Managed Detection and Response (MDR), a relative newcomer in the cybersecurity realm, is starting to have a noticeable impact on enterprises seeking to better secure their operations. Research giant Gartner notes that, “By 2025, 50% of organizations will be using MDR services for threat monitoring, detection and response functions that offer threat containment capabilities.” Despite rising adoption rates, though, much confusion remains about MDR and how it should fit into enterprise IT.
MDR is typically defined as an outsourced security service that enables organizations to better detect malicious activity over the network. MDR is usually sold as a service, and vendors offer tools and technologies that integrate into a business’s IT to detect and mitigate network intrusions, malware attacks, attempted data theft and other malicious threats. MDR can be a powerful ally in the quest to contain cyberattacks, but only if deployed correctly and leveraged properly.
MDR offers obvious benefits for enterprises, but there’s enormous potential when MDR is integrated with DevOps. Many organizations are turning to DevSecOps methodologies to build cybersecurity into their development and deployment pipelines, and MDR can help.
“One challenge is that DevSecOps is a term that is poorly defined in most cases, and misunderstood in many others,” said Dave Martin, senior director, product management – threat response at Open Systems. “Some people think of DevSecOps as an extension of a quality assurance department, which means that cybersecurity is mostly an afterthought, and not part of the development cycle. MDR, at least how we do it at Open Systems, brings forth a full-time security operations layer, which includes a security analyst, that can become part of the DevOps team,” Martin said.
Martin makes an interesting point. As more organizations attempt to implement DevSecOps, both knowledge and action are lacking. MDR has the potential to supplement that knowledge with insight into the security posture of the code being generated. Many organizations leave cybersecurity to the network or operations teams, expecting endpoint or network security tools alone to contain threats. However, many threats in the wild leverage older code or target unpatched applications. MDR can enable DevOps teams to get ahead of the latest threats by keeping developers informed about evolving threats and vulnerabilities, as well as by incorporating tools for continuous cybersecurity into the development and deployment pipelines. One of the core concepts of MDR is providing access to experts who can take action to mitigate an attack. This is an important consideration, according to the Enterprise Strategy Group, which reports that 51% of survey respondents face a problematic shortage of cybersecurity skills.
What’s more, MDR becomes a tool to secure the DevOps environment, as well as a tool for developers to make code more secure. “It is critical to find advanced threats, ones that may have bypassed existing security controls, before those threats impact DevOps, yet people need to be made aware of those threats so they are not mistakenly included in the development pipeline,” said Martin.
Choosing an MDR Provider
With so many players in the MDR space, choosing a provider that fits into a DevOps and enterprise strategy can be daunting. According to Reports and Data, the global MDR market is expected to grow at a CAGR of 30.4%, reaching $4.6 billion by 2026. Today, providers number in the dozens, and while many claim to have “complete” offerings, they may not address the needs of DevSecOps alongside traditional network operations concerns.
There are some important considerations when choosing an MDR platform. For example, visibility of the attack surface is a critical concern: if an MDR provider does not have visibility into all potential attack surfaces, breaches and compromises may still occur. Adopters should also be keenly aware of how false positives are handled, as well as the expected level of alert activity; many cybersecurity solutions introduce alert fatigue, which makes their real effectiveness hard to judge. Automation should be a key part of any MDR solution, as it can help to categorize threats, initiate responses and identify the latest threat trends without human interaction.
“MDR should tear down many of the cybersecurity silos that businesses have today, and bring the various pieces of IT together into a unified cybersecurity sensitive culture,” said Martin.
Ultimately, MDR is about people, processes and technology, and should bring these elements together to ensure success in the ongoing battle against cybercriminals.