Why you’ll want to get the Gartner 2020 Market Guide to Managed Detection and Response Services
Just like any other tech innovation of the last 30 years, sorting through all the noise about Managed Detection and Response (MDR) to understand what you need and don’t need is difficult. Independent third-party opinions are invaluable.
Another reason: “By 2025, 50% of organizations will be using Managed Detection and Response services for threat monitoring, detection and response functions that offer threat containment capabilities”, according to the strategic planning assumption in the 2020 Gartner MDR Services Market Guide.
That’s why we’re sharing the full Gartner 2020 Market Guide to Managed Detection and Response Services* as a complimentary download. This document is helpful for organizations considering an MDR service.
It helps do several things:
Cut through the noise about MDR and assist with the process of evaluating vendors. We believe the Market Guide clearly articulates what features and capabilities a vendor must have to be an effective provider – we’re big fans of high fidelity detection, for example, something that gave us an advantage in the latest MITRE ATT&CK evaluation. Slight caveat: The most proficient tooling in the world is nothing without the right people, both in the end user security team and at the provider end.
Response capability – and speed – is fundamental. We’ve been banging the drum about this for a long time. Reducing this response gap is fundamental to defending the enterprise, and we think you must measure the viability of an MDR service on its ability to respond. It’s recommended that you couple MDR with an IR retainer. We’d go one step further and say IR is a core part of the Managed Detection and Response value proposition.
Why? Response included in your MDR service must do more than just tackle commodity malware. It needs to be able to contain and stop attacks (like human-driven ransomware) before they become serious problems.
Secondly, you want to make sure the IR and MDR resources work really well together, so there’s no gap when handing any incident off. A key message we’ve seen in the Market Guide chimes with our experience: MDR should be measured by ability to respond. Detection is important, but it’s nothing without an even better response capability.
This is a significant departure: look at traditional models like Managed Security Service Providers (MSSP) and Endpoint Detection and Response (EDR), and they’re often tuned to alerting in a timely fashion before calling in IR. It’s better to hear from your provider that they’ve stopped an attack in the early stages than to hear that they’ve seen signs an attack is underway and hey, you might want to bring in the Incident Response team.
Coupled to this: Trust is everything – and it’s growing. Organizations that take on an effective MDR service are increasingly willing to adopt a position that pre-authorizes their MDR provider to perform the action AND then discuss it, containing live attacks as soon as they’re spotted. This is something our Detection and Response Team (DRT) do as part of our service, saving customers the cost and delay of wheeling out the big IR guns for every single incident – even if it’s easily contained.
We’ve spent time working out the best way of communicating our workflow to customers so they understand the how, why and when of our Detection and Response Team’s actions. Our customers need to be comfortable that an automated response won’t kick off every time it stumbles on a false positive. Our service is human-driven, combining technical capability with human experience and expertise. This has two elements, by the way: understanding how MDR fits into customers’ existing processes, and ensuring the whole organisation is prepared for incidents. This preparation involves things like conducting readiness exercises or tabletop war games.
Organizational maturity in MDR providers shouldn’t be underrated. There’s a steep institutional learning curve when it comes to working with enterprises that can mean even the most experienced band of experts at a startup struggles. Our MDR service, Countercept, has been around for five years – but F-Secure got started over 30 years ago as a cybersecurity provider.
Organizational maturity and ensuring a good fit are important, both at setup and as part of an ongoing service. These things are independent of technical capability. In a market with lots of new entrants and ongoing acquisitions, there are inevitably vendors that don’t necessarily have the experience and knowledge required to work with small and large organizations.
Speed of deployment and time to value are key benefits of MDR, but they must be achieved without negative impact; poorly deployed MDR agents can wreck a customer’s estate if not handled carefully.
We’d ideally also like to understand what organizations value most from their relationship with an MDR provider. We’ve been taking on board feedback over the last few years from our own customer base about what they want to see with the specific intention of creating what we call Peacetime Value. We’ll be adjusting this over time based on conversations with customers, but it’ll be interesting to see what the rest of the market looks for, too.
MDR – especially a service with excellent Response capability – is a powerful and effective choice for protecting organizations from attack. It’s not for every security team or every estate, and there’s a heck of a lot of noise in the market, which is where we believe this Market Guide is a massive help for those starting out on the process of selecting a vendor.
The caveat, of course, is that no-one should rely on a single source for a buying decision; but this is a really great place to start.
*Gartner, Market Guide for Managed Detection and Response Services, Toby Bussa, Kelly Kavanagh, Pete Shoard, John Collins, Craig Lawson, Mitchell Schneider, 26 August 2020