MDR vs. MSSP: Which Solution is the Right Fit for Your Organization?

Thursday, September 13, 2018

We often hear the term “Security as a Service”, and it ends up with lots of other words attached to it, like Managed Security Service Provider (MSSP). Buyers should be aware, though, that an MSSP is often not the same as a Managed Detection and Response (MDR) service. The two are very different, and confusing them can lead to mismanaged expectations and, ultimately, disappointment.

MSSPs often claim that they can provide comparable services to MDR. True, an MSSP provides 24/7 outsourced monitoring and management of security devices and systems, and yes, so do MDR solutions. But they differ in three fundamental ways: technology, expertise and relationship.

The Technology Difference  

Gartner said it themselves in their Managed Detection and Response Service Market Guide: "Clients should be wary of claims from traditional MSSPs on their ability to deliver MDR-like services. Delivering these services requires technologies not traditionally in scope for MSS, such as endpoint threat detection/response, or network behavior analysis or forensic tools." An MDR approach is fundamentally different in that it provides access to extremely sophisticated detection and response technologies. With MDR, an organization can access a different grade of technology and trust that it is being used to its full potential to monitor, detect and respond to threats by the industry professionals who understand it best. Yes, an MSSP solution can help organizations maintain a basic level of security, but if you are a mid-to-enterprise-sized organization, forensic tools are a must to catch threats that may be lurking in the darkest depths of networks.

The Expertise Difference  

Second, the level of expertise provided by an MSSP is very different from that of an MDR service. MSSPs typically offer very little human security analyst support and often rely on Tier 1 SOC analysts, due to their focus on automated perimeter protection and a more passive approach to detection. In comparison, an MDR service worth its salt provides an entire team of highly experienced security professionals, forensic analysts, incident responders and threat hunters who proactively monitor and take action to maintain a secure network.

The Relationship Difference 

MSSP services can be significantly cheaper than MDR services, and for good reason. Beyond the differences above, the service level they offer and the ownership of workflows are dramatically different.

An MSSP will simply forward any abnormality alerts to a member of the IT team, who must then try to determine whether there is a real threat and, if so, how to respond. An MDR team, however, reports only verified information for action and even takes the action to remediate the situation if the partner tells them to do so. They lean in when trouble is knocking at the door, or alternatively watch a client’s back as the client leans in. It’s about forming a partnership with a customer. An MDR team will be available 24/7 by phone, email, or text if need be. It’s about seeing MDR as an extension or augmentation of your in-house team.

An MDR team should allow the organization’s security professionals to focus on their day job, knowing that anything untoward will be brought to their attention with suggested actions for remediation. It’s this consultative value-add that makes MDR such a successful solution. By advising on remediation processes and issues such as firewall blocks and DNS, the MDR team ultimately helps the organization evolve its security posture to keep up with the changing threat landscape, so that it stays agile and effective against the threats of both today and tomorrow.

- Rae Jewell
MDR Manager