MSSPs On Why MDR Isn’t Always Enough

MDR is seeing off-the-charts growth, but many MSSP executives say a typical MDR offering is not nearly as comprehensive as the full complement of cybersecurity services they offer.

Managed detection and response continues to see strong demand as organizations increasingly seek outside assistance with their cybersecurity. But the wide variety of uses of the term has created a high degree of ambiguity in the market—in some cases making it difficult for customers to tell the difference between MDR vendors and MSSPs.

“You can ask 15 different cybersecurity practitioners or architects, ‘What defines an MDR?’ and you’ll get many different answers to that,” said Brad Davenport, vice president of technical architecture for cybersecurity, networking and collaboration at Bloomfield Hills, Mich.-based Logicalis US.

Core criteria for MDR, according to research firm Gartner, is that it provides a human-led, remotely delivered service that includes around-the-clock detection, analysis, investigation and response to threats.

[RELATED: Cyber Insurance Primer: How To Avoid The Pitfalls]

MDR has seen stunning growth in recent years: According to the latest figures available from Gartner, the MDR market surged 48.9 percent in 2021. By 2025, it has predicted that the portion of organizations using MDR services will rise to 60 percent, doubling the percentage from earlier this year.

MDR is “a simple and easy-to-understand solution that’s focused on the outcome,” said Pete Shoard, vice president and analyst at Gartner. Compared with many other offerings in the cybersecurity sphere, MDR is “much more outcome-driven,” which has broad appeal in today’s environment, he said.

Many MSSP executives, however, contend that a typical MDR offering is not nearly as comprehensive as the full complement of cybersecurity services offered by many MSSPs.

“MDR is a portion of what somebody should do” for their organization’s management of cybersecurity, said Adam Gray, CTO of Novacoast, a large Wichita, Kan.-based MSSP. “The problem is that when you rely solely on an MDR service, there’s a lot of things that are missing.”

Many MDR providers point to the fact that they offer 24x7 monitoring from a Security Operations Center (SOC), for instance. But unlike traditional SOC services that provide complete coverage of all users, devices and environments, many MDR platforms just monitor endpoints, according to Gray.

Such MDR platforms are “almost entirely reliant on having an endpoint protection tool to tell them that there’s a problem,” he said. And today’s threat actors target a lot more than just the endpoint.

MDR services that focus on the endpoint “essentially look for the behaviors of malware. And the problem is that the behaviors of malware are not really the most effective way, at this point, to find compromise,” Gray said.

For instance, “credential theft from your Azure tenant is probably not going to get picked off very well with an MDR tool because it might not source from a machine that you have an endpoint agent on,” he said.

Ultimately, many MDR providers are “very limited in their global view,” Gray said.

For MDR vendors that are solely offering management of an endpoint detection and response (EDR) tool, that should probably be considered a “misuse” of the term “MDR,” according to Stel Valavanis, founder and CEO of onShore Security, a Chicagobased MSSP.

“If they’re only taking the telemetry from their endpoint, that’s not really MDR,” Valavanis said.

This tendency has led to a situation where providers of MDR services need to draw a distinction between “full-telemetry” MDR—which incorporates more data sources than just endpoint— and MDR that is simply managed EDR, he said.

“We should not have to qualify that,” Valavanis said. “I find it very frustrating.”

The bottom line is many MDR vendors don’t offer the same level of data ingestion available with “more robust” technologies such as SIEM (security information and event management) or MXDR (managed extended detection and response), said Ben Masino, CRO at Avertium, a Phoenix-based MSSP. “They’re more limited in that way,” said Masino, who previously was a sales executive at MDR vendor Alert Logic.

Still, some MDR providers are “very good at deploying quickly across diverse environments,” he said. “They provide a good quality of service for a customer who wants that.”