What Is Managed Detection and Response (MDR)?
Managed detection and response (MDR) services offer dedicated personnel and technology to improve the effectiveness of security operations in threat identification, investigations and response. These services complement traditional managed security services that focus on broad security alert management and triage. While various definitions exist, MDR services universally provide the following value:
- Resource augmentation aids security teams in operations that require specialist skill sets, such as threat hunting, forensic investigations and incident response.
- Increased security maturity provides a mature approach to threat management that is proactive and available 24/7, year-round, paving the way for transformation across other aspects of security operations.
- Faster time to value delivers a curated technology stack, security experts and operational best practices, bringing detection and response capability to maturity in days, not years.
- Reduced mean time to detect (MTTD) and mean time to respond (MTTR) commit the provider to faster detection of and response to advanced threats within a fixed, time-based service level agreement (SLA).
The term “MDR” has been diluted by many endpoint protection platform (EPP) vendors offering loosely defined managed services in an effort to decrease the investment needed to operationalize their products. This shifts the focus away from security value.
Forrester has described MDR as requiring “advanced analytical techniques” from tools like “endpoint detection and response software [and] network analysis and visibility” to perform “proactive threat hunting and automated response.” Gartner adds “24/7 continuous-monitoring coverage” as a requirement of MDR services.
Palo Alto Networks defines MDR as a 24/7 managed security service that detects, investigates and responds to cyberthreats across network, endpoint and cloud assets with predefined, quantifiable SLAs.
Combining requirements from industry analysts with customer expectations, Palo Alto Networks has identified a list of criteria for fully developed MDR. A provider of MDR services must be able to:
- Perform services across networks and endpoints, not from one siloed data source.
- Correlate alerts and telemetry data across data sources for analytics, threat detection, forensic investigation and response.
- Offer services across managed and unmanaged devices, incorporating tools like user and entity behavior analytics (UEBA), network traffic analysis (NTA), endpoint detection and response (EDR) and EPP.
- Pivot instantly from threat hunting to incident response, providing both remote and in-person options.
- Provide 24/7 coverage with concrete, time-based MTTD and MTTR SLAs of less than 60 minutes that include an agreed-upon set of workflows for action.
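The sub-60-minute MTTD/MTTR SLA above is only meaningful if it is measured the same way on both sides of the contract. The following added example (not Palo Alto Networks code) shows one way a customer can compute MTTD and MTTR from its own incident records and flag per-incident SLA breaches; it assumes each incident carries three timestamps (first observed activity, detection, start of response) and uses constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

SLA_MINUTES = 60  # per-incident target from the page: MTTD and MTTR under 60 minutes

@dataclass
class Incident:
    incident_id: str
    first_observed: datetime  # earliest attacker activity visible in telemetry
    detected: datetime        # time the SOC raised/confirmed the alert
    responded: datetime       # time the agreed response workflow started

    def time_to_detect(self) -> timedelta:
        return self.detected - self.first_observed

    def time_to_respond(self) -> timedelta:
        return self.responded - self.detected

def timeline_is_ordered(inc: Incident) -> bool:
    # Reject records whose timestamps run backwards (a common data-quality bug).
    return inc.first_observed <= inc.detected <= inc.responded

def sla_report(incidents, sla_minutes=SLA_MINUTES):
    """Compute MTTD/MTTR in minutes and list incidents that missed the SLA."""
    bad = [i.incident_id for i in incidents if not timeline_is_ordered(i)]
    if bad:
        raise ValueError(f"timestamps out of order: {bad}")
    sla = timedelta(minutes=sla_minutes)
    mttd = mean(i.time_to_detect().total_seconds() for i in incidents) / 60
    mttr = mean(i.time_to_respond().total_seconds() for i in incidents) / 60
    breaches = [i.incident_id for i in incidents
                if i.time_to_detect() > sla or i.time_to_respond() > sla]
    return {
        "mttd_minutes": mttd,
        "mttr_minutes": mttr,
        "sla_breaches": breaches,
        # Averages can hide outliers, so the SLA is also judged per incident.
        "meets_sla": mttd < sla_minutes and mttr < sla_minutes and not breaches,
    }

def _t(hh, mm):  # constructed sample timestamps, all on the same day
    return datetime(2024, 1, 15, hh, mm)

# Constructed sample incidents (not real data): observed, detected, responded.
SAMPLE_INCIDENTS = [
    Incident("INC-001", _t(9, 0), _t(9, 20), _t(9, 45)),    # 20 min / 25 min
    Incident("INC-002", _t(10, 0), _t(10, 30), _t(11, 45)),  # 30 min / 75 min: breach
    Incident("INC-003", _t(12, 0), _t(12, 10), _t(12, 30)),  # 10 min / 20 min
]
```

Note that the averages alone (20 and 40 minutes) look compliant while INC-002 individually misses the response target, which is why the report checks each incident against the SLA as well.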