Security Operations

What Is Managed Detection and Response (MDR)?

5 min. read

Managed detection and response (MDR) is a cybersecurity service that provides organizations with a team of experts who monitor your endpoints, networks and cloud environments and respond to cyberthreats 24/7. The team uses a combination of expertise, processes and technology to reduce risk, stop attacks and improve the effectiveness of your security operations center.

What is MDR?

MDR services universally provide the following value:

Increased security maturity with a modern approach to threat management and security operations that is both reactive and proactive, such as threat hunting, paving the way for transformation across other aspects of security operations.
Faster time to value for your security investment with access to security experts and operational best practices and recommendations on policy changes and tuning.
Reduced mean time to detect (MTTD) and mean time to respond (MTTR) for faster detection of and response to advanced threats, thereby reducing risk.
Resource augmentation with continuous 24/7, year-round coverage and expertise to aid security teams in areas that require specialized skill sets, such as threat hunting, forensic investigation and incident response.
Guided response and managed remediation to restore endpoints to a known good status in the event of a threat.

The level of remediation may differ depending on the vendor, service tier or customer needs.

What challenges does MDR address?

Evolving Threat Landscape: Cyberattacks are increasing in speed and sophistication, requiring continuous monitoring, proactive hunting and immediate response to stop these attacks before damage can be done.
Limited Resources: Companies are challenged to prioritize limited resources to combat sophisticated threat actors and tactics.
Alert Fatigue: Security teams are overwhelmed by too many low fidelity alerts and often don’t have additional time for threat hunting.

How does MDR work?

MDR services are delivered remotely and often using a predefined technology. The MDR collects relevant logs, data and other telemetry from the customer environment and then analyzes this telemetry using analytics, threat intelligence, automation and human expertise to deliver continuous monitoring, high-fidelity threat detection, containment and investigation. Additionally, proactive threat hunting is carried out to detect new types of threats and multistage attacks.

Benefits of managed detection and response

MDR benefits include:

Increased confidence from continuous monitoring 24/7 by a team of experts and access to expertise in incident response, forensic investigation and other expert support.
Accelerated response and remediation from improved threat detections, mitigation and containment as well as threat intel pooled from across a large, diverse customer base.
Reduced alert fatigue through alert management.
Improved resilience to attacks from a hardened environment and improved security posture.

MSSP vs MDR

Managed security service providers (MSSPs) typically focus on alerting, security management and monitoring, leaving response actions to the customer. MSSP services are mostly focused on more passive activities and are designed to be highly automated, including interactions with customers typically via a portal.

MDR includes both reactive (continuous monitoring) and proactive activities, such as proactive threat hunting that is done real time by a team of human experts. MDR provides alert and indicators of compromise (IoC) triage, and includes alert response, investigation and remediation.

Vendor MDR vs MSSP MDR

Many EDR/XDR vendors provide MDR services built on their own technology and offer customers a full solution of both product and service from a single vendor. Additionally, these vendors have a deep understanding of their own technology and its latest capabilities and best practices. Alternatively, MSSPs with MDR services typically offer customers a broader array of managed services covering a wide range of multivendor technologies as well as additional specialized services, industry niches and regional language capabilities.

How to choose a MDR Service

Combining requirements from industry analysts with customer expectations, Palo Alto Networks has identified a list of criteria for fully developed MDR. An MDR service provider must be able to:

Correlate alerts and telemetry data across data sources for analytics, threat detection, forensic investigation and response.
Offer services across managed and unmanaged devices, incorporating tools like user and entity behavior analytics (UEBA), network traffic analysis (NTA), endpoint detection and response (EDR), and endpoint protection platforms (EPP).
Pivot instantly from threat hunting to incident response.
Provide 24/7 coverage with MTTD and MTTR service level objectives.

EDR vs XDR vs MDR

EDR refers to endpoint detection and response and solutions that record endpoint level behaviors via installed agents or sensors and use data analytics to detect suspicious or anomalous activity and block it.

XDR is extended detection and response that gathers data from any source (endpoint, cloud, network, identity and others) for comprehensive visibility and to stop known and unknown threats on more than just the endpoint.

MDR is a managed service that is layered on top of an EDR or XDR solution to provide 24/7 monitoring, detection and response, including expertise, threat hunting, remediation and prioritization of alerts.

Unit 42 MDR | Our MDR Service

The Unit 42 MDR service is an MDR service for Cortex XDR, delivered by the Palo Alto Networks Unit 42 team. Palo Alto Networks world-renowned Unit 42 experts work for you to detect and respond to cyberattacks 24/7, allowing your team to scale fast and focus on what matters most. We use Cortex XDR so our analysts have unmatched visibility into all data sources (endpoint, network, cloud, identity, etc.) to quickly identify and stop malicious activity most likely to impact your organization.

Unit42 MDR Services