of our most popular topics since it has the highest number of downloads compared to our other podcast episodes. I definitely recommend checking that out if you haven’t listened to it yet.
Ok Scott so there is the SIEM component and threat intelligence component. We also include cyber intelligence in CipherBox. What other components are typically in an MDR service?
Scott: Another major component to an MDR service is endpoint detection and response, also known as EDR. This is security software that is deployed to critical systems designed to centralize and automate alerting and threat hunting on endpoints across your cloud and on-premises environments. With EDR agents being deployed within your environment, it allows the SOC to gain telemetry on endpoints which is especially important now with laptops and other workstations being operated outside of your network environment with people working from home.
Another important part of an MDR service is both asset discovery and periodic vulnerability assessments. Asset discovery is an automated process that discovers systems in your environment, and can detect changes in systems as well as discover potentially malicious assets in the network. After all, you cannot secure what you cannot see. And looking at the NIST Cybersecurity Framework, Asset Discovery falls under the Identify category and is the first thing that mature organizations must do.
Taking asset discovery to the next level is Vulnerability Assessments. Vulnerability Assessments are so vital for an organization to conduct on a periodic basis because it identifies vulnerabilities within your network by comparing your installed software with a database of known vulnerabilities and reporting to you for efficient patching, configuration changes, or recommendations for mitigating risk through other measures. This allows your organization to harden your environment and protect from potential future exploitation by an adversary.
Pete, you are studying for your CISSP still, correct?
Scott: I want to put you on the spot, and don’t edit this part of the podcast either. So do you know the difference between authenticated scanning and unauthenticated scanning?
Pete: Actually, I do! Unauthenticated scanning is sometimes referred to as Black Box scanning. Basically it’s an assessment where little information is known about the target environment, other than maybe an IP address or possibly a URL. You run a scan on a target network without any credentials and the results show you what can be seen by someone on your network that does not have access to log-in to the systems that were scanned. An authenticated scan is one that uses login credentials to gain access to the targeted system and examine what vulnerabilities exist. You can get much more thorough results with an authenticated scan.
Scott: Exactly and we can see what could potentially be exploited by a malicious insider, malware, or an adversary that had gained initial access to a computer system. We run authenticated vulnerability assessments with our CipherBox MDR service to provide the best possible visibility into the security posture of our customer networks.
Moving on to the last component of an MDR service is Reporting. An MDR service provider MUST be able to provide a comprehensive library of predefined report templates for PCI DSS, NIST CSF, and ISO 27001, so you can accelerate your security and compliance programs and be audit-ready faster. With CipherBox, this can be done through our Cipher Portal.
Pete: Thanks, Scott. Before we compare MDR to MSS, let’s first look at the Economics of an MDR service. One of the first questions a potential buyer typically asks is how an MDR solution can benefit their company’s security budget. MDR pricing varies by company, of course. The function that determines the price also varies. Most pricing models seek to correlate the value a customer is getting from MDR into the price-point. Different inputs into the price formula could be:
- Logs Size Sent
- Events per Second
- Users (Concurrent or Named)
- Number of Devices
- Number of locations (e.g. number of on-premise and/or cloud environments)
- Expected data consumed by the solution per month
CipherBox is priced via this last category… data consumed per month.
On average, a medium sized company can expect to invest between $5,000 and $10,000 each month into an MDR solution. Compared with traditional MSS solutions, MDR is usually less expensive. The overall investment in cybersecurity might be more than just the MDR investment if there are use-cases that require specialized software or management.
The pricing might also be dependent on contract length. Since there is a large amount of initial work for the provide to do, contracts are often used to ensure companies do not lose out. Contract length can range from one year to three or even more.
Scott: And Pete, Gartner has bold predictions about the adoption of MDR in the future. In their 2019 report, they predict: “By 2024, 25% of organizations will be using MDR services, up from less than 5% today. By 2024, 40% of midsize enterprises will use MDR as their only managed security service.”
Pete I think it’s a good time to talk about our free thirty-day trail were are conducting for North America and the United Kingdom.
Pete: Sure thing Scott. Due to some of the uncertainties in company budget forecasting in the age of coronavirus, we are offering a 30-day free trail of CipherBox for new customers. There are no obligations to continue with the service after the 30-days.
Pete: Ok let’s switch gears now and compare MDR to MSS. The first question someone looking at MDR might have is how it compares to traditional Managed Security Services. There are different use-cases for each. Both give access to 24×7 cybersecurity support and dedicated monitoring. Both options rely on external resources and knowledge to augment the security of a company. The scope of each is different. An MDR service provides coverage for a fixed area. While an MSS could be used to monitor anything. The scope of the software used for monitoring has the same dynamic. An MDR is a set solution, whereas an MSS is customized to the customers. For example, a company might use an MSS solution to manage their firewalls end-to-end. This not only includes managing the security features in the firewall, but also manage the licenses, etc. The question of MSS or MDR is not black and white. A company might use an MDR as their core monitoring function and then employ the MSS technique for endpoints. Every company is different and as such, their cybersecurity landscape is as well.
Scott: Great overview Pete! One other thing to add from MSS is Managed Application Security. We provide Application Security Testing as a Service which includes various test approaches from dynamic to static and it is capable of integration into a Secure Software Development Lifecycle.
So to wrap things up, MDR is geared toward providing a standard service catalog whereas MSS is tailored to the specific needs of a company. Our sales team are trained to be able to work with our customers to identify their needs and recommend either MDR or MSS… or even a combination of both.
Pete: Thank you for your time today Scott, I hope this podcast was useful for our listeners. I’m looking forward to our next Podcast. For any of our listeners who are interested in our services to include CipherBox MDR, please reach out to us via our marketing department, which can be reached at: [email protected]. Also, if you liked today’s podcast, please subscribe so that you can be automatically notified when we publish our next episode.