Managed Detection and Response (MDR) is an outsourced cybersecurity service designed to protect data and assets even when threats bypass standard organizational security controls.
What Is MDR?
The MDR approach to security primarily focuses on protecting against sophisticated malware, ransomware, and advanced persistent threats (APT), which traditional security tools cannot detect. It complements solutions like legacy antivirus, firewalls, and intrusion prevention systems (IPSs), providing a second layer of protection in case attackers breach these defenses.
MDR has two elements: a software platform deployed in the protected organization, which applies threat intelligence and advanced analytics techniques, and a team of human experts. These experts manage the platform remotely, analyze the security data it collects, and use it to detect and respond to threats.
MDR and EDR
Most MDR services are based on endpoint detection and response (EDR) technology. EDR is an endpoint security technology introduced in 2013 that quickly became an essential part of the modern security toolkit.
EDR solutions are deployed on endpoints, such as employee workstations, servers, and mobile devices. They use advanced behavioral analytics to detect suspicious activity on an endpoint, send alerts to security teams, and can automatically block some attacks, for example, by stopping a suspicious software process or isolating an endpoint from the network. Security experts can use the EDR platform to further investigate the incident and contain the threat.
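To make the behavioral-analytics idea concrete, here is an added example (not from the article or from any EDR product) of a toy detector run over constructed file-event telemetry: it flags a process that renames many files within a few seconds, a pattern typical of ransomware, and attaches the containment actions the text mentions. The event format, process names, window and threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float      # seconds since boot (constructed sample values)
    pid: int
    process: str
    action: str    # "write" or "rename"
    path: str      # path after the action


def _ev(ts, pid, name, action, i):
    # Helper to build constructed sample events; renames land on a new extension.
    suffix = ".locked" if action == "rename" else ""
    return FileEvent(ts, pid, name, action, rf"C:\Users\a\Documents\doc{i}.docx{suffix}")


# Constructed telemetry: a backup tool writing files at a normal pace, a slow
# archiver renaming one file every 10 s, and a process renaming six files in 2.5 s.
SAMPLE_EVENTS = (
    [_ev(10.0 + 10 * i, 501, "backup.exe", "write", i) for i in range(6)]
    + [_ev(15.0 + 10 * i, 300, "archiver.exe", "rename", i) for i in range(6)]
    + [_ev(20.0 + 0.5 * i, 777, "svc_update.exe", "rename", i) for i in range(6)]
)


def detect_mass_rename(events, window=5.0, threshold=5):
    """Flag any process that renames at least `threshold` distinct files within
    `window` seconds (sliding window per pid). Returns one alert per process,
    each carrying the containment actions an EDR agent could take."""
    recent = defaultdict(list)   # pid -> rename events still inside the window
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != "rename":
            continue
        recent[ev.pid] = [e for e in recent[ev.pid] if ev.ts - e.ts <= window] + [ev]
        distinct = {e.path for e in recent[ev.pid]}
        if ev.pid not in flagged and len(distinct) >= threshold:
            flagged.add(ev.pid)   # alert once per process, not once per event
            alerts.append({
                "severity": "high",
                "pid": ev.pid,
                "process": ev.process,
                "renamed_files": len(distinct),
                "response": ["terminate_process", "isolate_host"],
            })
    return alerts
```

With the defaults only `svc_update.exe` is flagged; the slow archiver stays under the window, and the backup tool's writes are ignored entirely.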
SMB Security Challenges
Small and mid-sized businesses (SMBs) are the main driving force of the global economy. However, SMBs face several cybersecurity challenges. Most businesses fear that cyberattacks could severely impact their bottom line, or even put them out of business.
Unfortunately, cybersecurity breaches are exceedingly common, with over a third of SMBs reporting an incident within the last five years. Despite this, some smaller businesses neglect security concerns, believing them to be too difficult to prevent or only a significant issue for large enterprises.
Among the breaches experienced by SMBs, the most common type of incident is a phishing attack. Other significant risks include lost or stolen devices (especially laptops), CEO fraud, and ransomware (which freezes or deletes data to extort a ransom payment). In addition, scammers often use current concerns to trick employees into revealing sensitive information—for instance, some phishing emails exploited COVID-19 pandemic-related fears to breach accounts.
CEO fraud is a scam that tricks employees into carrying out the instructions in a fraudulent email that appears to come from the company CEO. Often, the email requests an urgent payment for some business purpose.
Summary of the Security Challenges of SMBs
- Many companies and employees are aware of threats.
- However, businesses don’t sufficiently protect their sensitive data.
- Companies lack the budget to implement security measures.
- There is a shortage of cybersecurity experts.
- The SMB sector lacks adequate security guidelines.
In the wake of the COVID-19 pandemic, many SMBs faced additional security challenges. Companies had to find new ways to provide services to customers and to let employees continue working during lockdowns or isolation, just to keep their business afloat. Usually, this involved moving to online business operations to support a remote workforce.
However, moving online (i.e., to the cloud) and providing remote access to sensitive corporate applications and data presents additional security threats and requires a new cybersecurity approach.
Why Is MDR Important for SMBs?
When EDR solutions were introduced, they were adopted by many SMBs because of their ability to identify and stop damaging cyber attacks as soon as they occur. For example, an EDR solution can effectively detect and block new and unknown ransomware attacks, which can cripple an unprepared organization.
However, most SMBs that purchased EDR found that they couldn’t operate it effectively. An SMB typically does not have dedicated, in-house security staff; security is handled by IT administrators. These IT experts do not have the time or training to learn how to use EDR and configure it properly.
Even if in-house experts can use the EDR system, they typically don’t have time to review all high-priority alerts and react to them. To make matters worse, a global cybersecurity skills shortage means that even if an SMB organization chooses to hire a security team—it might not be able to find suitable candidates, and might not be able to pay their demanded salary.
The natural choice is to outsource EDR to an external provider. This is precisely what MDR offers—an MDR service offers EDR software, together with dedicated security experts who can use it for network and endpoint monitoring, incident analysis, and incident response.
MDR has several advantages for an SMB organization compared to using EDR:
- Lower upfront costs: no need to purchase EDR software and related infrastructure.
- No need to deploy and configure EDR (which is time-consuming and requires expertise).
- Access to skilled security experts who are trained in EDR solutions.
- The provider’s experts have the time to review all relevant security alerts and respond to relevant threats.
- Expert use of EDR can result in a much higher chance that critical incidents will be handled quickly and efficiently, preventing data breaches.
- MDR experts can provide input to the SMB organization, helping it improve security practices to prevent the next attack.
An MDR service can provide the following security benefits:
- Protection against zero-day attacks and evolving attack vectors.
- Protection against sophisticated threats that can bypass existing security measures.
- Preventing critical incidents from escalating into full-blown data breaches.
- Much faster time to recovery, which can have a major impact in case of a breach.
- No need to recruit external incident response services when a major attack occurs. This is costly and also less effective when these services are recruited at the last minute.
Evaluating MDR Services
Here are the most important criteria you should evaluate when considering an MDR service for your SMB organization:
- Read third-party reports about the service’s ability to respond to threats that bypass active security controls.
- Evaluate EDR and other technology provided by the service—prefer a proven platform deployed by respected organizations in your industry.
- Evaluate which automated security responses the provider’s technology offers. Some MDR solutions can orchestrate existing security tools, for example, automatically defining a firewall rule or reconfiguring network segments to block malicious traffic.
- Understand how the provider performs remote management—for example, what level of access they require to local systems, how they work with cloud environments, and the level of interaction with in-house teams.
- Identify the compliance impact of MDR services. For example, some regulations or standards may limit how you work with an MDR service.
- Evaluate the level of service provided and whether the MDR service is really end-to-end, from monitoring through to detection of incidents, containment, eradication, and recovery. If certain parts of the process are not handled by the provider, consider how you will handle them with internal teams.
- Evaluate threat intelligence and analytics capabilities of the platform, which are key differentiators between vendors.
- Ask the provider about customization options, and whether you can adapt the MDR service to your organization’s specific technical setup and needs.
In this article, I explained the basics of MDR and showed how it can be a game changer for SMB security. In particular, MDR can provide the following unique capabilities that a small business would otherwise be unable to achieve:
- Protection against zero-day attacks and evolving attack vectors
- Protection against sophisticated threats that bypass existing security measures
- Identifying critical incidents and preventing them from escalating
- Rapid recovery from major incidents
- Immediate access to external security expertise
I hope this will be useful as you take your small business’s security to the next level.