Of all foundational elements for information security, logging requires far more care and feeding than its fellow cornerstones such as encryption, authentication or permissions.
Log data must be captured, correlated and analysed to be of any use. Given typical log volumes, software tools to manage log events are a must-have for businesses of any size.
Traditionally, log events have been processed and handled using security information and event management (SIEM) tools. At a minimum, a SIEM provides a central repository for log data together with tools to analyse, monitor and alert on relevant events.
SIEM tools have since evolved more sophisticated capabilities, such as machine-learning-based analytics and the ability to ingest third-party threat intelligence.
What is managed detection and response?
Traditional SIEM falls short in the follow-up steps once an event or incident rises to a certain level of concern. This is where managed detection and response (MDR) comes in.
Just like the sheer volume of log data makes it inefficient and ineffective for humans to review log files manually, so too the scale of modern data centres (with virtual machines and application containers) makes responding to every threat with a human resource impractical.
MDR services take log events and correlate them with the end goal of identifying incidents that your security team should investigate; the provider then takes initial steps to mitigate the threat and, in many cases, performs a root-cause analysis.
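To make concrete what "correlating log events" means, both for the SIEM described above and for the triage step an MDR analyst starts from, here is an added example in Python. It is not code from this page or from any vendor listed here. It parses constructed sshd and sudo log lines (sample data, not captured from a real system), raises an incident when one source IP accumulates a burst of failed logins that ends in a success, and escalates the severity if the account that just logged in then uses sudo to become root. The thresholds (five failures in two minutes, a ten-minute follow-up window) are hypothetical tuning values, not anyone's published rule.

```python
"""Minimal SIEM-style correlation over sshd/sudo log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): a burst of failures from 203.0.113.7
# ending in a successful login and a sudo to root, plus benign noise from
# 198.51.100.5 (one typo, then success) that must NOT raise an incident.
SAMPLE_LOG = """\
2024-05-01T09:00:01 host1 sshd[1201]: Failed password for admin from 203.0.113.7 port 51000 ssh2
2024-05-01T09:00:03 host1 sshd[1202]: Failed password for admin from 203.0.113.7 port 51001 ssh2
2024-05-01T09:00:05 host1 sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-05-01T09:00:07 host1 sshd[1204]: Failed password for deploy from 203.0.113.7 port 51003 ssh2
2024-05-01T09:00:09 host1 sshd[1205]: Failed password for deploy from 203.0.113.7 port 51004 ssh2
2024-05-01T09:00:12 host1 sshd[1206]: Accepted password for deploy from 203.0.113.7 port 51005 ssh2
2024-05-01T09:00:40 host1 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
2024-05-01T09:05:00 host1 sshd[1300]: Failed password for alice from 198.51.100.5 port 40000 ssh2
2024-05-01T09:05:04 host1 sshd[1301]: Accepted password for alice from 198.51.100.5 port 40001 ssh2
"""

# Generic "<timestamp> <host> <program>[pid]: <message>" envelope.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[a-z]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse(text):
    """Normalise raw lines into typed events; unparsable lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        msg = m["msg"]
        if m["prog"] == "sshd" and (s := SSH_RE.match(msg)):
            kind = "ssh_fail" if s["outcome"] == "Failed" else "ssh_ok"
            events.append({"ts": ts, "host": m["host"], "type": kind, "user": s["user"], "src": s["src"]})
        elif m["prog"] == "sudo" and (s := SUDO_RE.match(msg)):
            events.append({"ts": ts, "host": m["host"], "type": "sudo", "user": s["user"],
                           "target": s["target"], "cmd": s["cmd"]})
    return events


def correlate(events, fail_threshold=5, window=timedelta(minutes=2), followup=timedelta(minutes=10)):
    """Rule 1: >= fail_threshold failures from one source within `window`, then a success -> high.
    Rule 2: the user from such a login runs sudo to root within `followup` -> critical.
    Thresholds are hypothetical tuning values for this example."""
    incidents = []
    fails = defaultdict(list)  # source IP -> timestamps of failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "ssh_fail":
            fails[ev["src"]].append(ev["ts"])
        elif ev["type"] == "ssh_ok":
            recent = [t for t in fails[ev["src"]] if ev["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                incidents.append({"src": ev["src"], "user": ev["user"], "host": ev["host"],
                                  "failures": len(recent), "login_at": ev["ts"],
                                  "severity": "high", "steps": ["brute_force_then_success"]})
            fails[ev["src"]].clear()  # a success closes the failure window for that source
        elif ev["type"] == "sudo" and ev["target"] == "root":
            for inc in incidents:
                since_login = ev["ts"] - inc["login_at"]
                if inc["user"] == ev["user"] and inc["host"] == ev["host"] and timedelta(0) <= since_login <= followup:
                    inc["severity"] = "critical"
                    inc["steps"].append("sudo_root")
    return incidents


if __name__ == "__main__":
    for inc in correlate(parse(SAMPLE_LOG)):
        print(f"[{inc['severity']}] {inc['src']} -> {inc['user']}@{inc['host']}: {' -> '.join(inc['steps'])}")
```

The point of the two-stage rule is the one the text makes about triage: a single "failed then accepted" pair (alice) is noise an analyst should never see, while the same pattern joined with a later privilege change is what gets escalated. A real SIEM expresses the same logic in its own rule language and adds source enrichment (asset owner, geolocation, threat-intelligence hits) before the incident reaches a human.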
A key distinction between MDR and other related technologies (SIEM, endpoint detection and response [EDR], or extended detection and response [XDR]) is that MDR is managed, meaning it is more than just a system, it’s a service.
MDR is often billed as an extension of an in-house security operations centre (SOC), which means that your IT security staff is augmented by individuals with expertise in both the MDR platform and related skills such as incident response, root-cause analysis, and threat hunting.
The benefit to having a service-based response team is that you can more effectively respond to incidents without dramatically impacting your workforce.
This service-related component means you need to consider service-level agreements (SLAs), response times, and other benchmarks related to service performance when selecting an MDR solution.
Organisational needs will vary wildly based on company size, industry compliance requirements and other key factors. Likewise, one of the biggest impacts on your MDR budget will be the associated full-time equivalent (FTE) costs, so finding that sweet spot will be a critical decision point.
Leading MDR solution providers
Below are descriptions of 12 of the leading MDR solutions, in no particular order.
Sophos Managed Threat Response
Sophos Managed Threat Response offers 24x7 monitoring of your infrastructure and can actively identify both threats and incidents. Sophos also applies context to validated threats by correlating event source data with business resources, improving your ability to triage and respond to incidents. Sophos and its team can also take first incident response steps if needed, or simply provide recommendations for resolving root causes behind recurring incidents.
Arctic Wolf Managed Detection and Response
Arctic Wolf Managed Detection and Response is another service offering round-the-clock monitoring and management of active threats.
Arctic Wolf not only performs active threat hunting but performs continuous scanning of your systems, looking for vulnerabilities and evaluating risk. Arctic Wolf also offers an EDR solution and monitors both mobile and IoT devices, enabling you to quickly identify risk to edge devices.
Red Canary Managed Detection and Response
Red Canary Managed Detection and Response brings SLA-backed 24-hour monitoring and advanced threat detection. Red Canary also has capabilities in adversary analysis and monitoring.
In terms of tooling, Red Canary brings automation and orchestration playbooks to facilitate rapid incident response, and executive reporting on SLA metrics such as mean time to respond. For businesses where breaches or even false positives impact service availability and the bottom line, Red Canary offers detection testing and validation to help ensure service effectiveness.
Crowdstrike Falcon Complete
Crowdstrike Falcon Complete not only offers 24x7 monitoring but does so with a global team of professionals able to actively track threats in real time.
Crowdstrike’s platform is built for the cloud, meaning management tools are hosted and there is no need for additional server hardware or software in your data centre. Crowdstrike doesn’t just support monitoring cloud workloads and endpoints, identities are fair game as well.
SentinelOne Vigilance Respond
SentinelOne Vigilance Respond also monitors your infrastructure around the clock and offers an 18-minute mean time to recovery (MTTR). Perhaps the most intriguing feature SentinelOne offers is its Storyline technology, which helps you visualise the context of threats to your network, both in terms of business impact and timeline, empowering you to respond more effectively.
SentinelOne augments your SOC with security professionals who can help with incident response, digital forensics, and even malware analysis. SentinelOne offers cadence meetings (either on-demand or scheduled quarterly meetings depending on your service level) in an effort to keep your internal security team up to date on your security posture and potential threats.
Rapid7 Managed Detection and Response
Rapid7 Managed Detection and Response has scale to back its monitoring solution. With over 1.2 trillion security events tracked each week, Rapid7 has a rich data set with which to develop signatures and analytic models. Rapid7 also brings techniques like network traffic and flow detection, and even trap technologies like honeypots to identify attacks on your network early.
Monthly proactive threat hunting, full investigations and reporting on validated threats are also included, as are prioritised recommendations for responding to threats. Rapid7 also offers 24x7 monitoring by a globally distributed team of security professionals.
Alert Logic MDR Solutions
Like Rapid7, Alert Logic offers scale as a major feature in its MDR services. More than 140 billion log events are analysed daily by a globally based 24x7 SOC. Alert Logic monitors cloud platforms, a host of SaaS applications, containers, and a variety of on-premises resources.
Alert Logic also brings compliance reporting to meet a variety of industry-specific needs, including PCI, HIPAA, and SOX. Alert Logic is cloud-based and offers the ability to scale your deployment up in response to incidents, and back down once the threat is mitigated.
Integration with Slack, Microsoft Teams, ServiceNow, and other common collaboration platforms makes notification management user friendly, while custom response playbooks help formalise your incident response.
Cybereason MDR
Cybereason MDR and its 24-hour global SOC offer aggressive response times: threat detection in a minute or less, triage within five, and remediation in under half an hour. Cybereason leverages its MalOp severity score metric to assist with prioritising response efforts, as well as context and correlation of threats to help you gauge risk to your critical business services.
The MDR mobile admin app provides a simple way to visualise threats and initiate a response from anywhere. Cybereason has multiple service tiers available with monthly reports, proactive threat hunting, and next-gen antivirus as features of their premium offerings.
Binary Defense Managed Detection and Response
Binary Defense Managed Detection and Response brings its 24x7 SOC-as-a-service, boasting a 12-minute average threat response time with a guaranteed maximum of 30 minutes. Behaviour-based detection, honeypot systems, and threat hunting are used to identify threats to your network.
Active threat hunting and red-team efforts are also available to take threat identification to the next level. Binary Defense also publishes its product vision and milestone timeline in an effort to establish confidence that their long-term capabilities match up with your business requirements.
WithSecure Countercept
WithSecure Countercept is another 24x7 MDR option that claims to contain and remediate over 99 per cent of threats, the remainder of which are escalated automatically to WithSecure Incident Response.
WithSecure’s Detection and Response (D&R) team spends half of its time researching vulnerabilities and crafting detection and mitigation strategies. WithSecure also touts its “peacetime value,” where it continuously analyses your infrastructure for vulnerabilities and provides reporting that helps you harden your systems, reducing your risk of attack proactively.
Critical Start MDR Services
Critical Start MDR claims an 80 per cent reduction in false positives on day one, with escalation of less than 0.01 per cent of alerts. Critical Start monitors your systems 24x7 and offers remote or on-site incident response and digital forensics capabilities.
Critical Start integrates tightly with other security platforms that you may already have in place (MS Defender for Endpoint/Sentinel, VMWare Carbon Black, Crowdstrike, SentinelOne, Splunk, etc.) to reduce time to value, and raises visibility into your active alerts through its CriticalStart MobileSOC mobile app.
Expel Managed Detection and Response
Expel Managed Detection and Response is a 24x7 MDR service built on an XDR platform. Expel integrates with existing infrastructure through API connections, allowing for more effective threat identification and response. Expel integrates tightly with cloud-based systems (both IaaS and SaaS) to identify threats to your systems or identities (compromised identities, anomalous user behaviour, or privileged access abuse).
On-premises infrastructure is also monitored for lateral movement, malicious scripts, and evasion of defence systems. Expel leverages bots for both log and event analysis, as well as to build out context and perform threat triage.
Reporting is a strength with Expel as it provides details on incidents as well as activity it considers “interesting.” Report context includes analysis based on your own company footprint as well as the overall threat level for Expel’s entire customer base.