As director of information services for Hopkins Public Schools in Minnesota, John Wetter has seen IT and cybersecurity soar to new heights over the past 17 years. Initially, his 17-person tech team managed security by isolating systems and enforcing good data handling practices. This sufficed for a long time. But in 2015, the business office expressed concerns about PCI regulations, which could transfer the liability of fraudulent transactions to the organizations themselves.
The discussions about PCI regulations prompted Wetter to seriously consider upgrading the school district's security measures. By around 2020, the situation came to a head with an increase in breaches. Moreover, cyber insurance requirements began to include extended detection and response agents on all endpoints. Given that his team had the responsibility of securing 7,000 students and 1,500 named accounts, it became clear they couldn’t handle it alone. As a result, Wetter decided to explore the option of adopting managed detection and response services.
What Is Managed Detection and Response (MDR)?
In a nutshell, MDR is a service that puts the onus of continuous threat monitoring and response on an external provider, either entirely or partially. This approach is becoming increasingly popular among organizations, with a recent Emergen Research report projecting the MDR market to grow by more than 18% through 2030.
“Previously, there were pretty defined parameters: endpoints and networks,” explained Jonathan Ong, a senior analyst for managed security services at research firm Omdia. “Once cloud came into the picture, the border started to blur and the need for high visibility became even more important.” In addition to this, organizations are struggling to keep pace with the growing frequency and sophistication of cyber threats.
According to Omdia’s research, the top challenges in threat detection and incident response are gathering, normalizing, and correlating data from sources; an ever-expanding threat landscape; and the need to integrate data from disparate sources. The research also found that 96% of organizations are open to adopting new technologies to enhance their ability to detect and manage threats.
Two MDR Models To Choose From
Mark Benaquista, managing director of Thomas H. Lee (THL) Partners, a private equity firm, appreciated the value of MDR when he recognized the evolving cybersecurity landscape and the risks it posed to the company’s assets under management, which exceeded $15 billion.
“We needed to ensure that those assets are protected along with protecting THL itself,” Benaquista said.
Initially, he considered building the capability internally and hiring more staff. However, upon further evaluation, he found that the MDR model offered more benefits and was cost-competitive compared to building it in-house. He started researching MDR options around 2013 and made his choice about a year later. Since then, he has never regretted his decision.
When it comes to improving cybersecurity, moving to a managed services model for incident detection and response is just the beginning. IT leaders must choose between two approaches: the “concierge” model of MDR and the more traditional model.
In the concierge model, the MDR provider takes the lead by evaluating the environment, installing their agents on the organization’s devices, and handling the process from there.
The traditional model, meanwhile, involves collaboration between the MDR provider’s expertise and the client’s own IT staff. The MDR provider monitors the organization’s security information and event management system and endpoints, while the IT staff manages these resources and participates in remediation efforts.
Benaquista is a fan of the concierge approach. “We call it ‘MDR’ for a reason,” Benaquista said. “If you don’t empower them to respond, you’re losing very valuable seconds and minutes. The bad guys are good at what they do, and they don’t do it between 9 and 5; they do it on holiday weekends at 3 am … when most people aren’t paying attention.”
The concierge model also helps make up for a shortage of cybersecurity skills. “We have 35 companies in our portfolio, and we’re all trying to hire the people who partner with the MDR services,” Benaquista explained. “It’s hard to find people, and the salaries of these folks have been rising at a much faster pace than other areas. The MDR service allows us to offset that a bit.”
Wetter prefers the partial service model. He believes that completely outsourcing cybersecurity introduces additional risk to the organization.
“While our staff doesn’t have the capacity or expertise to be doing [cybersecurity] on a day-to-day basis, they still need to have an investment and involvement in securing our environment,” Wetter said. “I’ve seen the concierge model go sideways too many times with other things. For example, our buildings and grounds department outsources HVAC support because they don’t have the expertise, and that hasn’t always gone well.”
Finding the Right MDR Fit
After deciding to adopt MDR, the next steps involve finding the right fit for your organization – and “fit” is the operative word.
Ong said it’s important to understand where MDR fits into your overall security program. For instance, you should determine whether MDR serves as a stop-gap measure while you develop in-house capabilities.
Additionally, organizations must consider the location of the MDR provider’s teams. “If you have a provider that has teams based out of Asia, you’re going to have some teams working overnight,” Ong noted. “That may be a point of concern because the team members can be exhausted and morale can be low. That could lead you to question whether they are catching anything.”
And make sure the service is strong, Ong added. “You want someone guiding you, narrowing down the alerts and only presenting the ones that are most important, and giving you very actionable recommendations.”
In general, Omdia highlights the following as the most important features to look for in an MDR service:
- Enhanced capabilities for orchestrated and automated threat investigation and response
- User analytics to provide fast and accurate threat detection
- Cost savings compared to existing solutions
For Wetter, the MDR provider needed to align with all the school district’s security layers. The MDR service he chose sends remediation responses back to specific security components, such as JamF Protect, endpoint security and mobile threat defense for Mac and mobile devices, and Windows Defender.
“If a person is working on an endpoint off the network and there is a security event, a call may come back to the service desk from that person saying that the computer has been locked due to a security event,” Wetter said. “You don’t want your service desk to have to check into each layer of your security stack to see which one is affected, because none of those layers are aware of what the others are doing. It becomes a closed-loop problem.”
Benaquista stressed that organizations should assess the MDR provider’s track record in handling zero-day attacks. He values advanced tooling that includes purpose-built algorithms that can detect anomalies effectively. “If you leave it in the hands of just people, it’s no different from doing it yourself,” he said. “They may have a bigger army, but you want the army to have the right tools and weapons in this space.”
Furthermore, Benaquista sought strong security orchestration, which includes alerting mechanisms for the MDR team. He also looked for proof of how the automated orchestration process brings incidents to the provider’s attention, the provider’s ability to learn from past incidents, the efficiency of the restoration process, the quality of reporting, and the willingness to address any gaps in its product offering.
Evaluating an MDR Provider’s Performance
So, how can you evaluate whether your MDR provider is doing a good job? The obvious metrics include assessing the provider’s ability to catch threats, their timeliness in notifying you of potential threats, and their contribution to saving time and money for your organization.
Benaquista saw the effectiveness of the MDR model firsthand – in an instance of keyboard-to-keyboard combat. A hacker had gained access to the environment of a company that THL was responsible for. The MDR provider immediately responded, kicking the hacker out of the system. However, the hacker persisted, attempting to reenter the environment multiple times. Nevertheless, the MDR continued to block the hacker’s access.
Eventually, the MDR team discovered that the hacker had established several backdoors to maintain access. Realizing the severity of the situation, the MDR provider collaborated with Benaquista’s team, working side by side to successfully regain control of the environment.
“Our MDR took the initial action, sending out alerts and establishing a ‘warm call’ where everyone was brought up to speed – all at the same time they were taking privileges away and kicking people out," Benaquista said.
About the author
Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek and Government Executive.
