Is it managed detection and response (MDR)'s time to shine?
It's time to outsource more security services
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
In the past, I’ve talked about how I believe that with the move away from datacenters, there’s less need for physical security operations centers (SOCs). With more companies running in the cloud and becoming technology- and engineering-focused businesses, the need for a dedicated SOC, physical or virtual, has diminished.
As security teams try to scale, they will likely move toward a model similar to engineering’s, with on-call rotations and SREs. This means that SOCs, in their current form, are going away, which leaves the question of how to replace them. In the current world, staffing a 24/7 SOC doesn’t seem strategic for a business. One can argue that response and remediation time make a difference in outcome. However, most of the time is spent actually finding the root cause and performing the right remediation. The time scale for resolution varies, and the more complex fixes take hours or days, so it’s unlikely that shaving a few minutes off the initial response will be material. That’s why having a dedicated SOC doesn’t make sense for most companies.
I do think it’s unlikely that SOCs will simply turn into the way engineering responds to incidents. First, engineering’s monitoring and alerting rules are usually based on previous data, whereas security typically has far fewer alerts to base its rules on (or at least that’s the hope). Second, engineering’s rules typically need little changing, whereas security likely needs to regularly tune existing rules and create new ones to keep up with the changing threat landscape. Finally, security has fewer incidents than engineering. I’ve even heard people say that customers are more likely to remember a company’s outages than its security incidents.
So where am I going with this? As businesses look to cut costs, especially in security, the SOC seems like a logical place where a security leader can reduce spend by replacing it with an MDR. That’s why I think this might be the beginning of a heyday for MDRs.
What is an MDR?
Here’s what Crowdstrike describes as MDR:
Managed detection and response (MDR) is a cybersecurity service that combines technology with human expertise to rapidly identify and limit the impact of threats by performing threat hunting, monitoring, and response. The main benefit of MDR is that it quickly helps in limiting the impact of threats without the need for additional staffing, which can be costly.
This comes in many forms. Historically, companies, especially small businesses, have used managed security service providers (MSSPs) to do part of this work. More recently, dedicated businesses like Expel, Red Canary, and Arctic Wolf have emerged that aim to fully outsource a company’s detection and response capabilities. These companies are trying to build profitable businesses with SaaS-like gross margins rather than services-business margins, and they are betting that technology and automation at scale will get them there. From what I’ve been hearing (unconfirmed), some of these businesses are close to achieving this goal. It’s no surprise that Arctic Wolf is considering an IPO.
Why use an MDR?
The straightforward answer is that the value is similar to that of a SaaS tool: it’s cheaper and faster to buy it than to hire a team to build and maintain the same functionality. Specifically for detection and response, it can take several months or even years to build out a mature detection and response function, and it’s hard to show up front that it will pay dividends.
With that said, even if you want to build out your own detection and response, a company should buy an MDR as a stopgap. It can likely be spun up in a few months because it only requires buying and configuring a product rather than hiring and managing a team. On top of that, it’s a cheaper and faster way to demonstrate the value of detection and response than asking for a whole team. Once the MDR costs become prohibitive, hopefully the leadership team will by then understand the benefits and value of detection and response and will be open to building a team to reduce operational costs.
Beyond cost, an MDR is helpful for a few reasons. First, it allows for more immediate risk reduction, especially in the early days of a security team or for a team with limited resources. Second, it provides investigative expertise. An MDR deals with many types of alerts across multiple customers, so it can triage and remediate an alert faster, whereas a customer has to build this context and knowledge internally. Related to this, it provides a more consistent experience, whereas with an internal team the response to an alert likely depends on which analyst happens to be responding. Finally, especially in resource-limited environments, the in-house security headcount can then be used for something more strategic to the business, e.g. product security, privacy, etc.
I acknowledge that sometimes it is strategic for a company to have its own detection and response. For example, some companies have unique assets and environments to protect, so an MDR likely won’t be sufficient or won’t work well. They might also be willing to invest heavily in their own detection and response because they need higher-quality coverage than an MDR offers. This might be true for AI companies such as OpenAI and Anthropic because they have an atypical threat surface. However, I do believe that MDRs can work for the large majority of companies that currently have internal SOCs.
What will increase the use of MDRs?
In the past few years, there’s been a greater push for security leaders to demonstrate metrics and the efficiency of their teams. That is, security leaders can no longer get away with FUD to get resources; they have to demonstrate ROI and strive for efficiency.
In my mind, and as stated above, SOCs made more sense in the datacenter world, where sometimes a physical response was more efficient. However, not only has most of the world moved to the cloud, but communication technology has also improved to allow more efficient response and better visibility into a company’s applications and infrastructure. Tooling such as Datadog, PagerDuty, Zoom, and Slack is more prevalent and has closed the communication gap, so there’s less need for people to be in the same room. Similarly, there’s no need to actively watch dashboards now that alerting tools have improved.
Moreover, SOCs have always been a bit strange to me. With defense in depth, the more mature your security function is, the fewer alerts you should see. Even when you do see alerts, hopefully your defense in depth will buy you some time to remediate and limit the blast radius of any attack. It seems that a SOC decreases in value as a company increases its security maturity.
Sure, the argument is that as a company grows in profile, there will likely be more attacks, and the attacks will likely be more sophisticated. However, it’s unclear whether that company’s SOC has the knowledge and capability to respond. As we’ve seen in recent hacks, even the largest companies retain an external incident response firm like Mandiant or Crowdstrike to help with sophisticated attacks. So why not retain an MDR to continuously monitor for attacks and augment your capabilities? At the very least, it feels like a SOC shouldn’t grow past a certain size because of diminishing returns. As a result, if a SOC needs more capabilities, it should spend on an MDR, as that feels more efficient.
What really spurred my interest in MDRs is twofold. First, cybersecurity talent is limited. This has been a known fact in the industry for a while, so with limited access to talent, the SOC doesn’t feel like the best place to put it. There are more business-specific security priorities, such as security engineering, where strong talent can help build a more scalable solution. Also, the quality of SOC talent has high variance because much of it depends on the experience of the individual, and that experience correlates not with time served but with the number of alerts handled. But do you want to work at a company that has a large number of security alerts? Such a company either has a lot of security events or is bad at writing rules. Either way, those are not the best experiences to have.
Second, with the recent surge of interest in AI and LLMs, many security products are focused on using them to make SOCs more efficient. I personally don’t think this is the best problem to solve. Security leaders might try these tools, but they will realize the actual problem: their SOCs aren’t that efficient in general. Although AI and LLM tools seem like they can help provide context, security leaders will soon realize that having an internal SOC at all is not operationally efficient.
SOCs are similar to running your own datacenters. More specifically, a SOC is only valuable if it can handle the alert volume at its peak, so it must be staffed for that peak. MDRs, like the cloud, offer elasticity: they can absorb the variance in the number of alerts, and, especially early on, it’s unclear how many alerts your SOC team will see and can handle.
With that said, outsourcing your SOC seems like a good business decision, and I believe that for most security teams the quality of detection and response could actually increase as a result. There’s also no overhead of having to hire and manage a team, which is likely a big cost in both budget and cognitive load.
As a result, I believe a security leader will look into buying an MDR in two scenarios. In many ways, this matches the adoption of the cloud! First, for security teams that don’t have a SOC, an MDR will provide a stopgap until the team decides it’s more strategic and/or cost-effective to build its own detection and response capabilities. Second, a company with an existing SOC will use an MDR to augment its capabilities and will slowly reduce the size of its SOC once it sees the operational and efficiency gains.
We’re entering an age where security leaders have to start thinking of efficient use of resources, and I believe that MDRs will benefit in this new age.