TMCnet Feature
June 06, 2022

How MDR Integrates with Existing Security Tools: Firewall and IPS/IDS



What Is MDR?

Managed Detection and Response (MDR) refers to an outsourced cybersecurity service designed to protect data and assets even when threats bypass an organization’s standard security controls.



MDR security platforms serve as advanced 24/7 security controls. They typically include various critical security activities, such as cloud-managed security for organizations that cannot maintain an in-house Security Operations Center (SOC). MDR combines multiple security services, such as threat intelligence, advanced analytics, and expert human support, to investigate and respond to incidents at the network and host levels.

What Problems Does MDR Solve?

As businesses expand their IT systems, they have more network endpoints such as laptops, desktops, and mobile devices. Each additional endpoint provides a potential entry point for a hacker.

MDR is a great way for organizations to protect their endpoints by supporting threat hunting and continuous monitoring. The ability to rapidly secure entry points makes MDR such a popular enterprise solution. Endpoint protection is a major concern for large enterprises that frequently add new devices to their networks.

MDR services actively improve a company’s information security strategy. The MDR solution handles threat detection, continuous monitoring, IT asset analysis, and incident response. The MDR platform handles these tasks to mitigate common issues affecting modern IT departments, such as:

  • Alert fatigue—MDR helps businesses manage numerous cybersecurity alerts that require individual review. Large volumes of alerts can overwhelm a small security team and prevent it from addressing other responsibilities.
  • Threat analysis—not all alerts immediately appear as threats, and many require a full analysis to determine their risk status. MDR provides access to advanced analysis tools and security experts to assist with this task, interpret incidents, and recommend improvements.
  • Skill shortage—the security workforce has an estimated gap of millions of unfilled positions. MDR services can alleviate this strain by providing access to a team of experts. This team typically monitors the network and provides 24/7/365 advice.
  • Endpoint Detection and Response (EDR)—many companies lack the funds, time, or skills to train their employees to use EDR tools. An MDR solution comes with EDR tools that organizations can integrate into their discovery, analysis, and response processes, reducing the burden on internal endpoint security mechanisms.

With MDR, businesses give up some control over their security for flexibility and convenience (the same goes for most modern IT outsourcing models). MDR services have several disadvantages over traditional managed security products, depending on the intended use of the client service. However, they make up for this with the major advantage of being tailored to the current and emerging challenges IT companies face today.

MDR and IPS/IDS

An Intrusion Detection System (IDS) is a platform that monitors network traffic and sends alerts when it detects suspicious activity. The key function of IDS is anomaly detection and reporting, but some intrusion detection systems can initiate a response when they detect abnormal traffic or malicious activity. For example, they might block traffic from a suspicious Internet Protocol (IP) address.

IDS differs from the related Intrusion Prevention System (IPS). Like IDS, IPS monitors network packets that indicate suspicious network traffic, but its main objective is to block the detected threats, not just identify and log them.

MDR systems usually include network discovery software that provides network data collection, activity monitoring, and response capabilities. A network-based intrusion detection system (NIDS) helps organizations monitor their networks for suspicious events that may indicate an exposure or an attack in progress in their cloud, on-premises, or hybrid environments. These include policy violations, port scanning, and traffic to and from unknown locations.

NIDS uses a passive approach to security, so it only alerts the organization to suspicious activity and cannot prevent it. For this reason, organizations often deploy NIDS alongside an active security solution like IPS.
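The detect-only versus detect-and-block distinction described above is easy to see in code. The following is an added example, not code from the article or from any MDR or IDS vendor: a toy network sensor that applies two of the rules the text mentions (port scanning and traffic to unknown destinations) over a constructed list of flow records. In "ids" mode it only raises alerts, which is what an MDR team would consume; in "ips" mode the same rules also block the offending source. The flow records, the allow-list of known destinations, and the scan threshold are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not from the article): (ts, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "10.0.0.10", 443),
    (1, "10.0.0.5", "10.0.0.10", 80),
    (2, "10.0.0.9", "10.0.0.10", 22),
    (3, "10.0.0.9", "10.0.0.10", 23),
    (4, "10.0.0.9", "10.0.0.10", 25),
    (5, "10.0.0.9", "10.0.0.10", 80),
    (6, "10.0.0.9", "10.0.0.10", 110),
    (7, "10.0.0.9", "10.0.0.10", 143),
    (8, "10.0.0.7", "203.0.113.50", 8443),   # destination outside the known set
    (9, "10.0.0.9", "10.0.0.10", 3389),
]

KNOWN_DESTINATIONS = {"10.0.0.10", "192.0.2.20"}  # constructed allow-list
SCAN_PORT_THRESHOLD = 5   # distinct ports from one source to one host (constructed value)


class Sensor:
    """Minimal network sensor. mode="ids" alerts only; mode="ips" alerts and blocks."""

    def __init__(self, mode):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.alerts = []                      # what an MDR analyst would receive
        self.blocked_sources = set()          # only populated in IPS mode
        self._ports_seen = defaultdict(set)   # (src, dst) -> distinct destination ports

    def _alert(self, ts, src, reason):
        self.alerts.append({"ts": ts, "src": src, "reason": reason})

    def _enforce(self, src):
        """IPS blocks the source; IDS records the alert and lets the traffic through."""
        if self.mode == "ips":
            self.blocked_sources.add(src)
            return "blocked"
        return "allowed"

    def process(self, flow):
        ts, src, dst, port = flow
        if src in self.blocked_sources:
            return "dropped"          # IPS has already blocked this source
        verdict = "allowed"
        # Rule 1: traffic to a destination outside the known set
        if dst not in KNOWN_DESTINATIONS:
            self._alert(ts, src, "traffic to unknown destination %s:%d" % (dst, port))
            verdict = self._enforce(src)
        # Rule 2: port scan, i.e. many distinct ports from one source to one host
        seen = self._ports_seen[(src, dst)]
        seen.add(port)
        if len(seen) == SCAN_PORT_THRESHOLD:   # fire once, when the threshold is reached
            self._alert(ts, src, "port scan against %s (%d distinct ports)" % (dst, len(seen)))
            verdict = self._enforce(src)
        return verdict


def run(mode, flows=SAMPLE_FLOWS):
    """Feed all flows through a sensor in the given mode; return verdicts, alerts, blocked set."""
    sensor = Sensor(mode)
    verdicts = [sensor.process(f) for f in flows]
    return verdicts, sensor.alerts, sensor.blocked_sources


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        verdicts, alerts, blocked = run(mode)
        print(mode.upper(), "verdicts:", verdicts)
        for a in alerts:
            print("  alert t=%d src=%s: %s" % (a["ts"], a["src"], a["reason"]))
        print("  blocked sources:", sorted(blocked))
```

Running both modes over the same flows shows the point the text makes: the IDS produces the same two alerts as the IPS but every flow is still "allowed", so someone (in practice the MDR analysts) has to act on the alerts, whereas the IPS turns the alerts into "blocked" and "dropped" verdicts on its own.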

MDR and Firewalls

Small and medium-sized businesses often require outside expertise to manage their firewalls. While modern security is not as heavily reliant on the perimeter firewall as traditional network security systems, firewalls remain a major building block of an organization’s security strategy.

Firewall configuration involves complex processes, not just opening and closing ports. A next-generation firewall (NGFW) typically combines several security tools to secure today’s complex networks, edges, and SD-WAN infrastructure.

A managed firewall service can help organizations design and enforce appropriate security policies to protect their networks from the risks posed by incoming and outgoing traffic. This service may be a component in a larger security service offering, such as an MSSP. It allows in-house IT teams to outsource repetitive maintenance processes, including installing the necessary patches and updates.

Managed firewall services are defensive, using a reactive rather than a proactive approach to security. Managed detection and response (MDR) solutions use the opposite approach and implement what the industry often calls an offensive strategy: actively hunting for threats inside the environment rather than waiting for a control to block them.

MDR solutions often address threats from endpoint devices, including laptops, servers, and workstations. However, they also hunt for threats proactively to eliminate them before a security incident occurs and causes damage. MDR is a service typically provided by a highly specialized cybersecurity team, which leverages security monitoring, threat intelligence, and analytics tools to respond to incidents and remediate them quickly.

The MDR team does not send monitoring alerts or reports to track compliance—they only report the actions taken to combat potential threats to the network. Security analysts use various means to communicate directly with in-house teams, including email and telephone (not via a portal).

Conclusion

In this article, I explained the basics of MDR and showed how it interacts with existing security tools deployed in most organizations:

  • MDR can complement IDS/IPS by adding a proactive element to the security strategy. IDS/IPS can detect and block known attacks, while MDR goes into action when an attack has already penetrated the organization’s defenses.
  • Firewalls, similar to IDS/IPS, are mainly a preventive measure. When a threat gets past the firewall, it can be handled by the MDR service. In many cases, the same service provider will provide both MDR and managed firewall services.

I hope this will be useful as you evaluate how to integrate managed security services into your existing security ecosystem.


