Managed security services are undergoing a timely and significant transformation, armed with new hyper-scalable technology stacks, hybrid enterprise and cross-cloud protection complexities, and a demand to evolve from 24/7 eyes-on-glass into hands-on customer-integrated early warning and response. If it wasn’t a tired industry cliché we’d probably be adding “next-generation” or NG prefixes to many of these newly transformed managed services.
That transformation of traditional managed security services provider (MSSP) offerings, combined with an explosion of software product vendors and consulting services providers entering the fray with their newly hybridized managed detection and response solutions, is confusing to many. Whether from an MSSP, security product vendor or a consulting services provider pitch, the same vocabulary and acronyms increasingly mean different things.
Endpoint protection platforms (EPP) have evolved over the past decade from alert-generating megaphones into standalone, powerful endpoint detection and response (EDR) solutions. Key to that evolution is the incorporation of progressively advanced machine learning threat detection capabilities and automated remediation. Although EDR continues to grow smarter and more capable, a diverse portfolio of managed services is being welded to them to enhance threat protection and remedy capabilities.
As such, in broad strokes EDR solutions (and the market in general) is evolving into managed detection and response (MDR).
For product vendors, MDR is tied to advanced manageability and proprietary services almost exclusively built around enhancing their own stand-alone EDR product (and may extend to data ingestion and analytics of integrated partnered products). For MSSPs and consulting services providers, MDR typically refers to the addition of human-led detection and response capabilities provided 24/7 and layered upon EDR suites from one or more vendors.
Recently the term XDR (extended detection and response) has become a catch-all for combined endpoint, network, and cloud-based detection and response. MSSPs tend to imply that “XDR” is a managed service and often a component of an outsourced and managed SOC (security operations center) offering.
Tight product integrations and security ecosystem fusions with automation have made it exponentially easier to provide managed detection and response across a broader range of security products and technologies — and easier for service providers to offer highly scalable and managed XDR (or EDR, NDR or MDR) detection and response solutions.
Meanwhile, some software and SaaS vendors have launched stand-alone XDR products that aggregate detection alerts and automate response across multivendor EDR, NDR (Network Detection and Response) and CSPP (Cloud Security Protection Platform) products — enabling third-party human specialists to transform their XDR product into a managed service.
It can feel like a Monty Python sketch when speaking with a product vendor: XDR and managed XDR (MXDR) are different solutions, but EDR and MDR may mean the same thing because vendor-provided management is often part of the product purchase subscription. For an MSSP, managed EDR is different from MDR, but MDR and XDR may be the same thing.
The inclusion and advancement of machine learning is the key ingredient to modern managed detection and response solutions. For example, supervised and deep learning methods play such a fundamental role in bulky detection triage processes that they’ve effectively eliminated the traditional mind-numbing tier-one security analyst role. Meanwhile, Natural Language Processing (NLP) and anomaly clustering, along with no-code playbook automation, is simplifying threat hunting and response — removing the daily grind tier-two analysts tend to face. “Virtual analyst” is the term we’ll hear with growing regularity.
MSSPs and EDR vendors may have commenced their detection and response journeys from different starting points, but they are converging to roughly the same solution and reinventing the managed security services market along the way. Virtual analyst technology (and the advances in ML and AI that lay behind its efficacy) will assuredly drive further innovation in managed services, with the next click-stop on this journey likely being autonomous SOC (or SOC-as-a-Service).
-- Gunter Ollmann
First Published: SecurityWeek - Feb 9th, 2021
