Is it managed detection and response (MDR)'s time to shine?
It's time to outsource more security services
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
In the past, I’ve talked about how I believe that with the move away from datacenters, there’s less need for physical security operations centers (SOCs). With more companies using the cloud and shifting toward technology- and engineering-focused businesses, the need for a dedicated SOC, physical or virtual, has diminished.
As security organizations try to scale, they will likely move toward a model similar to engineering’s, with on-call rotations and SREs. This means that SOCs, in their current form, are going away, which leaves the question of how to replace them. In the current world, staffing a 24/7 SOC doesn’t seem strategic for a business. One can argue that response and remediation time make a difference in the outcome. However, most of the time is spent actually finding the root cause and performing the right remediation. The time scale for resolution varies, and the more complex fixes take hours or days, so it’s unlikely that a few extra minutes to respond will be material. That’s why having a dedicated SOC doesn’t make sense for a growing number of companies.
I do think it’s unlikely that SOCs will transform into how engineering responds to incidents. First, the monitoring and alerting rules for engineering are usually based on previous data, whereas security typically has far fewer alerts to base its rules on (or at least that’s the hope). Second, engineering’s rules typically need little changing, whereas security likely needs to regularly tune existing rules and create new ones to keep up with the changing threat landscape. Finally, security has fewer incidents than engineering. I’ve even heard people say that customers are more likely to remember a company’s outages than its security incidents.
So where am I going with this? As businesses look to cut costs, especially in security, the SOC seems like a logical place where a security leader can reduce spending by using an MDR. That’s why I think this might be the beginning of a heyday for MDRs.
What is an MDR?
Here’s how CrowdStrike describes MDR:
Managed detection and response (MDR) is a cybersecurity service that combines technology with human expertise to rapidly identify and limit the impact of threats by performing threat hunting, monitoring, and response. The main benefit of MDR is that it quickly helps in limiting the impact of threats without the need for additional staffing, which can be costly.
This comes in many forms. Historically, companies, especially small businesses, have used managed security service providers (MSSPs) to do part of this work. More recently, dedicated businesses like Expel, Red Canary, and Arctic Wolf have emerged that aim to fully outsource a company’s detection and response capabilities. These companies are trying to build profitable businesses with SaaS-like gross margins rather than the margins of a services business, and they are hoping that using technology and automation at scale will achieve this. From what I’ve been hearing (unconfirmed), some of these businesses are close to achieving this goal. It’s no surprise that Arctic Wolf is considering an IPO.
Why use an MDR?