Both Managed Detection and Response (MDR) providers and Managed Security Service Providers (MSSPs) offer cyber security expertise to organisations to augment (and sometimes replace) their in-house cyber defence. However, they focus on different stages of the cyber threat lifecycle and have different value propositions.
MSSP services have been around much longer than MDR and focus primarily on preventative controls, which include cyber threat prevention, vulnerability management and perimeter defence. MDR, on the other hand, focuses on proactive threat detection and quick containment, including the post-compromise stages of the threat lifecycle.
MSSPs do not traditionally provide incident response support: if an incident is detected, the MSSP will typically escalate it to the customer to handle internally. MDR providers address this gap by providing varying degrees of incident response support, from automated containment actions (for example, killing a malicious process or isolating an affected host from the network) to analyst-led investigation and containment.
MDR providers operate on the assumption that advanced threats that evaded detection are already inside the network perimeter, and need to be found and rooted out. They do this by proactively looking for anomalous behaviour inside the enterprise environment using attacker Tactics, Techniques and Procedures (TTPs). Most MDR services include a threat hunting component to find stealthy, post-intrusion threats. MSSPs rely more heavily on traditional technology-based detection methods and usually do not conduct proactive threat hunting.
While both MDR providers and MSSPs use a wide range of perimeter defence, threat detection and response tools and technology, MDR providers rely heavily on human intelligence and analytical ability to drive how that technology is used. For effective behavioural-analytics-based detection, MDR teams need broad telemetry visibility into the customer environment (endpoint, network, identity and cloud), a deep understanding of the business context, and knowledge of current attacker tradecraft. This requires trained analysts with years of experience and sharp pattern recognition skills. MSSPs, on the other hand, are concerned primarily with network monitoring, alert handling and triage, which can be accomplished to a great extent with monitoring and detection tooling.
MSSP services are better suited to detecting threats with known indicators of compromise (IoCs), such as file hashes, IP addresses and domains, fed into a SIEM platform. These are usually commodity threats that are caught and neutralised at the perimeter. MDR providers focus on advanced threats that evade perimeter controls, including advanced persistent threats (APTs) and state-sponsored actors that can sit undetected in an environment for months on end and are unlikely to be caught by IoC matching or known signatures, because the attacker controls the hashes, infrastructure and tooling those indicators describe.
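The two detection styles described above (IoC matching as an MSSP would load into a SIEM, versus the TTP-based behavioural detection an MDR hunter relies on) can be shown side by side. The following is an added example, not code from the article or from any MSSP or MDR provider; the events, hashes and IP addresses are constructed, and the rule names and thresholds are assumptions for illustration only.

```python
"""Constructed example: IoC matching vs. behavioural (TTP-based) detection.

Added illustration, not code from the article or any vendor. All log events,
hashes and IP addresses below are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent: str       # parent process image name
    image: str        # process image name
    sha256: str       # hash of the executable (fabricated values)
    cmdline: str
    remote_ip: str    # outbound connection made by the process, "" if none


# Hypothetical threat-intel feed of the kind an MSSP loads into a SIEM.
KNOWN_BAD_HASHES = {"aa11" * 16}
KNOWN_BAD_IPS = {"203.0.113.7"}   # TEST-NET-3 address, documentation use only

# Constructed sample telemetry.
EVENTS = [
    # 1. Known commodity malware: its hash and C2 address are on the feed.
    ProcessEvent("ws01", "explorer.exe", "update.exe", "aa11" * 16,
                 "update.exe", "203.0.113.7"),
    # 2. Recompiled variant with fresh infrastructure: no indicator matches.
    ProcessEvent("ws02", "winword.exe", "powershell.exe", "bb22" * 16,
                 "powershell.exe -nop -w hidden -enc SQBFAFgA...", "198.51.100.9"),
    # 3. Benign admin activity that the behavioural rule must not flag.
    ProcessEvent("srv01", "cmd.exe", "powershell.exe", "cc33" * 16,
                 "powershell.exe -File C:\\ops\\backup.ps1", ""),
]


def ioc_match(event):
    """Signature-style detection: hits only if an indicator on the feed is seen."""
    reasons = []
    if event.sha256 in KNOWN_BAD_HASHES:
        reasons.append("known-bad hash")
    if event.remote_ip in KNOWN_BAD_IPS:
        reasons.append("known-bad IP")
    return reasons


# Parent images that should not normally launch a scripting host.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def ttp_match(event):
    """Behavioural detection: describes how an attacker acts, not what file they drop.

    An Office application spawning a script host with a hidden or encoded command
    line is a common initial-access pattern; the rule fires regardless of the
    binary's hash or the destination address.
    """
    reasons = []
    if event.parent in OFFICE_APPS and event.image in SCRIPT_HOSTS:
        reasons.append("office app spawned script host")
        flags = event.cmdline.lower()
        if "-enc" in flags or "-w hidden" in flags:
            reasons.append("encoded or hidden command line")
    return reasons


def triage(events):
    """Return {host: (ioc_reasons, ttp_reasons)} for every event that hit either detector."""
    results = {}
    for e in events:
        ioc, ttp = ioc_match(e), ttp_match(e)
        if ioc or ttp:
            results[e.host] = (ioc, ttp)
    return results


if __name__ == "__main__":
    for host, (ioc, ttp) in triage(EVENTS).items():
        print(f"{host}: IoC={ioc or 'none'} TTP={ttp or 'none'}")
```

Run stand-alone, the script flags ws01 on the IoC feed alone and ws02 on the behavioural rule alone: the recompiled variant has no known hash or address, so the IoC path stays silent, while the parent-child pattern still catches it. The benign backup job on srv01 triggers neither, which is the precision a hunting rule needs before it can be handed to a 24-hour monitoring team.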
Gartner predicts that "by 2025, 50% of organizations will be using MDR services for threat monitoring, detection and response functions that offer threat containment capabilities".
More and more businesses are now beginning to expect MDR services to either include complete incident response or manage more elements of it. But even where threat containment and disruption are the MDR provider's responsibility, remediation and recovery continue to be managed by customers' in-house teams in most cases.
Your choice will ultimately depend on your specific risk environment, existing security capabilities and business priorities.
Some organisations use both an MSSP and an MDR service to take care of different parts of their cyber security program. The MSSP's focus in these cases is basic security functions like 24-hour monitoring, perimeter defence and the maintenance of security tools. The MDR service further strengthens the organisation's defence capabilities by providing advanced detection and response with faster response times, along with threat intel services and deep analytics.
Running both is not necessary, however, and most businesses opt for one of the two based on their specific security needs. It is also important to remember that individual MSSPs and MDR providers vary considerably in their delivery models, flexibility, coverage (for example, which telemetry sources they ingest and which response actions they are authorised to take) and technical capabilities. Keep all these factors in mind and ask the right questions before making your final decision.