LINEARSTACK
March 23, 2023

Managed Detection and Response vs. Managed Security Services

How Managed Detection & Response (MDR) differs from Managed Security Services and how to choose between the two

Both Managed Detection and Response (MDR) and Managed Security Service Providers (MSSPs) offer cyber security expertise to organisations to augment (and sometimes supplement) their cyber defence. However, they focus on different stages of the cyber threat lifecycle and have different value propositions.

MSSP services have been around much longer than MDR and focus primarily on preventative controls, which include cyber threat prevention, vulnerability management and perimeter defence. MDR, on the other hand, focuses on proactive threat detection and quick containment, including the post-compromise stages of the threat lifecycle.

Differences between MSSP and MDR services

Incident Response

MSSPs do not traditionally provide incident response support – if an incident is detected, the MSSP will typically escalate it to the customer to handle internally. MDR providers address this gap by providing varying degrees of incident response support. This can range from automatically neutralising a threat to isolating and shutting down an affected host.

Threat Detection

MDR providers operate on the assumption that advanced threats that evaded detection are already inside the network perimeter, and need to be found and rooted out. They do this by proactively looking for anomalous behaviour inside the enterprise environment using attacker Tactics, Techniques and Procedures (TTPs). Most MDR services include a threat hunting component to find stealthy, post-intrusion threats. MSSPs rely more heavily on traditional technology-based detection methods and usually do not conduct proactive threat hunting.  

Use of Technology

While both MDR providers and MSSPs use a wide range of perimeter defence, threat detection and response tools and technology, MDR providers rely heavily on human intelligence and analytical ability to drive how that technology is used. For effective behavioural-analytics-based detection, MDR teams need complete visibility into the customer environment, a deep understanding of the business context, and knowledge of ongoing attack trends. This requires trained analysts with years of experience and sharp pattern recognition skills. On the other hand, MSSPs are concerned primarily with network monitoring, alert handling and triage, which can be accomplished, to a great extent, with monitoring and detection tools.

Threat Types

MSSP services are better suited for the detection of threats with known IoCs fed into a SIEM platform. These are usually known threats that are caught and neutralised at the perimeter. MDR providers' focus is on advanced threats that evade perimeter controls. These include advanced persistent threats (APTs) and state-sponsored threats that can sit undetected in an environment for months on end and can't be detected using IoCs and known signatures.
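To make the contrast drawn in the Threat Detection and Threat Types sections concrete, here is a small added Python example (not code from this post or from Linearstack) that runs an IoC lookup and a behavioural TTP rule over a few constructed process events; the event field names, hashes and IP addresses are all invented for the example.

```python
from typing import Dict, List, Set

Event = Dict[str, str]

# Constructed process-creation events (not real telemetry); field names are assumptions.
EVENTS: List[Event] = [
    {"host": "ws-01", "parent": "explorer.exe", "image": "chrome.exe",
     "sha256": "h-chrome", "dest_ip": "203.0.113.5"},
    {"host": "ws-01", "parent": "explorer.exe", "image": "dropper.exe",
     "sha256": "h-known-bad", "dest_ip": "198.51.100.7"},
    {"host": "ws-02", "parent": "winword.exe", "image": "powershell.exe",
     "sha256": "h-ps-legit", "dest_ip": "198.51.100.9"},
    {"host": "ws-03", "parent": "services.exe", "image": "powershell.exe",
     "sha256": "h-ps-legit", "dest_ip": ""},
]

# Indicator feed of the kind an MSSP loads into a SIEM (constructed values).
IOC_HASHES: Set[str] = {"h-known-bad"}
IOC_IPS: Set[str] = {"198.51.100.7"}

# Behavioural rule inputs: an Office application spawning a script interpreter.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def ioc_matches(events: List[Event]) -> List[str]:
    """Signature-style detection: fires only when an event carries a listed indicator."""
    return [e["host"] for e in events
            if e["sha256"] in IOC_HASHES or e["dest_ip"] in IOC_IPS]


def ttp_matches(events: List[Event]) -> List[str]:
    """Behavioural detection: the parent/child relationship is suspicious regardless of
    the binary's hash or the destination address, so a fresh sample is still caught."""
    return [e["host"] for e in events
            if e["parent"] in OFFICE_APPS and e["image"] in INTERPRETERS]


def missed_by_iocs(events: List[Event]) -> List[str]:
    """Hosts the TTP rule flags that the indicator feed does not: the gap MDR targets."""
    return sorted(set(ttp_matches(events)) - set(ioc_matches(events)))


if __name__ == "__main__":
    print("IoC hits:", ioc_matches(EVENTS))       # ws-01 only
    print("TTP hits:", ttp_matches(EVENTS))       # ws-02 only
    print("Missed by IoCs:", missed_by_iocs(EVENTS))
```

Note that ws-03 is not flagged by either rule: a service host launching PowerShell is routine, which is why the behavioural rule keys on the Office parent rather than on the interpreter alone.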

MDR vs. MSSP - Comparison chart
(Comparison chart image not reproduced in this text.)

When to consider an MDR service

  • When you don't have the capacity for 24/7 SOC operations to respond to serious threats as they are detected
  • When you have an in-house SOC, but you need to augment existing capabilities, especially to reduce detection and response times
  • When you have a technology stack that includes threat detection and response platforms, but don't want to build a full in-house SOC and would rather outsource security operations to an MDR provider, mainly for their specialised skillset

MDR for threat containment

Gartner predicts that "by 2025, 50% of organizations will be using MDR services for threat monitoring, detection and response functions that offer threat containment capabilities".

More and more businesses are now beginning to expect MDR services to either include complete incident response or manage more elements of it. But even where threat containment and disruption are the MDR provider's responsibility, remediation and recovery continue to be managed by customers' in-house teams in most cases.  

Choosing between an MSSP and MDR provider

Your choice will ultimately depend on your specific risk environment, existing security capabilities and business priorities.

Some organisations use both an MSSP and an MDR service to take care of different parts of their cyber security program. In these cases the MSSP's focus is on basic security functions such as 24-hour monitoring, perimeter defence and the maintenance of security tools. The MDR service further strengthens the organisation's defence capabilities by providing advanced detection and response with faster response times, along with threat intel services and deep analytics.

This is not necessary, however, and the vast majority of businesses opt for one of the two options based on their specific security needs. It's also important to remember that different MSSPs and MDR providers vary quite a bit in their delivery models, flexibility, coverage and technical capabilities. You need to keep all these factors in mind and ask the right questions before making your final decision.
