Navigating the Evolving Landscape of Managed Security: Dispelling Myths Surrounding MDR and MSSP

The managed security services market is poised to reach $46.4 billion by 2025, fueled by factors such as compliance regulations, the surge in sophisticated cybersecurity breaches, and the challenges posed by limited in-house expertise or budget constraints for hiring.

This surge in demand has given rise to both Managed Security Service Providers (MSSPs) and Managed Detection and Response (MDR) services, but a growing overlap between the two has led to confusion among consumers.

The 2023 Gartner MDR report highlights the prevalence of misnamed technology-centric solutions and Vendor-Delivered Service Wrappers (VDSW), which often fall short of delivering truly human-driven MDR services. Distinguishing between these services has become complex for buyers, as the terminology has become entangled over the years. This confusion leaves customers uncertain about what is truly “managed” and whether the management involves human intervention.

In this article, I will explore prevalent misconceptions and address the challenges that customers face when choosing between MDRs and MSSPs. I will also emphasize the significance of a rigorous qualification process, recognizing that each organization has unique requirements.


The distinctions between MDR and MSSP have become somewhat muddled for various reasons. Generally, both terms involve a managed product experience, where vendors bring their products to market and offer them as managed services to customers. MDR providers may extend this by including additional services, like threat hunting around the managed product, creating a more focused experience for customers.

Conversely, MSSPs operate as comprehensive information security service providers, delivering a spectrum of cybersecurity solutions and services. While an MSSP may include MDR as part of its offerings, it typically goes beyond, encompassing a broad array of services such as Security Information and Event Management (SIEM), anti-spam, vulnerability scanning, patch management, and more. This broader scope allows MSSPs to provide a more comprehensive enterprise service offering, catering to diverse needs, from penetration testing to compliance requirements.

The key distinction lies in the thematic focus of each. MDR providers typically offer a highly product-focused service, providing 24/7 management and monitoring of a specific security solution and augmenting that product with service features like threat hunting and alert prioritization based on severity. MSSPs, on the other hand, not only manage and monitor this and other security products but may also directly support a customer’s specific response requirements, and may include additional compliance reporting and more enhanced incident reporting beyond the typical SIEM or Endpoint Detection and Response (EDR) MDR provider experience.

For instance, in highly regulated industries like finance, where tracking and alerting on the creation of a new domain admin account is crucial, MDR services may fall short in reporting this new account if their service is based largely on reporting only security events that originate from threat hunting services. This limitation is evident when the creation of the new domain admin is part of a normal process and not associated with a compromise. It becomes apparent in routine programmatic changes, such as creating a new account through a proper change management process, where MDR providers might not include it in their standard reporting service.

Additionally, this difference extends to the mindset of MSSPs and MDR service providers. MSSPs tend to think more broadly, offering a comprehensive approach, while MDR providers can be hyper-focused on the MDR process according to one product. MDR providers excel in response capabilities but are often restricted to supporting only a limited number of responses or technologies that must be obtained through them. For instance, implementing network isolation for an infected endpoint might be contingent on having a predefined enterprise service and implementation plan of a key technology or subscription level in the product being managed by the MDR provider. In contrast, MSSPs are typically more proactive in finding collaborative solutions, even if a client lacks specific investments in key technologies, ensuring a more holistic and adaptive response to security challenges.

Qualifying Questions

Before engaging in discussions with MDR or MSSP providers, realistically assess your unique needs and future objectives. This evaluation should occur well in advance, preceding vendor interactions and even the creation of a Request for Proposal if that aligns with your company’s standard operating procedure.

Three key questions that every enterprise should pose to their potential service provider revolve around supporting your custom needs. Simply ask:

  1. “Does your service support custom alerts?”
  2. “Does your service support custom playbooks to triage the custom alerts?”
  3. “Would you work with us to establish custom responses based on those custom alerts?”

Imagine having ten vendors in a room and presenting these questions. Based on the current go-to-market strategy of many MDR providers, at the end of this round of questions you’ll likely be left with 10-20% that actually offer this. It has been our experience that every organization is unique and requires tailored responses to alerts, making a ‘white glove’ approach a significant differentiator that highlights the importance of personalized alert handling and responses.

When evaluating a managed service offering, consider the duration for which you need to store data. When you first start looking at pricing, many offerings look the same or close in price. However, solutions like Microsoft Sentinel, Splunk, or other cloud-based logging solutions often base their starting price packages on an assumed minimal storage period, typically ranging from 15 to 90 days. If your organization’s compliance requirements dictate a longer data storage term, be prepared for additional costs, potentially four to five times higher than solutions offering 13 months of data storage as their base service offering.

If you’re contemplating a switch in your MSSP vendor, understanding the spectrum of services you require is essential. For instance, consider whether you need vulnerability scanning, managed SIEM, Managed EDR, or other security services like penetration testing or compliance services.

For customers considering vendor-managed service offerings with insurance riders, be aware that these riders often require your environment to comply with specific minimal standards. These standards might include the mandate that the managed technology be installed on 80% or more of the monitored environment. Modern EDR solutions, however, may not support legacy systems like Windows 2012, Windows 2008, Windows 7, or RedHat 5. If your organization heavily relies on such legacy operating systems, meeting the minimal installation standard could be challenging.

Another significant challenge with insured services is that the protection policy they enforce is often standardized with the insurer, allowing few, if any, exceptions. If your environment runs legacy applications requiring exemptions to traditional anti-virus enforcement policies, adhering to the standard policy may conflict with your production environment. In such cases, you may need to choose between maintaining protection or seeking an insurance waiver due to the continued use of these legacy solutions.

How Compliance Fits In

Breaking down every compliance standard reveals nuanced variations, yet there are four mandatory technologies integral to meeting nearly every compliance standard. First and foremost is a firewall, followed by endpoint security, which includes antivirus or endpoint detection and response technologies. The third is log management, from which SIEM systems originate. The fourth is patch management, which ties back to your vulnerability management program. These foundational technologies go beyond mere checkboxes; they represent critical investments in enhancing your overall security visibility and security strategies.

Beyond these foundational technologies, organizations also seek additional tools to address specific needs or fill the gaps in their security posture. These may include anti-spam solutions, identity access management platforms, web application firewalls, data leak protection, and more.

While having a team capable of executing tasks is valuable, the true differentiator is vendors willing to engage in meaningful discussions about how they can actively contribute to shaping your security strategy. Identifying vendors that align with your organization’s needs to drive your security strategy forward is where you’ll uncover the best fit for your organization.

What Sets DirectDefense’s Managed Security Services Apart?

While other industry offerings typically approach security from the product side, we approach it from a comprehensive enterprise perspective. We cater directly to your specific response requirements and compliance reporting needs, offering enhanced incident reporting capabilities that go beyond the standard offerings of traditional SIEM or EDR MDR providers.

With both of our programs, you’ll get:

Custom Alerts, Playbooks, and Responses: We understand that each of our clients has unique needs, and we provide a white glove service by supporting custom alerts, playbooks, and responses while most of our competitors don’t.

24/7 Remote Monitoring and Management: We provide remote monitoring and management of your security services, and we’re always ready to act. 

A Tactical Approach to Compliance: We report not only events with indications of compromise, but also events that are necessary for the day-to-day reporting requirements of regulated customers.

A Forensic Capability on Standby: An incident response retainer is included in both of our programs. We’ll support you from detection through future prevention with expert incident response services, ensuring you can quickly return to business as usual.

ThreatAdvisor, Our Proprietary SOAR Platform: Designed to improve the speed, efficiency, and accuracy of our SOC, ThreatAdvisor offers continuous security monitoring and management, automates manual processes, and includes an extensive knowledge base for compliance, security events and mitigation techniques.

For more information about our Managed Security Services programs, contact us today.