First there was endpoint detection and response (EDR). The idea was to secure all endpoints – PCs, laptops, tablets, servers – against threats. However, the field became so complex and involved so many technologies that small businesses struggled with implementation, maintenance, and operations.
Enter managed detection and response (MDR) as an outsourced service to provide these organizations with a wide range of protection and threat hunting services. Not only is software or a web-based service available, but providers often add expert support personnel to help monitor networks, analyze incidents, and respond to security incidents.
This helps small and mid-sized businesses (SMBs) get around a perennial problem – a lack of in-house IT expertise or bandwidth to deal with the challenges of business cybersecurity. After all, the security field shifts at a fast pace. New viruses, ransomware, and phishing strategies are dreamed up by the bad guys at a dizzying rate. Security firms then respond with an unending outpouring of fixes, patches, security system updates and new tools to protect organizations. Staying on top of all that is a challenge many large organizations fail at; SMBs can feel overwhelmed.
Another challenge addressed by MDR providers is thoroughness of security implementation. Oftentimes, SMBs are sold EDR tools but fail to deploy them efficiently or configure them correctly. They tend to use a small fraction of available functions and remain open to attack despite possessing sufficient defensive tools.
How about alerts? The average SMB doesn’t have the time to scroll through the many screens and apps to figure out what is important among hundreds of entries and what can be ignored. MDR services take that task away from IT. Many MDR providers can drill down to find the root causes behind incidents and make recommendations about needed changes.
Core Components of MDR
By outsourcing security operations – either in whole or in part – to an MDR provider, SMBs can increase their ability to detect and respond to threats before they turn into breaches. The functions needed tend to vary from one SMB to another depending on risk, but MDR services tend to provide most of these functions:
- Threat hunting: Threat hunting is aimed at finding threats before they’re able to deploy ransomware or access critical data.
- Threat intelligence: Intelligence is key to understanding threat actors and the ways they operate. Security teams can gain a better understanding of specific threat actors and their most commonly used tactics, techniques and procedures (TTPs) in order to prepare their environments to more effectively defend against the most prominent threats.
- Threat response: The ability to take targeted actions to neutralize threats on the customer’s behalf versus simply notifying them of potential or imminent threats. An effective MDR not only can provide remediation actions when a potential threat is lurking, but also incident response actions when an active attacker is at work.
- Coverage: The service should be 24/7/365, with analysts who can respond any time of day or night.
- Technologies included or integrated: When evaluating an MDR service, it is important to make sure that the technology used by the operators is included in the price of the service. Some will require you to purchase your own tools (such as endpoint protection and EDR) separately. Others will offer the full technology stack in addition to the services component. However it’s accomplished, an organization needs to be able to share its endpoint and network data with the MDR provider.
- Expertise: How big is the service? How many attacks have they stopped? You want to be backed by a team that has the experience to not only detect an attack, but also the ability to quickly investigate and respond.
- Antivirus: A lot of organizations are still relying on signature-based AV technology. Machine learning is becoming the gold standard for classifying events as good or bad, even if the algorithm has never encountered an event of its kind before, and behavioral-based detection is another technology for discovering unusual or novel attacks.
- Real-time visibility: MDR offerings need granular real-time endpoint visibility to catch and stop attackers.
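To make the distinction between signature-based and behavioral detection concrete, here is an added example (not code from the page or from any of the vendors reviewed). It runs two detection passes over constructed endpoint process events: an IoC pass that matches file hashes against a known-bad list, and a behavioral pass that flags an office application spawning a scripting host regardless of hash. It also shows the "sweep" pattern, where a newly published IoC is re-checked against already-collected telemetry. All hostnames, hashes and events are constructed placeholders.

```python
"""Signature (IoC) matching vs. behavioral detection over constructed endpoint telemetry."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass
class ProcessEvent:
    """One process-creation record as an EDR agent might report it (constructed)."""
    host: str
    parent: str
    image: str
    cmdline: str
    sha256: str


@dataclass
class Finding:
    host: str
    kind: str       # "ioc" (signature match) or "behavior" (rule match)
    rule: str
    severity: int   # 1 = low, 3 = high; used for triage ordering
    event: ProcessEvent


# Constructed IoC list. These are placeholder hashes, not hashes of real samples.
KNOWN_BAD_SHA256: Set[str] = {"a" * 64}

# Behavioral rule inputs: an office application that launches a script host is
# unusual for most users and is a common sign of a malicious document.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def signature_match(ev: ProcessEvent, iocs: Set[str]) -> Optional[Finding]:
    """Signature-style check: the image hash is on the known-bad list."""
    if ev.sha256.lower() in iocs:
        return Finding(ev.host, "ioc", "known-bad-hash", 3, ev)
    return None


def behaviour_match(ev: ProcessEvent) -> Optional[Finding]:
    """Behavioral check: parent/child relationship, independent of any hash."""
    if ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SCRIPT_HOSTS:
        return Finding(ev.host, "behavior", "office-spawns-script-host", 2, ev)
    return None


def sweep(events: Iterable[ProcessEvent], iocs: Set[str]) -> List[Finding]:
    """Run both detectors over a batch of events and return findings, highest severity first.

    Re-running this over stored telemetry with an updated IoC set is the
    'sweep for newly identified IoCs' pattern described in the text.
    """
    findings: List[Finding] = []
    for ev in events:
        for f in (signature_match(ev, iocs), behaviour_match(ev)):
            if f is not None:
                findings.append(f)
    # Stable sort keeps event order among findings of equal severity.
    findings.sort(key=lambda f: -f.severity)
    return findings


# Constructed sample telemetry: a benign browser launch, an office app spawning
# PowerShell (unknown hash), and an updater whose hash is on the IoC list.
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", "explorer.exe", "chrome.exe", "chrome.exe", "b" * 64),
    ProcessEvent("ws-02", "winword.exe", "powershell.exe", "powershell.exe", "c" * 64),
    ProcessEvent("ws-03", "svchost.exe", "updater.exe", "updater.exe", "a" * 64),
]


if __name__ == "__main__":
    for f in sweep(SAMPLE_EVENTS, KNOWN_BAD_SHA256):
        print(f"{f.host}: {f.kind} sev={f.severity} rule={f.rule} image={f.event.image}")
    # Later, a new IoC is published for the PowerShell launch on ws-02: the sweep
    # over stored events now raises it as a signature hit as well.
    print("after IoC update:", len(sweep(SAMPLE_EVENTS, KNOWN_BAD_SHA256 | {"c" * 64})), "findings")
```

The point the example makes is the one the list item makes: the ws-02 event is caught only by the behavioral rule until its hash is added to the IoC list, while the ws-03 event is caught only by the hash. A service that relies on signatures alone misses the first case until intelligence catches up; behavioral rules cover the gap, at the cost of needing triage (hence the severity ordering).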
Best MDR Services for SMBs
We reviewed many MDR services to find the best ones for SMBs. Here are the top ones in our analysis:
Trend Micro offers an integrated managed service across email, endpoints, servers, cloud workloads, and networks. Its managed detection and response service, Trend Micro Managed XDR, drives improvements in time-to-detect and time-to-respond, while minimizing the risks and impact of threats.
Trend Micro’s standout features:
- Users can choose to monitor email, endpoints, servers, cloud workloads, and/or network security solutions
- Email protected by Trend Micro Cloud App Security for Microsoft Office 365 or Google G Suite
- Endpoints protected with Trend Micro Apex One multi-layered endpoint security
- Servers and cloud workloads protected by Trend Micro Deep Security Software or Trend Micro Cloud One - Workload Security (virtual, physical, cloud, and containers)
- Networks equipped with Trend Micro Deep Discovery Inspector provide network detection across over 100 protocols and all network ports
- Correlate alerts and activity data from multiple solutions
- 24/7 alert monitoring, correlation, and prioritization using automation and analytics distills alerts down to the events that need further investigation
- Continuously sweeps environments for newly identified indicators of compromise (IoCs) or indicators of attack (IoAs)
Sophos MTR is a fully-managed, 24/7 threat hunting, detection and response service that fuses machine learning with human analysis from a team of threat hunters for a sophisticated approach to proactive security protection. It combines Sophos endpoint protection and EDR with experts to neutralize threats.
Sophos standout features:
- Sophos Rapid Response: An organization experiencing an active breach that is not already a Sophos MTR customer can use Rapid Response. It is a fixed-fee emergency incident response service that identifies and neutralizes active cybersecurity attacks throughout its 45-day term of engagement.
- The Sophos service fuses endpoint protection and EDR with a team of security experts.
- The user controls how and when potential incidents are escalated, what response actions (if any) they want Sophos to take, and who should be included in communications.
- Targeted actions to neutralize the most sophisticated threats
- Built on Intercept X Advanced with XDR technology, Sophos MTR combines machine learning and expert analysis for improved threat hunting and detection, deeper investigation of alerts, and targeted actions to eliminate threats with speed and precision
- Fast response actions across endpoint, server, cloud, and network data
CrowdStrike Falcon Complete delivers 24/7 expert management, monitoring, and response for the Falcon platform, backed by CrowdStrike’s Breach Prevention Warranty. It combines next-gen antivirus (NGAV), endpoint detection and response (EDR), and managed threat hunting, together with the expertise and 24/7 engagement of the Falcon Complete team. The team manages and actively monitors the Falcon platform for customers, remotely remediating incidents in minutes.
CrowdStrike standout features:
- The Falcon Complete team solves the challenge of implementing and running an effective and mature endpoint security program without the difficulty, burden and costs associated with building one internally.
- CrowdStrike’s threat intelligence team integrates indicators of attack (IOAs) into EDR data in real time, rather than from feeds of atomic indicators (IOCs).
- Focused expertise to stop threats 24/7/365
- Surgically eliminates threats in minutes.
- Team is composed of seasoned security professionals who are experts trained on CrowdStrike Certified Falcon Responder (CCFR) and CrowdStrike Certified Falcon Administrator (CCFA) certifications.
- Cloud native platform with no hardware, additional software or configuration required
- Threat Graph provides real-time visibility and insight into everything happening on endpoints throughout the environment
Netenrich works with mid-sized companies and small enterprises on right-sizing their security operations. Its managed XDR services enable continuous, full visibility and coverage across all network assets and hybrid cloud environments.
Netenrich standout features:
- MDR for endpoints
- MDR for on-prem infrastructure (network, data center)
- MDR for cloud infrastructure (public, private)
- MDR for user behavior and for SaaS applications such as Office 365 email
- 24×7 full visibility and coverage of cybersecurity threats, exposures, and vulnerabilities
- Fast detection, prioritization, and resolution of threats
- Threat hunting
- Remediation services and professional services
- AI/ML/automation platform complemented with human intelligence
- Integration with SIEM and EDR tools to deliver MDR/XDR (IBM QRadar for SIEM, VMWare Carbon Black for EDR, Microsoft Defender for O365 Email, IBM QRadar User Behavioral Analytics).
IBM Security Managed Detection and Response Services deliver a 24/7 threat detection and fast response capability, fueled by threat intelligence and proactive threat hunting to find undetected threats faster while improving SOC productivity. IBM’s AI-powered automation coupled with human-led analysis speeds threat response across networks and endpoints in hybrid multi-cloud environments.
IBM standout features:
- Includes Endpoint Detection and Response (EDR) and Network Detection and Response (NDR) tools to conduct detailed investigations, including IBM’s Tactics, Techniques and Procedures (TTP) threat hunt library and next generation antivirus for behavior-based blocking and…