Market Guide

Recommendations to Security and Risk Management Leaders Responsible for Security Operations

• When the organization needs to accelerate or augment existing capabilities or when there are no existing internal capabilities, use MDR services to add remotely delivered modern 24/7 security operations center functions in a turnkey approach.
• When there are no internal 24/7 operations to respond to threats that require immediate attention, embrace containment actions as an incident response capability of MDR service providers.
• You need to assess how the MDR provider’s containment approach can integrate with your organization’s policies and procedures.
• From on-premises to cloud, ensure the MDR provider's technology stack fits well with your existing security controls and IT environment.
• Use MDR providers that have experience with use cases appropriate to your organization’s location, size, and industry vertical. To differentiate potential providers, use any unique challenges in your industry vertical.
• When security technology and device management, and compliance use cases are required, consider managed security service providers that offer MDR services. Data residency requirements may also drive the consideration of an MSSP over an MDR service provider.

Various Buyers in the Market Are Addressed by Different MDR Service Delivery Styles

• BYO technology stack
• Full technology stack from the provider
• Managed print solutions
• Technologies for monitoring cloud services, OT/ICS, and IoT

The Evolution of the MDR Service Market

During the past 12 months, some areas have highlighted how the market is evolving and maturing. As MDR services providers mature and expand their offerings, there is an expansion of threat detection and response services for cloud environments, which is steadily becoming more visible. However, it’s still early. While broad coverage for SaaS, such as via a CASB solution in the provider’s technology stack, is rare, coverage for popular SaaS applications such as Microsoft 365, Google G Suite and Box is increasing. Comprehensive coverage for infrastructure as a service (IaaS) is still in the early stage. Using proprietary technology solutions or via adding solutions to their tech stacks and service offerings, some providers have invested in monitoring IaaS and platform as a service (PaaS) via proprietary approaches.

To improve their internal SOC efficiency while assisting clients by reducing dwell time, some providers are using proprietary or commercial security orchestration, automation, and response (SOAR) tools. Some providers are starting to expose these orchestration and automation capabilities to their customers, which may require more interaction and work with the provider. This does not appeal to buyers that just want to lean on providers as the experts but appeals to buyers looking for more flexibility in interacting and customizing their MDR experiences.

The scope of log sources is expanding based on the realization that turnkey services that require a set of technologies from the provider are not optimal for organizations with existing investments in security tools as some MDR providers target more mature buyers. To detect threats, some providers are even expanding into log-agnostic analytics. With a stronger emphasis on incident response activities (not just alerting and notification), however, this approach starts to look closer to traditional SOC services from MSSPs.

It may be difficult for the customer and the provider to accommodate any log or to alert the source the customer wants. Because of the focus on monitoring a variety of log sources from whatever technologies they have deployed, instead of having the right sources generating telemetry and alerts, at the right time, in the right format, in the right locations, many customers fail with their threat monitoring, detection and response initiatives. Buyers considering MDR services need to closely evaluate and confirm the capabilities of the MDR service provider.