Managed Detection and Response (MDR) is a cybersecurity service offered by a Managed Security Services Provider (MSSP) that combines human security expertise with modern security tools to deliver managed threat detection, security monitoring, and incident response capabilities for both SMBs and enterprise clients.
MDR services are especially valuable for organizations that need robust security monitoring and response capabilities, but may not have the resources or expertise to manage an in-house Security Operations Center (SOC).
Organizations depend heavily on MDR service providers to secure their IT infrastructure against external cyber threats, but in a world of fragmented security environments and complex threats, even sophisticated MDR service providers can face significant challenges when it comes to efficiently detecting threats.
In this blog, we’ll highlight six of the biggest challenges faced by MDR service providers when it comes to delivering effective threat detection, and how to overcome them.
MDR service providers play an important role in the cybersecurity ecosystem. By outsourcing critical SecOps functions to an MDR service provider, organizations can get the benefits of enhanced cybersecurity without the added complexity and management overhead of building and managing an internal security team or SOC.
MDRs provide a range of services to help secure their customers’ digital infrastructure against cyber threats. These include:
MDRs provide 24/7 security monitoring to rapidly detect and respond to threats regardless of when they occur. MDR service providers use modern security tools like Endpoint Detection and Response (EDR) platforms, Extended Detection and Response (XDR) platforms or Security Information and Event Management (SIEM) solutions to continuously scan customer networks for anomalous activity and other potential indicators of a cyber attack.
MDRs combine sophisticated security monitoring tools (e.g. SIEM, EDR, XDR, Intrusion Detection Systems (IDS) etc.) with up-to-date threat intelligence and detailed detection rules to automate the process of detecting complex security threats inside customer networks.
MDRs engage in proactive threat hunting to search for advanced, persistent, or long-term security threats that may have evaded detection by automated systems.
MDRs support their customers with incident response capabilities, taking immediate action to contain cyber attacks and mitigate damage to customer operations. Actions taken by MDR service providers to block malicious activities and recover operations after an attack can help their customers minimize unplanned downtime, prevent data loss, and avoid the potential negative consequences of a security breach.
MDR service providers retain teams of qualified security analysts, incident responders, and experts in threat hunting methodology who continuously update their skills and knowledge to stay ahead of cyber attackers. Organizations that outsource their SecOps needs to an MDR benefit greatly from this expertise while avoiding the high costs and management overhead of recruiting those experts in-house.
Organizations trust their MDR service providers to efficiently detect and respond to threats against their IT infrastructure and digital assets.
However, MDRs are increasingly facing challenges with threat detection due to the growing sophistication of cyber threats, complexity and fragmentation of modern IT environments, shortcomings of common tools in the MDR security stack, and the massive volume of data that must be analyzed.
Below, we highlight six of the most common threat detection challenges for modern MDRs and how to solve them.
Cyber attacks against enterprises and SMBs are at an all-time high, and cyber attackers have developed sophisticated new ways to penetrate secure networks and systems while avoiding detection. Innovative attack patterns like fileless malware, polymorphic threats, and multi-stage attacks that use lateral movement can be difficult to detect, even with modern security monitoring solutions like SIEM and XDR.
Cyber attacks are at an all-time high in both frequency and complexity, creating threat detection challenges for MDRs.
To detect complex cyber threats, MDRs need a centralized repository of security data where they can compare and correlate security logs to detect threat indicators from throughout the customer’s IT infrastructure. To support proactive threat hunting for advanced persistent threats, MDRs need a more cost-effective way to store and retain security data at scale.
MDR service providers deploy multiple cyber security tools (SIEM, security log analytics, XDR, SOAR, IDS/IPS, etc.) to cover their security needs across monitoring, detection, and incident response. These often include a mix of in-house developed security tools, open-source tools (e.g. ELK Stack for log analytics) and SaaS products from external vendors (e.g. Splunk SIEM).
For MDRs, fragmentation of security tooling means spending more time on tool management/performance tuning and less time on more valuable activities like proactive threat hunting.
MDRs facing challenges around tool fragmentation should try to consolidate their security stack and replace solutions like ELK stack that experience performance degradation and exponential cost increases at scale.
In the past, organizational IT infrastructure lived in on-prem data centers and could be secured by a firewall that blocked traffic from outside the network perimeter.
But with the rise of cloud computing and remote work, the typical organization’s IT infrastructure is now highly fragmented, more complex, and correspondingly more challenging to secure. Large and fragmented IT infrastructures present a larger attack surface for cyber attacks with many potential entry points outside the network perimeter.
MDRs struggling to secure complex and fragmented IT infrastructures can deploy IT asset discovery software to help identify and catalog the customer’s hardware, applications, and cloud services.
Due to fragmentation of both the customer’s IT infrastructure and MDR security tools, data fragmentation frequently occurs inside the MDR’s security monitoring infrastructure.
MDRs capture security data from many different sources using a variety of different security tools. This can often lead to the creation of data silos that make it difficult or impossible for MDRs to analyze their data in certain ways or efficiently correlate data and events from disparate sources.
MDRs struggling with siloed or fragmented data should try implementing a security data lake to centralize their data and make it easier to monitor and correlate security data from disparate sources.
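As an added illustration of the cross-source correlation that the centralized-data recommendations above (and the earlier point about comparing logs from across the customer’s infrastructure) depend on, here is example code written for this post, not ChaosSearch’s product or any MDR’s pipeline. It normalizes constructed EDR JSON and VPN syslog samples into one schema and correlates them per host, surfacing a login-then-alert sequence that neither source shows on its own; the hostnames, log formats and the 15-minute window are assumptions.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample data (not real logs): two silos ingested by different tools.
EDR_JSONL = """\
{"time":"2024-03-01T10:02:10Z","hostname":"WS-042","user":"jdoe","alert":"suspicious_powershell"}
{"time":"2024-03-01T11:40:00Z","hostname":"WS-077","user":"asmith","alert":"macro_execution"}
"""
VPN_SYSLOG = """\
Mar  1 10:00:31 vpn01 sshd[2211]: Accepted password for jdoe from 203.0.113.5 host=WS-042
Mar  1 11:20:02 vpn01 sshd[2290]: Accepted password for asmith from 198.51.100.9 host=WS-077
"""
SYSLOG_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\S+) \S+ .*?"
                       r"for (?P<user>\w+) .*?host=(?P<host>[\w-]+)")

def normalize_edr(text):
    """Map EDR JSON lines onto the shared schema: ts, host, user, source, event."""
    out = []
    for rec in (json.loads(ln) for ln in text.splitlines()):
        out.append({"ts": datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ"),
                    "host": rec["hostname"], "user": rec["user"],
                    "source": "edr", "event": rec["alert"]})
    return out

def normalize_vpn(text, year=2024):
    """Map syslog lines onto the same schema; syslog has no year, so one is assumed."""
    out = []
    for m in filter(None, map(SYSLOG_RE.match, text.splitlines())):  # drops unparseable lines
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        out.append({"ts": ts, "host": m["host"], "user": m["user"],
                    "source": "vpn", "event": "vpn_login"})
    return out

def correlate(events, window=timedelta(minutes=15)):
    """Per host, a VPN login followed by an EDR alert inside `window` is one finding."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    findings = []
    for host, evs in by_host.items():
        for i, login in enumerate(evs):
            if login["event"] != "vpn_login":
                continue
            # first EDR alert on this host within the window after the login, if any
            hit = next((e for e in evs[i + 1:]
                        if e["source"] == "edr" and e["ts"] - login["ts"] <= window), None)
            if hit:
                findings.append({"host": host, "user": login["user"],
                                 "chain": [login["event"], hit["event"]]})
    return findings
```

Running `correlate(normalize_edr(EDR_JSONL) + normalize_vpn(VPN_SYSLOG))` flags only WS-042, where the alert lands two minutes after the login; WS-077’s alert falls outside the window.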
The complexity and fragmentation of MDR tooling makes it difficult for MDRs to scale security operations efficiently with business growth.
Many MDRs use security tools like ELK Stack or Splunk that run into major challenges (e.g. performance bottlenecks, high management overhead, high costs) when handling security data at scale. These challenges can lead MDRs to data retention trade-offs that limit threat detection capabilities and degrade the MDR’s security posture.
To build a future-proof security stack that can sustain business growth, MDRs need to move away from security monitoring tools that run into cost and performance issues at scale. Establishing a security data lake on top of public cloud storage can help MDRs reduce Splunk security costs and get the cost-effective data storage they need to overcome scalability challenges.
Some MDRs may struggle to operate in compliance with data privacy and security regulations that apply to their customers.
Keeping control of sensitive customer data, moving or storing data in accordance with regulatory frameworks, and ensuring auditability all add cost and complexity to MDR operations. Ultimately, regulatory compliance creates additional operational requirements that drain MDR profits and divert resources away from proactive threat hunting activities.
Storing all security data in a centralized location can make it easier for MDRs to implement the security controls needed (e.g. encryption, access management, auditability, retention, etc.) to comply with HIPAA, EU GDPR, and other data privacy/security regulations.
When it comes to optimizing threat detection capabilities, MDRs face critical challenges around the fragmentation of tools, data, and infrastructure, the complexity of cyber threats, and scaling their existing security stack.
To deliver more effective threat detection, MDRs need to adopt a centralized data-first approach where security data from throughout the customer’s IT infrastructure is aggregated in a single location with cost-effective long-term storage and analytics capabilities.
ChaosSearch transforms Amazon S3 cloud object storage into a security data lake with unlimited data retention, allowing MDRs to cost-effectively centralize security data from an increasingly fragmented ecosystem of security tools and data sources.
By centralizing security data in cloud object storage, MDRs can start to eliminate data silos and overcome threat detection challenges rooted in IT infrastructure, data and tool fragmentation. They can also reduce data storage costs while enabling long-term data retention that supports regulatory compliance and long-term threat detection use cases.
Read our Blackpoint Cyber Customer Success Story to discover how Blackpoint, a leader in the MDR space, enhanced its threat detection capabilities and achieved 80% cost savings by replacing a hosted Elasticsearch deployment with ChaosSearch for security analytics.