Major Use Cases and Capabilities
Major Use Cases
Managed Detection and Response
MDR solutions mean that even smaller organizations can tap into the benefits of having a large team of experts continually on call to detect and respond to incidents and help guide investments, strategies and processes without the cost and challenges of finding and retaining people with the necessary skills.
Enhance Security Posture
Where there is some in-house security capability, MDR can be used to supplement it whenever necessary, ensuring that an organization has at its disposal all the cyber security skills and capabilities required to deal with high-risk threats and critical incidents. This is also relevant for very large organizations: given the volume of cyber-attacks and the skills gap in the market, it is challenging to develop long-term security strategies while keeping on top of daily cyber threats and incidents.
Increase Value of Existing Tools
Large organizations with in-house security teams find it challenging to manage SIEM, NDR, EDR, SOAR, and even IAM systems to deliver the required security outcomes. As a result, they are turning to MDR service providers to help with this, as well as to provide rapid automatic containment capabilities for common threats. Some vendors report a growing demand for MDR services from the world's largest organizations due to the global lack of cybersecurity skills and high churn rates, which make it challenging to run an in-house SOC and maintain the desired quality of service (QoS) levels.
Improved Compliance
Governments have enacted various regulatory regimes mandating privacy, security of health and financial records, "Know Your Customer" rules, and payment processing security. Examples include the EU General Data Protection Regulation (GDPR) and the EU Revised Payment Services Directive (PSD2). Additionally, security certifications and standards such as FIDO2, ISO/IEC 27001, and SOC 2 Type II will appeal to customers in certain regulated industries and to others that have strict security requirements.
Capabilities
Coverage
Effective detection relies on comprehensive monitoring of the IT environment. This metric reflects the breadth of the solution's coverage in terms of monitoring and analysis of data movement across applications, systems, endpoints, protocols, groups, and locations. It also includes integrations with other security products such as DLP and EPDR.
Cloud Support
A measurement of the degree to which solutions provide monitoring and analysis of cloud environments, including service providers, applications, infrastructures, and data stores. It also includes cloud security posture management, workload protection and vulnerability scanning.
Detection
An evaluation of threat detection coverage and capabilities across modern IT environments. It includes the average detection times, behavior analytics, integrations with intrusion detection and prevention systems, and the capability to detect certain types of malicious tactics, techniques, and procedures.
Response
This category looks at a solution’s ability to respond to threat detections, including blocking capabilities, rapid incident validation, response times, post-remediation support, and activity recording.
Automation
An in-depth look at a solution's automation capabilities in terms of threat containment actions, including process termination, host isolation, port blocking, and file quarantining. It also looks at the solution's SOAR capabilities and integrations and its provision of incident response playbooks.
Threat Intelligence
This is a measure of a solution’s threat intelligence and threat hunting capabilities, including provision of automated threat hunting, type and number of intelligence sources, and support for threat intelligence exchange.
Insider Threat Detection
This metric reflects a solution's ability to detect and block insider threats, including the detection of phishing attacks aimed at tricking employees into revealing their credentials (which would give an attacker insider access), the abuse of privileged credentials, and the use of user behavior analytics.
Admin Support
An evaluation of the administrative support provided by the solution in terms of initial setup, incident response, language support, and professional support services. It includes the ability of the solution to provide full SOC services, to work as an extension of internal teams, to assist in developing security and governance policies, to provide dedicated analyst teams, and to provide continual improvement guidance.