How to Choose an MDR Solution

Managed Detection and Response (MDR) solutions are specialized security services that allow an organization to outsource the management of Endpoint Detection and Response (EDR) products installed across its network domain. According to Gartner, MDR provides real-time threat hunting to detect malicious activity on individual endpoints, actively mitigates identified threats, and pushes alerts for further investigation to the MDR service provider’s SOC. MDR services give an organization access to security experts specializing in threat hunting, analysis, and response, relieving it of the burden of complex and critical security operations.

Types of MDR

  • Bring-Your-Own Security Stack / Hybrid Solution
  • Full Vendor-Supplied MDR Stack
  • Cloud MDR Solution
  • Managed Extended Detection and Response (Managed XDR)
  • Custom MDR Solutions

There are several ways MDR services can be packaged and delivered depending on an organization’s specific technology environment and risk requirements. The standard MDR delivery platform is a centrally managed, multi-tenant Cloud platform that gives customers access to log management, orchestration, real-time analytics, and a user interface (UI) dashboard.

MDR services can be differentiated by whether they integrate with the security products already deployed across an environment (Bring-Your-Own Security Stack) or operate only as a standalone platform (Full Security Stack). Most MDR solutions are limited to two endpoint detection products: EDR agents and multifunction Network Security Monitoring (NSM) applications. These products are not typically environment agnostic and support a limited set of vendors and technologies.

Leading MDR vendors can develop custom agents to protect email, Cloud services, DNS, IoT and medical devices, and Industrial Control Systems (ICS) and SCADA networks. MDR providers are also increasingly offering support for Cloud environments with Cloud Security Posture Management (CSPM), Cloud Access Security Broker (CASB), and Cloud Workload Protection Platform (CWPP) capabilities.

Components of an MDR Solution

Platform admin and analytics dashboard

EDR Agents

  • Workstation Agents
  • Server Agents
  • Network Security Monitoring (NSM) Agents
  • Email Server Agents
  • DNS Server Agents
  • IoT / Medical Device Agents
  • ICS / SCADA Security Agents

Outsourced SOC team monitoring and threat response services

What Makes a Good MDR Solution?

An MDR solution combines Endpoint Security products with MDR services. When evaluating an MDR solution, assess the associated EDR products and the cybersecurity services separately.

It's a good idea to evaluate MDR products on their ability to reduce malware dwell time: detecting a broad scope of threats and responding quickly enough to prevent the malware from impacting the affected system.

The effectiveness of an MDR solution also depends on its ability to detect known and unknown threats and to make use of new threat intelligence as it becomes available. If an MDR product includes extended capabilities (as with Managed XDR), it should correlate security telemetry and orchestrate a cohesive response across the network environment in real time, pushing updated detection knowledge to all endpoints.

It's also a good idea to evaluate an MDR provider in terms of its commitment to delivering services—such as whether the service includes 24/7 support availability and how comprehensive its service-level agreement (SLA) is. Consider as well the size and reputation of the service provider to establish a level of trust, the potential scalability of its services, and its ability to produce, digest, and act on global cyber threat intelligence (CTI). Some MDR providers also offer comprehensive threat remediation, mitigation services, and products customized for an organization’s unique environment.
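The two evaluation criteria above (dwell-time reduction, and 24/7 coverage with SLA compliance) are easier to compare across providers when they are turned into numbers. The following script is an added example, not code from the original page or from any MDR vendor: it takes a constructed set of incident timelines from a proof-of-concept period, computes median dwell time and time-to-contain per provider, and checks each incident against assumed SLA thresholds (30 minutes to alert, 4 hours to contain). The `Incident` dataclass, the provider names "A" and "B", the thresholds and the business-hours window are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

# Hypothetical SLA thresholds for the evaluation (assumed, not any vendor's terms).
DETECT_SLA = timedelta(minutes=30)   # alert raised within 30 min of first malicious activity
CONTAIN_SLA = timedelta(hours=4)     # threat contained within 4 h of first malicious activity


@dataclass
class Incident:
    provider: str
    first_activity: datetime          # earliest evidence of the threat on the endpoint
    detected_at: datetime             # when the provider's SOC raised the alert
    contained_at: Optional[datetime]  # when the endpoint was isolated/remediated; None if never


def dwell_time(inc: Incident) -> timedelta:
    """Time the threat sat undetected: first activity -> alert."""
    return inc.detected_at - inc.first_activity


def time_to_contain(inc: Incident) -> Optional[timedelta]:
    """Time from first activity to containment; None if the threat was never contained."""
    if inc.contained_at is None:
        return None
    return inc.contained_at - inc.first_activity


def is_off_hours(ts: datetime) -> bool:
    """Outside Mon-Fri 08:00-18:00 (assumed business hours); used to test the 24/7 claim."""
    return ts.weekday() >= 5 or not (8 <= ts.hour < 18)


def scorecard(incidents, detect_sla=DETECT_SLA, contain_sla=CONTAIN_SLA):
    """Per-provider metrics: median dwell, median time-to-contain, SLA hit rates,
    uncontained incidents, and detection SLA hit rate for off-hours incidents only."""
    by_provider = {}
    for inc in incidents:
        by_provider.setdefault(inc.provider, []).append(inc)
    result = {}
    for provider, incs in by_provider.items():
        dwell = [dwell_time(i) for i in incs]
        contain = [time_to_contain(i) for i in incs]
        contained = [c for c in contain if c is not None]
        off = [i for i in incs if is_off_hours(i.first_activity)]
        result[provider] = {
            "incidents": len(incs),
            "median_dwell_min": median(d.total_seconds() for d in dwell) / 60,
            "median_contain_min": (median(c.total_seconds() for c in contained) / 60)
                                  if contained else None,
            "detect_sla_met_pct": 100 * sum(d <= detect_sla for d in dwell) / len(incs),
            "contain_sla_met_pct": 100 * sum(c is not None and c <= contain_sla
                                             for c in contain) / len(incs),
            "uncontained": sum(c is None for c in contain),
            # None when no off-hours incident occurred during the evaluation period
            "off_hours_detect_sla_met_pct": (100 * sum(dwell_time(i) <= detect_sla for i in off)
                                             / len(off)) if off else None,
        }
    return result


# Constructed sample timelines for two hypothetical providers during the same test week.
# 2024-03-04 is a Monday; 2024-03-09 is a Saturday (off-hours incident).
SAMPLE_INCIDENTS = [
    Incident("A", datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 10, 12), datetime(2024, 3, 4, 11, 0)),
    Incident("A", datetime(2024, 3, 9, 2, 0), datetime(2024, 3, 9, 2, 20), datetime(2024, 3, 9, 5, 30)),
    Incident("A", datetime(2024, 3, 5, 14, 0), datetime(2024, 3, 5, 14, 45), datetime(2024, 3, 5, 16, 0)),
    Incident("B", datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 10, 15), datetime(2024, 3, 4, 12, 0)),
    Incident("B", datetime(2024, 3, 9, 2, 0), datetime(2024, 3, 9, 9, 0), None),  # weekend: slow, never contained
    Incident("B", datetime(2024, 3, 5, 14, 0), datetime(2024, 3, 5, 14, 10), datetime(2024, 3, 5, 14, 40)),
]

if __name__ == "__main__":
    for provider, metrics in scorecard(SAMPLE_INCIDENTS).items():
        print(provider, metrics)
```

Provider B looks better on median dwell time (15 minutes versus 20) but misses the detection SLA on its only off-hours incident and never contains it, which is exactly the 24/7 coverage gap the SLA review is meant to surface; the off-hours breakdown is what keeps a business-hours median from hiding that.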

How to Choose the Right MDR Provider for Your Organization

Selecting the right MDR provider for your organization requires a comprehensive analysis of its risk requirements and operational technologies. Decision-makers should understand where operational criticality and sensitive data lie in their network, which technologies are used, and how the threat landscape applies to their organization on a department-by-department basis. This high-level understanding gives an organization the information it needs to evaluate each MDR provider in terms of product and service offerings.

Performance benchmarks for top Endpoint Security solutions are also published in independent research reports such as the MITRE Engenuity ATT&CK Evaluations. These evaluations offer insight into how a particular vendor's products performed against targeted simulated attacks, which can help you understand how a solution compares to its competitors'.

Companies of all sizes must now contend with a growing number of devices, each one adding to their attack surface. And they must do so while balancing skill gaps and resource shortages, all while hoping they don’t end up in an adversary’s crosshairs. This is challenging enough for larger organizations, but for small and mid-sized businesses, it verges on impossible.

As a human-centric subscription-based 24x7x365 MDR with XDR service, CylanceGUARD® provides the expertise and support businesses need. CylanceGUARD combines the comprehensive expertise embodied by BlackBerry Cybersecurity Services with AI-based Endpoint Protection (EPP) through CylancePROTECT®, continuous authentication and analytics through CylancePERSONA, and on-device threat detection and remediation through CylanceOPTICS®. In short, it provides businesses with everything they need to contend with a modern threat landscape—no matter what that landscape throws at them.