There Is a Difference
With the alphabet soup that is cybersecurity, it’s important to understand the differences between your service provider options. This is not always a “better vs. worse” conversation, but we believe the focused approach of Managed Detection and Response is the right solution for most organizations.
In the Beginning…
Managed Security Service Providers (MSSPs) emerged to address the multitude of products found in today’s security environments. As technologies are added, security organizations realize they don’t have the resources to manage everything. Enter MSSPs. From basic firewall management all the way through complex SIEM configuration and alert triage, MSSPs have expanded their service offerings as customer requests have grown. However, they’ve become constrained by the same challenge that internal security teams face – a lack of resources.
As new services are added, MSSPs must find the staff to manage these new technologies, and manage them better than their customers could themselves. One minute an MSSP is taking a request to make a firewall change; the next it is responding to a round of SIEM alerts. Customers expect all of this to happen seamlessly and quickly, which, unfortunately, is not always the case. As workloads increase, it is not uncommon for thinly spread MSSP teams to respond far too slowly. Even routine firewall rule changes can take more than 24 hours to complete, let alone a response to an active attack.
The problem is one of focus. MSSPs have evolved as the market and their customers have demanded, but this evolution has not been easy. While the most pressing challenge for organizations is now detecting and responding to threats quickly, MSSPs have been slow to address it because they still have to support the legacy management activities they were built around.
Detection and response is vital. Read almost any security report and you’ll hear about dwell time – the time between an attacker’s initial compromise of your network and your detection of it. By most accounts, the average is still measured in months, and some of those reports come from MSSPs describing their own customers. The truth is that most MSSPs are good at managing the foundational security elements; their attempts to deliver high-quality detection and response services fall short.
Enter Managed Detection and Response
Since the issue is focus, why not build a service that concentrates on the key attack vectors and is dedicated to the fastest possible detection and response? Endpoint Detection and Response (EDR) was the initial foray in this area, as vendors, customers and cybercriminals alike realized that traditional antivirus was no longer sufficient on its own, yet the endpoint was still under attack. While EDR has proved extremely effective, it too fell victim to alert fatigue. Increased endpoint visibility was very powerful, and automatically responding to certain actions proved effective, but there was still a lack of coordination between alerts coming from different vectors, so related endpoint and network events were triaged in isolation.
Enter Managed Detection and Response (MDR). Building on the promise of EDR, MDR went a step further by looking beyond the endpoint and correlating events from other common attack vectors. From the outset, MDR was designed for fast detection and response; people, processes and technology were developed with this single goal in mind. By starting with detection and response, MDR providers were better able to absorb other areas as they were added to the MDR sphere of influence. Rather than starting with firewall management and trying to work out how to deliver timely detection and response, MDR providers asked how firewall events could be incorporated into MDR while maintaining the same speed of response. This is the intrinsic difference between an MSSP and MDR: detection and response is the only goal.
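To make the correlation point concrete, here is an added example of the kind of cross-source join the paragraphs above describe: an endpoint alert and the firewall egress from the same host inside a short time window are treated as one incident instead of two unrelated alerts, while firewall events with no endpoint context are kept but not escalated. This is illustrative code written for this page, not GoSecure’s engine or any vendor’s product; the hostnames, IP-to-host inventory, log formats and field names are constructed, and the destination addresses are from the reserved documentation ranges.

```python
"""Toy cross-source correlator: EDR alerts joined with firewall egress events
for the same host inside a time window.  Constructed example for this page,
not vendor code; log formats, field names and hosts are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed asset inventory mapping source IPs to hostnames (constructed).
HOST_BY_IP = {"10.20.0.17": "ws-017", "10.20.0.42": "ws-042", "10.20.1.5": "srv-db01"}

# Constructed sample EDR log: ts|host|process|parent|verdict
EDR_LOG = """\
2024-03-04T09:12:05|ws-017|powershell.exe|winword.exe|suspicious
2024-03-04T09:40:00|ws-042|svchost.exe|services.exe|benign
"""
# Constructed sample firewall log: ts|src_ip|dst_ip|dst_port|action
FW_LOG = """\
2024-03-04T09:12:41|10.20.0.17|203.0.113.8|443|allow
2024-03-04T09:13:10|10.20.0.17|203.0.113.8|443|allow
2024-03-04T09:50:00|10.20.0.42|192.0.2.9|443|allow
2024-03-04T11:00:00|10.20.1.5|198.51.100.20|443|allow
"""


@dataclass
class Event:
    source: str      # "edr" or "firewall"
    host: str        # hostname both feeds are normalised to
    ts: datetime
    detail: dict


@dataclass
class Incident:
    host: str
    trigger: Event                                # the EDR alert that opened it
    related: list = field(default_factory=list)   # firewall events in the window


def parse_edr(text):
    events = []
    for line in text.splitlines():
        ts, host, proc, parent, verdict = line.split("|")
        events.append(Event("edr", host, datetime.fromisoformat(ts),
                            {"process": proc, "parent": parent, "verdict": verdict}))
    return events


def parse_firewall(text):
    events = []
    for line in text.splitlines():
        ts, src, dst, port, action = line.split("|")
        # Normalise the source IP to a hostname so both feeds key on the same field.
        host = HOST_BY_IP.get(src, src)
        events.append(Event("firewall", host, datetime.fromisoformat(ts),
                            {"dst": dst, "port": int(port), "action": action}))
    return events


def correlate(edr_events, fw_events, window=timedelta(minutes=10)):
    """Open one incident per suspicious EDR alert and attach firewall egress
    from the same host within `window` after the alert.  Firewall events that
    match no alert are returned separately so they are not silently dropped."""
    incidents, used = [], set()
    for alert in sorted(edr_events, key=lambda e: e.ts):
        if alert.detail["verdict"] != "suspicious":
            continue                      # benign endpoint activity opens nothing
        inc = Incident(alert.host, alert)
        for i, fw in enumerate(fw_events):
            if fw.host == alert.host and alert.ts <= fw.ts <= alert.ts + window:
                inc.related.append(fw)
                used.add(i)
        incidents.append(inc)
    uncorrelated = [fw for i, fw in enumerate(fw_events) if i not in used]
    return incidents, uncorrelated


def run():
    """Correlate the constructed sample logs; returns (incidents, leftovers)."""
    return correlate(parse_edr(EDR_LOG), parse_firewall(FW_LOG))


if __name__ == "__main__":
    incidents, leftovers = run()
    for inc in incidents:
        d = inc.trigger.detail
        dsts = sorted({fw.detail["dst"] for fw in inc.related})
        print(f"[INCIDENT] {inc.host}: {d['parent']} -> {d['process']} at "
              f"{inc.trigger.ts:%H:%M:%S}, {len(inc.related)} egress event(s) to {dsts}")
    print(f"{len(leftovers)} firewall event(s) with no endpoint context")
```

With the sample data, the Office-spawned PowerShell on ws-017 and its two connections to 203.0.113.8 become a single incident with both pieces of evidence attached, whereas the benign svchost.exe event and the two unrelated allow records never reach an analyst as alerts. A production correlator would key on more than hostname and time (user, process network handles, destination reputation), but the structural point is the same: the network feed is pulled into the detection pipeline rather than managed beside it.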
But aren’t MSSPs offering MDR services? Indeed they are, but those offerings remain limited by the original MSSP charter of management rather than detection and response. Remember, this is not necessarily a “better vs. worse” conversation, simply a difference in goal. GoSecure Managed Detection and Response was built with this one goal – detecting and responding as quickly as possible. Everything else we do is complementary to this goal and does not distract us from achieving it.