MSSP is/and/or/vs MDR?

So, we are wrapping up our research on the effective use of managed services for security and that debate of MSSP vs MDR came up … again!

Gartner defined MDRs (here), perhaps a bit vaguely, as providers that “deliver services for buyers looking to improve their threat detection, incident response and continuous-monitoring capabilities.”

For years, Gartner defined MSSP as “the remote monitoring of security events and security related data sources, or the management of IT security technology along with security event monitoring, delivered via shared services.”

An astute reader may observe that even people without much imagination will notice that these overlap … a lot. On the other hand, a cynical [but perhaps no less astute!] reader may quip that “an MDR is simply an MSSP that knows how to detect actual threats and not just to monkey around with compliance.”

On yet another hand (there is one more?), somebody may point out that a hotshot MDR won’t manage your firewalls and NIPS boxes, so if you need help with that, MSSP is the right choice. This, BTW, has led some clients to procure the services of both an MSSP and an MDR (and, in case of one organization I’ve heard of, that of one MSSP and two MDRs … and both of them pushed EDR agents on clients’ machines … and hilarity ensued). This of course creates beautiful opportunities for finger-pointing after they are hacked!

Furthermore, our “bucket of MDRs” contains plenty of fairly dissimilar providers: some rely on EDR agents (and represent a “managed EDR” type of MDR… confused yet?), some use logs and other data, some focus on traffic analysis, and others do a mix of all of the above, backed up by some analytics, often of unknown provenance…

Given that in all likelihood more of infosec / cybersec will end up with 3rd parties (and/or robots!) over time (despite known problems), this is important to get right. We even have a document about how to understand all those befuddling MSSP services and some research on how to test them.

Finally, it seems to us that over the next 1-2 years, MDR will become simply a type of an MSSP service type that focuses on detection excellence and remote incident response (wherever such IR is possible).

Dear MDR vendors, please consider disagreeing! :-) Perhaps some of you are offended by being thrown in with what you’d call “legacy MSSP riffraff”? On the other hand, MSSPs that offer a range of valuable services may be offended by being thrown together with such “narrow” offerings as MDR?

In other words, have I just offended everybody? :-)

Related posts:

This is a Security Bloggers Network syndicated blog post authored by Anton Chuvakin. Read the original post at: Anton Chuvakin