Three acronyms swirl around today’s security discussions: Managed Detection and Response (MDR), Managed Security Service Provider (MSSP), and Security Incident and Event Management (SIEM).
While all three of these concepts are often discussed in the same conversation, one (SIEM) is really a tool while the other two (MDR and MSSP) are services that can work with it.
The role each can play in an integrated security plan will determine the success or failure of an organization’s cybersecurity protection strategies.
Now let’s examine the advantages and limitations of each solution and how they function in a layered digital protection platform.
What Does a SIEM Do?
SIEM can identify, monitor, record, and analyze security events in real-time. It provides a comprehensive and centralized view of the security scenario of an IT infrastructure.
SIEM can be used by either an MDR or an MSSP, or it can be used by an organization that has decided to develop its own internal security operations center (SOC).
SIEM Log Evaluation and Retention Becomes a Challenge at Scale
But here’s where the real challenge comes in with SIEM: Depending on the size of the organization, the amount of security logs that a team needs to ingest, process, and use to identify threats can be massive. The question often becomes one of risk management versus efficiency.
A small business may be able to deploy a SIEM and monitor it themselves. Since they may only need to monitor 20 endpoints, a handful of people can accomplish that task efficiently.
But a larger organization, with exponentially more endpoints and volume of logs, needs to address questions such as:
- How long will we save logs?
- Are we capturing peak traffic separately?
- Will logs be deleted or placed into cold storage?
The short answer, in this case, is that logs should be saved beyond the typical 14-day rotation and really should be kept at least 2-3 months to trace back the source of an attack. But the deeper answer is often guided by the risk tolerance of the business.
Log File Retention Policies Vary by Industry
Industries such as insurance and healthcare have liability concerns that often drive them to store logs indefinitely. Other industries may draw the attention of nation-states or criminal hackers.
A business’s security plan must also consider its technology stack and how these logs will be monitored and ultimately stored.
This is why MSSP or MDR solutions are helpful: they can support an organization in making these decisions and help lift what could be an unmanageable surveillance burden for the organization to tackle alone.
How MDR and MSSP Breach Response Methodologies Differ
If an organization is working with a third party, the question then moves from surveillance to analysis. An MSSP will take incident and event data from a client’s SIEM and monitor it 24/7. Think of it as an outsourced SOC.
The service of an MSSP is the same as if an organization staffed up by an additional 20-30 team members to monitor events themselves while being able to eliminate the overhead of hiring staff internally.
MSSP Solutions Expect the Client to Respond to Security Incidents
But the downside of this type of outsourcing is that the client needs to make sure that the tools the MSSP uses are compatible with their own technology stack. Also, monitoring and notifications are about as far as this type of service typically goes.
There may be some limited assistance in the area of incident response, but for the most part the client, once notified of an incident, must now formulate their own response. And since the client is basically feeding event information to the MSSP, they are now trusting a third party with their data.
MDR Providers Offer More Robust Breach Response
By comparison, an MDR uses their own SOC, solutions, and infrastructure.
Effective MDRs also have a much deeper and more sophisticated response plan in place to identify both vulnerabilities and threats, and then take a dynamic response to mitigate those issues.
The Benefits of MDR Services vs. MSSP
| FEATURE | MDR | MSSP |
| Event monitoring augmentation | • | • |
| Vendor-run SOC | • | |
| Whitelist/blacklist approach | • | |
| Focus on high-priority alerts | • | • |
| Focus on medium-priority alerts | • | |
| Focus on low-priority alerts | • | |
| Dynamic incident response team | • | |
| Active response to stop threats in progress | • | |
| Transparency into actions taken | • |
MDRs work with the client to identify actions and network events that are normal to develop a whitelist/blacklist approach. This will establish trusted behaviors upfront, so the team can focus on the real threats.
MDR solutions also provide the unique ability to pay attention to even small and medium alerts through an efficient model that shows exactly the information needed.
Incident Response Built Into the MDR Model
When threats are identified, an MDR service provider utilizes its own cybersecurity incident response team that can respond to a threat on behalf of the client. Working through endpoint tools, the team can identify the source of the threat back to the root cause.
Rapid Threat Response Reduces Dwell Time and Mitigates Damage
As an example, let’s say an attacker gains access to a password and enters through an endpoint. The MDR team can shut down that password before the attacker can move laterally through other devices in the system.
If the attacker entered through other means, systems can be isolated and quarantined before the event can spread or critical data can be compromised. Since this team can make an active response on behalf of the client, dwell time is dramatically reduced, and attacks can be stopped before significant damage occurs.
Transparency Is Crucial
Because of this level of capability, an MDR should typically be more transparent about their process and the “why” behind the actions taken. After an event, the MDR team can share a detailed report with the client so they can understand what happened, what steps were taken, and recommendations for strengthening the organization’s security posture moving forward.
Understanding the Differences Between MDR & MSSP Is Critical for Your Organization
Spend some time to learn the different security postures within MDR and MSSP and how they can work with a SIEM platform to alleviate some of the burdens from your internal security team.
These differences are significant and important, but worth the investment to discover how they can impact the security of your own organization.
By working with a vendor that has the right model to meet not only your individual threat matrix but also understands your technical operation environment, you can develop a plan that can stay ahead of whatever challenge you’re facing.
Contact CRITICALSTART for More Info About Our MDR Solution
CRITICALSTART’s Managed Detection and Response allows you to resolve every alert and stop breaches. Contact us today to learn more and schedule a demo.
