MDR, MSSP, SIEM, EDR, etc.: the world of managed IT security has far too many acronyms, each of which represents a different product or service. Below, we’ll unwrap some of the most common acronyms, describe what their related services entail, and give examples of the types of organizations that typically use them.
Managed Detection and Response, aka ‘MDR’, is an IT cyber security service that detects intrusions, malware, and malicious activity in your network and assists in rapid response to eliminate and mitigate those threats. Quality MDR services have a very light footprint on your network and use a combination of human analysts and technology to eliminate false positives, identify real security threats, and develop incident responses in real time. While the average time across industries to detect a compromised asset is close to 198 days, MDR typically reduces that to hours, and therefore minimizes the impact of a security event. Some MDR providers also offer remediation solutions, such as CI Security's rapid quarantine solution, to manage all aspects of incident response when a security incident occurs.
The clearest need for MDR is among organizations that have a regulatory requirement to provide effective detection and response (healthcare, financial services, etc.), yet have no fully staffed Security Operations Center (SOC). These organizations frequently struggle to recruit and retain in-demand IT security professionals. At the same time, these are the organizations that hold high-value targets for cybercriminals, making effective, auditable response that much more critical.
MSSP is the predecessor to MDR. Managed security service providers (MSSPs) monitor network security events and send alerts when anomalies are identified. MSSPs do not investigate the anomalies to eliminate false positives, nor do they actively respond to security threats. Some MSSPs also provide a variety of other network services such as virus protection and firewall management (see: What is an MSSP?).
MSSPs are best suited for organizations that do not have sensitive data (payment records, health records, intellectual property, etc.) and want the basics of their detective controls handled by a third party. MSSPs can help focus investigation efforts, but leave it up to you to perform the actual investigations, eliminate false positives, and prepare incident responses.
Over the past couple of years, as MDR has become the industry-leading managed IT security service, some MSSPs have tried to characterize their services as MDR simply by applying the language of MDR to their marketing materials and sales presentations. This is something to be aware of when choosing between IT security service providers. Be sure to validate against your requirements!
The term SIEM, or Security Information and Event Management (see: What is a SIEM?), refers to a wide variety of products and services that range from technology-only solutions, to technology with administrative management, to managed IT event processing and alerting. SIEM solutions combine data about network traffic and events from multiple sources and correlate that data to highlight items that require further investigation. The “management” part can range from running the technology as outsourced administration (security maintenance, tuning) all the way to notification of events requiring investigation, effectively a “lightweight” MSSP.
Managed SIEM solutions are generally cheaper than MDR or MSSPs and fulfill a number of regulatory requirements, such as the Payment Card Industry Data Security Standard (PCI DSS). Organizations that have robust in-house IT security teams and are interested in additional prioritization of investigations may be well served by SIEM solutions, as the technology requires a good deal of interaction with an operator or analyst to be effective. Note that many managed SIEM vendors require the purchase of a specific technology product rather than leveraging your existing investments.
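To make the SIEM description above concrete, here is an added example (not code from the original article or from any vendor named in it) of the core SIEM step: events from two sources are normalized onto one schema and correlated by source IP, and the output is a list of items for an analyst to investigate, not a verdict. The log lines, field names and the 445/3389 "sensitive port" list are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real logs): a VPN gateway and a perimeter firewall.
VPN_LOG = [
    "2024-01-10T08:00:01 vpn auth-fail user=alice src=203.0.113.9",
    "2024-01-10T08:00:04 vpn auth-fail user=alice src=203.0.113.9",
    "2024-01-10T08:00:07 vpn auth-fail user=alice src=203.0.113.9",
    "2024-01-10T08:00:10 vpn auth-ok user=alice src=203.0.113.9",
    "2024-01-10T08:05:00 vpn auth-fail user=bob src=198.51.100.4",
    "2024-01-10T08:06:00 vpn auth-ok user=bob src=198.51.100.4",
]
FW_LOG = [
    "2024-01-10T08:00:30 fw allow src=203.0.113.9 dst=10.0.0.5 dport=445",
    "2024-01-10T08:07:00 fw allow src=198.51.100.4 dst=10.0.0.7 dport=443",
]

VPN_RE = re.compile(r"^(\S+) vpn (auth-\w+) user=(\S+) src=(\S+)$")
FW_RE = re.compile(r"^(\S+) fw (\w+) src=(\S+) dst=(\S+) dport=(\d+)$")

def normalize(vpn_lines, fw_lines):
    """Map both sources onto one schema so events can be joined on source IP."""
    events = []
    for line in vpn_lines:
        ts, action, user, src = VPN_RE.match(line).groups()
        events.append({"ts": ts, "src": src, "type": action, "user": user})
    for line in fw_lines:
        ts, action, src, dst, dport = FW_RE.match(line).groups()
        events.append({"ts": ts, "src": src, "type": "fw-" + action, "dst": dst, "dport": int(dport)})
    return sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort correctly as strings

def correlate(events, fail_threshold=3, sensitive_ports=(445, 3389)):
    """Flag a source with >= fail_threshold auth failures, then a success, then a
    firewall-allowed connection to a sensitive port. Output is a queue for an analyst."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        fails, authed = 0, False
        for e in evs:
            if e["type"] == "auth-fail":
                fails += 1
            elif e["type"] == "auth-ok" and fails >= fail_threshold:
                authed = True  # success after a burst of failures: suspicious, not proof
            elif authed and e["type"] == "fw-allow" and e["dport"] in sensitive_ports:
                findings.append({"src": src, "failures": fails, "dst": e["dst"], "dport": e["dport"]})
    return findings
```

The second source (bob, one failure then success) produces no finding, which is the point: the correlation rule narrows what a human looks at, and the MDR or in-house analyst still has to confirm whether the flagged item is a real incident or a user mistyping a password.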
EDR is a type of MDR-lite that focuses on endpoints or hosts. Unlike Critical Insight's Managed Detection and Response, endpoint detection and response (EDR) services typically utilize a software agent installed on endpoints that sends information to a centralized database for analysis. In general, this “analysis” is limited to matching a signature or pattern that indicates a security event is in progress; some products, however, use statistical baselining and even artificial intelligence to make that determination. EDR services can disable communication at an endpoint when an incident is identified, for rapid quarantine. Human analysis is still required to avoid false positives and the unwarranted shutdown of a device, and that task is typically assigned to in-house IT security, networking, or desktop staff.
EDR services are best suited for organizations with a large number of similar, non-critical devices (endpoints), such as company-issued employee laptops, over which the organization has complete authority (as in the finance sector). It is not a great fit for organizations with a wide variety of devices, especially if those devices are critical to the organization’s mission (think networked medical devices), or for organizations that lack the staff to analyze the data aggregated by the EDR solution and confirm an incident prior to quarantine.
Managed log monitoring goes by a number of names: Managed Logs, Log Management, Log Monitoring, etc. Whichever name you prefer, these monitoring services all exist to examine the logs generated by the many components of your network in order to identify malicious activity. Log management services have been around for many years, and a number of the other security services in this article include some level of log management.
Organizations that fall under HIPAA, GLB, PCI DSS, and similar regulations need some sort of log management. This can be done in-house or through a third-party provider. However, since a variety of other managed cybersecurity services include log management (MDR and many MSSPs, for example), most organizations are better served by a more robust, comprehensive managed security services provider.
SOC-as-a-Service is typically just another name for Managed Detection and Response (MDR). However, if you are considering a “SOC-as-a-Service” offering alongside a true MDR service, ensure that the SOC-as-a-Service does indeed include all the same detection and response services as MDR.
Interested in learning more about Managed Detection and Response and how our expert information security analysts can serve as an extension of your team? Learn how our Critical Insight Managed Detection and Response solution and consulting services can help you solve your biggest security challenges: contact us today!