ChaosSearch Blog - Tips for Wrestling Your Data Chaos

Understanding Managed Detection & Response (MDR) and How to Innovate Cybersecurity with ChaosSearch

Written by David Bunting | Jun 20, 2024

Managed Detection and Response (MDR) services occupy an important niche in the cybersecurity industry, supporting SMBs and enterprise organizations with managed security monitoring and threat detection, proactive threat hunting, and incident response capabilities.

In this week’s blog, we’re taking a closer look at the role of MDRs in cybersecurity, the biggest challenges they face, and how integrating ChaosSearch is helping MDRs manage complexity, reduce data retention costs, and enable long-term security analytics use cases that are critical for customer success.

What is Managed Detection and Response (MDR)?

An MDR is a managed cybersecurity service that provides organizations with:

  1. 24/7 Security Monitoring and Threat Detection - MDR service providers aggregate security logs and other data from throughout the customer’s IT infrastructure, then analyze the data with security log analytics software or a SIEM tool to identify anomalies or suspicious activity that could indicate a security threat.
  2. Proactive Threat Hunting - MDR services include proactive threat hunting, where security analysts manually search through historical security logs and other data to identify Indicators of Compromise (IoCs) and track down cyber threats that may have evaded security monitoring and threat detection systems.
  3. Incident Response - MDR services support their customers with incident response capabilities, taking immediate action to investigate, contain, and remediate threats before they cause damage and conducting post-incident analysis to determine the root cause and prevent future incidents.

MDR services are delivered by Managed Security Service Providers (MSSPs) that deploy a combination of security experts and modern security technologies.

Some MDR solutions are built around Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) software tools. Software vendors who build EDR/XDR products sometimes provide MDR services using their own technology, or an MSSP might develop an MDR offering that consists of an existing EDR/XDR product managed on the customer’s behalf by an in-house team of security experts.

Other MDR solutions are based on proprietary technologies developed by MSSPs but not available to the public, or cybersecurity analytics tools (e.g. Elasticsearch, SIEM tools like Splunk, etc.) from multiple software vendors managed by a single team.

Why Do Organizations Choose MDR Solutions?

MDRs are a relatively new category of security service (Gartner published its first Market Guide to Managed Detection and Response in 2016) that solves important problems for customers.

Before MDRs, organizations that needed threat detection, security monitoring, and incident response capabilities had no choice but to set up a Security Operations Center (SOC), purchase and deploy the software technology themselves, and hire a team of security experts to manage and operate it.

As the threat landscape diversified and IT environments became more complex, security teams needed an increasing number of tools (e.g. Firewalls, IDS/IDP, EDR, SIEM, vulnerability management, etc.) to protect their assets. This created ballooning costs and manageability challenges while leaving gaps in security coverage that could be exploited by cyber attackers.

MDRs allow organizations to off-load the time, cost, and complexity of cybersecurity monitoring and threat detection to a service provider with the expertise and tooling to safeguard the organization’s IT infrastructure against security threats.

Data Fragmentation Drives Complexity Challenges for MDR Vendors

Security monitoring and threat detection are at the core of every MDR service. To deliver these capabilities effectively, MDRs must:

  1. Collect security data (e.g. application and event logs, security logs, user behavior data, etc.) from the customer’s IT infrastructure
  2. Aggregate the data in a centralized location
  3. Continuously monitor, correlate, and analyze the data to detect IoCs that could indicate a threat

When it comes to delivering effective security monitoring and threat detection, the big challenge for MDRs is data fragmentation.

Modern organizations operate extremely complex and fragmented IT environments that can include on-prem data centers, resources across multiple public clouds, web-based applications, and hundreds of endpoint devices.

MDRs need security data from all these components to power their security monitoring and threat detection capabilities. Aggregating, normalizing, and centralizing huge amounts of security data from so many disparate systems into a single database, however, is both complex and time-consuming.

To deal with that complexity, MDRs need a simplified and cost-effective way to ingest security data at scale into a single centralized repository with analytical capabilities.

High Data Retention Costs at Scale Impact MDR Margins

MDRs must retain security data from their customers to demonstrate compliance with data privacy/security regulations and enable long-term log analytics use cases like proactive threat hunting, advanced persistent threat (APT) detection, and root cause analysis.

When it comes to retaining security data at scale, however, MDRs and MSSPs using Elasticsearch and Splunk often run into trade-offs and limitations.

As the daily volume of ingested security logs increases, the cost of ingesting and retaining those logs grows exponentially. For MDRs that use Elasticsearch, retaining large amounts of data can increase management overhead and degrade query performance.

These challenges can significantly cut into MDR profit margins and consume valuable financial resources that could otherwise be used to accelerate new tech investments or reduce prices for customers (making the MDR more competitive).

The high cost of data retention at scale can even drive MDRs to shorten the data retention window or set limits on which data will be retained, measures that sacrifice long-term analytics capabilities to reduce short-term costs and negatively impact the customer’s overall security posture.

Is there a solution? Yes!

Read: ChaosSearch Teams Up with Armor to Deliver an Integrated Log Analysis Solution.

How MDRs Can Reduce Costs and Complexity with Chaos LakeDB

Top MDR vendors like Armor, Blackpoint, and LevelBlue are integrating Chaos LakeDB into their cybersecurity tooling as an Elasticsearch replacement to address the complexity caused by data fragmentation and avoid the high cost of retaining data at scale.

Blackpoint CEO Jon Murchison explains how retaining data with Chaos LakeDB instead of Elasticsearch helped Blackpoint tackle complexity and reduce costs.

Chaos LakeDB is a data lake database that transforms public cloud storage into a live database for security analytics. With Chaos LakeDB, MDRs can aggregate security data from all sources in cost-effective cloud object storage (Amazon S3 or GCS), index it in our proprietary Chaos Index® data model with up to 95% compression, and run SQL, text search, or Gen AI queries on the data to support proactive threat hunting and long-term analytics use cases like APT detection and root cause analysis.

By allowing MDR vendors to centralize and index their data in a single cost-effective database, Chaos LakeDB helps MDRs counteract the complexity caused by data fragmentation and achieve unlimited data retention at a much lower cost than alternative analytics solutions like Splunk or Elasticsearch.

Ready to learn more?

Read our Blackpoint Customer Case Study to discover how Blackpoint Cyber, a frontrunner in the highly competitive MDR space, is leveraging ChaosSearch to enable a unified data-first approach while reducing costs and driving revenue growth.