Forbes: Why Cybersecurity Buyers Aren’t Getting What They Want From MDR
December 17, 2018
Contributed by Ira Goldstein, SVP of Corporate Development at Herjavec Group
The endpoint is hot again. Cybersecurity software meant to protect the workstations, servers, and other connected devices of the world has proliferated in multiple shapes and forms. This is not news to anyone who has attended a major cybersecurity conference like RSA or BlackHat over the past few years. Nor is it a surprise to the financiers of this frothy industry -- the venture capital and private equity firms that have poured funding into technology tools protecting the endpoint.
Despite the swath of tools and services available, I've seen firsthand how companies that want an end-to-end managed detection and response (MDR) service are not getting the coordinated security result and business value they want from a combined security monitoring and advanced endpoint service.
Scarce Real Estate On The Endpoint
Each endpoint tool is competing for precious compute real estate on the workstations and servers of the world. Some claim to be cloud-native tools built for a new era of off-premise computing, while others tout next-generation features that allow for additional management control over a user’s machine.
Generally, the next-gen tools fall into the category of endpoint detection and response (EDR). Ultimately, the goal of these tools is to approach security differently from traditional anti-virus, by moving from signature-based to behavioral detection and by allowing for the automated containment of threats in milliseconds or seconds, as opposed to the minutes and hours required by human intervention. Evidence of the need for such an expedited response could be seen in the crippling NotPetya ransomware attack that spread across Ukrainian infrastructure in seconds and took down a global shipping provider as collateral damage.
Looking Beyond The Tool Set
When a technology fad takes hold in the enterprise or commercial space, service providers are not far behind. This is where MDR plays a role. Customers are asking for it. Gartner has a research category devoted to it. Firms are springing up monthly that claim to deliver a better, more automated MDR service, ostensibly powered by artificial intelligence or one of the prevailing tribes of machine learning. Unfortunately for technology and service buyers at major corporations, MDR is, in most cases, a marketing exercise that packages existing tools and services, attempting to meet a perceived demand.
Why Does MDR Even Exist?
The rise of MDR as a category of cybersecurity services can be traced back to a gap in the delivery of traditional managed security services. Over the past five years, many of the formerly leading managed security service providers were unable to construct an effective business model (read: achieve profitability) while providing both threat detection and security technology management. Large-scale providers publicly divested their business units that managed firewalls or other perimeter security devices. The rise of the black-box managed security service began and landed in the public markets. As a result, customers who required an end-to-end security operations solution had to engage multiple providers, leading to higher expenses and headaches. Market confusion ensued.
Those customers looking for an outsourced security operations center (SOC) primarily found services that would deliver event monitoring using a SIEM tool. Add-ons such as technology management of the endpoint or perimeter may or may not have been an available service from the provider. So buyers searched elsewhere and found vendors competing for wallet-share with SOC services by offering solutions that included tools bundled with the service (usually an endpoint security tool). The benefit of this approach was that these solutions were able to remediate threats instead of just detecting them. And, in some cases, they were able to divert precious log volume away from the SIEM license for those customers bold enough to retain two systems of truth.
What Do MDR Buyers Actually Need?
Companies engage a third-party SOC provider for a variety of reasons, but it’s clear that if both threat detection and security technology management are in scope, there is a reasonable expectation that those tools and services will be orchestrated together to provide a coordinated result when a threat is detected. Once action types are preapproved by the customer and a threat is detected by the provider, remediation action is taken. Whether manual or automated, the threat is ideally contained or eradicated by the provider, and the customer is notified of the result. A lack of basic process orchestration when managing multiple tool sets is the operational gap that ultimately led to the rise of MDR.
Next-generation tools can perform these detection and response functions in an automated fashion, which is the holy grail of security operations. But the market appetite for automated response is remarkably low. Security teams are still afraid to interrupt the business of a senior executive or sales function in the name of security on the off chance they are wrong. But the tide is starting to turn. The high-profile ransomware events of 2018 proved that manual process orchestration is not enough to stop rapidly spreading malware.
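The orchestration described above (customer preapproves action types, provider detects, response is automated or routed to a human, customer is notified) can be expressed as a small decision policy. This is an added illustration, not code from the article or from Herjavec Group; the action names, asset tiers and confidence threshold are assumed for the example.

```python
from dataclasses import dataclass, field

# Assumed policy (not from the article): the customer preapproves which
# response actions the provider may run automatically, per asset tier.
# An empty set means the action always requires a human decision.
PREAPPROVED = {
    "isolate_host": {"workstation"},            # auto-contain workstations only
    "kill_process": {"workstation", "server"},
    "disable_account": set(),                   # never automated
}

@dataclass
class Detection:
    host: str
    asset_tier: str          # "workstation", "server", "executive" (assumed tiers)
    confidence: float        # 0.0 .. 1.0, as reported by the EDR tool
    proposed_action: str

@dataclass
class Decision:
    action: str
    mode: str                # "automated" | "manual" | "none"
    reason: str
    notify: list = field(default_factory=list)   # who is told of the result

def decide(d: Detection, min_confidence: float = 0.8) -> Decision:
    """Map one detection onto the customer's preapproved action policy."""
    if d.proposed_action not in PREAPPROVED:
        # Unknown action type: nothing runs, an analyst looks at it.
        return Decision("none", "none", "unknown action type", ["soc-analyst"])
    if d.confidence < min_confidence:
        # Below the agreed confidence bar, contain only after analyst review.
        return Decision(d.proposed_action, "manual",
                        "low confidence, analyst review", ["soc-analyst"])
    if d.asset_tier in PREAPPROVED[d.proposed_action]:
        # Preapproved for this tier: contain now, tell the customer afterwards.
        return Decision(d.proposed_action, "automated",
                        "preapproved for asset tier", ["customer"])
    # High confidence but outside the preapproved scope (e.g. an executive's
    # machine): escalate to both the analyst and the customer before acting.
    return Decision(d.proposed_action, "manual",
                    "not preapproved for asset tier", ["soc-analyst", "customer"])

if __name__ == "__main__":
    # Constructed sample detections.
    for det in [Detection("ws-01", "workstation", 0.95, "isolate_host"),
                Detection("exec-01", "executive", 0.95, "isolate_host"),
                Detection("srv-01", "server", 0.99, "disable_account")]:
        print(det.host, decide(det))
```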
So What Is A Corporate Cybersecurity Buyer To Do?
The principles of effective security operations have not changed in many years despite new categories, tools, investors and entrants into the market. Whether it’s called MDR, managed EDR, managed endpoint or otherwise, a solution that delivers an orchestrated response to threats, on a journey to ultimately deliver an automated response, is what matters.
So, when selecting your next tool, service or partner, be sure to cut through the marketing hype and focus on the ultimate deliverable required by mature security operations -- a reliable framework for decision making, whether manual or automated, that leads to an effective response when a threat is detected.
Originally posted on forbes.com