
Why the Rush to MDR?

LogicHub recently published a survey conducted by Osterman Research, looking at changing trends and attitudes of security professionals around Managed Detection and Response (MDR) services. It’s not surprising that MDR is growing, but the survey revealed that this trend is moving fast, and organizations are in a hurry to solve critical challenges around staffing, alert overload, and the shortcomings of legacy MSSPs. While we encourage everyone to download this free report, here are a few highlights that stand out.

Osterman Research explores why organizations early to embrace MDR services report a higher security posture across multiple dimensions in The Rush to MDR: Achieving the Promise of Elevated Security Posture.

Low-quality alerts waste everyone’s time

We hear these complaints from almost every security team: there is too much security noise, far too many alerts, and unacceptably high rates of false positives. Everyone seems to have a number they can throw out for false positives rates, typically ranging from 50% to 95%, so it’s useful to look at some unbiased survey data.

So, how high is too high? Well, 14% of respondents seem to have things under control, with a false positive rate under 10%. On the other end, 59% reported a false positive rate between 26% and 100%!

Given the severity of real cyberattacks, the security industry seems far too tolerant of false positives. Imagine a surgeon telling you there’s only a 25% chance of making an error. Or a bank telling you that only half the transactions in your checking account were mistakes… oops.

Any false positives come at a significant cost. Enterprise SOCs have told us that a typical alert can take an analyst 30 minutes to chase down. Let’s do the math conservatively: if you get 250 alerts per week and only 30% are false positives, that’s 75 junk alerts, or 37.5 person-hours per week spent dealing with nothing but noise. Basically, one full-time employee is doing nothing productive for your business.

In smaller organizations, that one person might be a third of the entire security team, and it’s a zero-sum game. Any time spent chasing down junk takes away from your ability to stop real threats.

Frankly, all SOC teams should demand false positive rates well below 10%. By automating alert triage and using AI learning models, LogicHub routinely delivers false positive rates well below 5%.

Outsourcing security makes sense, but MSSPs are coming up short

Keeping up with security requires specialized skills and the latest technology, so it makes sense to bring in the experts. But if you outsource security, you don’t want a vendor to just throw bodies at the problem – and of course, bill you for their time.

The Osterman survey found a dramatic shift away from legacy MSSPs. 79% of MSSP customers surveyed said they plan to upgrade to more modern MDRs. Equally dramatic is the planned adoption rate of MDR among all the respondents. While 30% are already using an MDR, another 42% said they plan to adopt one within the next 12 months.

In my 20+ years in security, I can think of very few technologies that went from an adoption rate of 30% to over 70% in just one year. While it may take some organizations longer than expected to make the move, this shows the urgency of the problem.

What’s most important from an MDR?

While we established that alert fatigue is a major force behind the move to MDR, interestingly, it’s not on top of the wish list for most organizations. The Osterman survey asked respondents to rank their top reasons for adopting MDR, and the answers show a need to not just deal with the basics, but to modernize their overall security posture. Let’s look at the top 4 reasons cited:

Reason #1

On top of the list was the desire to have a service that complements their existing cybersecurity teams – not replacing them. This shows that while most organizations need help, they do not want to give up control, visibility, or oversight into how security is managed.

Reason #2

Second on the list was the need to automate response capabilities. A common complaint about legacy MSSPs, and some MDRs, is that they highlight threats, and maybe suggest solutions, but they don’t proactively act to eliminate the threat. Automation is critical for this, but it must be flexible and integrate with the business’s entire security stack – including network tools, cloud apps, endpoints, and ITSM systems.

Reason #3

Third on the list was threat detection. On the surface this shouldn’t be a surprise, but it also highlights that most organizations are not confident that their current security tools will catch every threat. In fact, we talk to many businesses that are so overloaded with alerts and manual response from their current systems that more proactive threat detection is always on the wish list – and never achievable. Clearly, detecting the most advanced and dangerous threats requires vendors that combine the best detection technology with expert analysts who can see through the haze.

Reason #4

The fourth reason also shows gaps in our current security systems and processes. Support for cloud services ranks high because many organizations have been putting cloud security in a silo, and not considering it an integral part of their overall security posture. While we know that cloud providers deliver great benefits, ultimately the customer is always responsible for securing their critical systems and data. We’ve seen many recent examples where businesses using seemingly secure cloud services, such as Office 365, have had their accounts hijacked and sensitive data exposed. Given the extensive APIs that most clouds offer, this is entirely preventable by modern MDR services that fully integrate cloud systems into the security stack.


LogicHub harnesses the power of AI and automation for superior detection and response at a fraction of the cost. From small teams with security challenges, to large teams automating SOCs, LogicHub makes advanced detection and response easy and effective for everyone.

*** This is a Security Bloggers Network syndicated blog from Blog | LogicHub® authored by Willy Leichter. Read the original post at: https://www.logichub.com/blog/why-the-rush-to-mdr