Tom Field, Senior Vice President of Editorial at Information Security Media Group, and Lyndon Brown, Chief Strategy Officer at Pondurance, discuss the path to modern managed detection and response (MDR). They cover what MDR is and is not, the evolution of incident response and what modern MDR entails. The transcript follows.
Tom: Hi there. I’m Tom Field, Senior Vice President of Editorial with Information Security Media Group. Our topic today is the path to modern MDR. It’s my pleasure to be speaking today with Lyndon Brown. He’s Chief Strategy Officer with Pondurance. Lyndon, thanks so much for taking the time to speak with me today.
Lyndon: Tom, thanks for having me. Excited to talk to you today.
Tom: So, to start, let’s demystify MDR a bit upfront. First of all, what is it versus what is it not?
Lyndon: Great question, Tom. We find so much in technology that there’s always a new acronym to learn, a new category to kind of wrap your head around. And you’re right. There are two ways to look at it: What is it and what is it not?
Managed detection and response was built to address a fundamental challenge that organizations were facing. To date, most of security has focused on preventing, trying to keep things outside of the castle walls, and not enough focus on actually detecting and taking care of things that may seep in. And that’s really what detection and response is focused on. Managed detection and response adds an additional layer, and that’s based on the realization that most organizations simply don’t have the talent, the people or the treasure to tackle this internally. So managed detection and response is about delivering those around-the-clock detection and response outcomes, partnering with an organization that has that skill set.
Now, what is it not? Now, there’s a lot of managed security services, and that’s a pretty long-standing category, which really started kind of around the invention of the internet, where as soon as users started plugging into the information superhighway, attackers started finding ways to monetize it and do bad things. So managed security service providers have been around for a long time, but they’ve largely focused on keeping the firewall configured and working on those kinds of perimeter-focused defenses.
Tom: So Lyndon, in pace with the digital transformation over the past couple of years, I have to add to the adversary evolution as well — how has MDR advanced?
Lyndon: Sure. So, like any technology, you know, I’ll say like any species over time, it’s really about evolving and advancing and making any kind of improvements. So the first generation of managed detection and response was built for the world that existed 10, 12 years ago, which was a perimeter-only world, right. There was not much cloud, no real SaaS applications, and attackers were doing things consistent with the times, right, launching attacks at a certain pace, a certain rate, etc.
As time has gone on, a decade has passed, a couple of things have changed, right? If not most, many organizations are cloud-first, whether they’re using SaaS applications or storing their information and running virtual servers in the cloud. Attackers have new motives and ways to gain access and take advantage of the application sprawl in the environment. And then, at the same time, technology has also given benefits, right? We have artificial intelligence, machine learning, cloud scalability, data analytics, all these things that just simply didn’t exist 10-plus years ago in this capacity. So the MDR space itself has to respond to both of these things: the threats that are changing but also the new opportunities that technology is creating.
So what we’ve seen is that the first generation of managed detection and response, while they wanted to focus on detecting and ultimately responding to threats in the environment, their platforms were simply ill-fit to scale and keep up with the volume and the veracity of attacks and what was happening in the environment, didn’t take advantage of advanced analytics such as machine learning, artificial intelligence, etc., and additionally didn’t factor in the fact that full-fledged incident response needs to be part of detection and response. So more of a big R than a little R enabling organizations to stop a threat versus just having a phone number to call. And that’s some of the big shifts.
The final piece I’ll mention is that there are way more security technologies, obviously, than there were a decade ago, 15 years ago, etc., and organizations are making judgment calls on some of these technologies. They want to be able to decide certain things, right? Who’s their antivirus vendor, etc. And the first generation of MDR was much more focused on supporting what the provider thought was right. And over time, we recognize that organizations come from different verticals, have different needs, have different technology preferences, etc. So really, modern MDRs need to be able to bake all these things together, including that technology support and doing it in a way that is able to keep up with the demands of today.
Tom: Well, you packed a lot into that. I want to peel it back a little bit, starting with some discussion about myths and realities. Start here: What are some of the prevailing myths about the technology behind MDR?
Lyndon: Sure. So, I would say one prevailing myth about any technology — security technology itself — is that technology itself is good enough. So there are vendors out there who will talk about their platform, XDR, etc., and we recognize that human intuition needs to be baked in to be able to scale and enable the outcomes that security programs need.
Another aspect, Tom, really has to do with the scalability of platforms. So there’s a very big difference between something being cloud-native and something being cloud-hosted. Taking an application that was built and moving it, you know, forklifting it into the cloud, doesn’t necessarily give it any more scalability or any more stability or any more availability than something that was running in a data center somewhere else. So looking under the hood and understanding, was this platform built for today, or was it something that was built for yesteryear and simply, you know, trying to extend its life.
Tom: I want to come back to something you talked about a few minutes ago. I want to get some facts about response, both the big R and the small R, and who should provide it.
Lyndon: Sure. You know, I always want to go back to the customer and the customer’s needs specifically, so let’s take an example. An organization has a managed service provider, a managed detection and response provider, and something goes bump in the night. What’s the ideal situation to happen from there? So in one model, that service provider is able to carry it across the finish line. So actually be able to take the initiative and resolve the issue without the customer having to wake up in the middle of the night or for there to be a long, elaborate conversation about who should help us in this situation. That’s one reality and that’s one world.
Another example is that service provider really stopping at, “I’ve detected something” or “I think there’s something going on,” and then there having to be kind of musical chairs to figure out who needs to come in, who’s responsible for what, and that’s really chaos. What we recognize is, when you really need incident response, two things matter: time and clarity. Being able to address issues quickly and also being able to know who’s responsible for what simply drives much better outcomes than the alternative.
Tom: Go back to this topic of modern MDR: 1. How do you define it? 2. What does it entail?
Lyndon: Sure. So there are a number of factors that are really core to modern MDR. The first element I’ll mention is being able to be pervasive across the environment. We defined that as having 360-degree visibility. So that means, from the network perspective, from applications and logs and security devices, from the endpoint perspective, and the cloud perspective, being able to leave no stone unturned and ensuring that you have full visibility. Now, many organizations, whether they’re doing it in-house or they’re using a managed service provider or they’re using a first-generation MDR provider, can’t say they have that. And, you know, we’re thankful to be able to help our customers deliver on that and have full visibility.
Another aspect of it is being able to meet customers where they are.
We’ve all been to theme parks, and there’s, “how tall do you have to be to ride.” And we recognize that organizations are at different levels of maturity. Some organizations may have antivirus and a firewall. We want to be able to help them mature and move up to the right from a maturity curve perspective. Other organizations may have already dipped their toe in the water. Maybe they went down a path of installing NextGen endpoint detection and response (EDR), etc., and having a modern MDR that can meet you where you are is another main hallmark.
And, I know you touched on it, Tom, that response, that big R in MDR is core. Today, we see these ransomware attacks, right? And we look back at the tale of the tape and the post-mortem, and in many cases, if an action was taken in the first 30 minutes, if an action was taken in that first hour, there’s a very different outcome for that organization. And that’s another major hallmark of modern MDR.
Tom: Lyndon, I don’t need to tell you it’s a crowded marketplace out there for MDR. How do you distinguish yourself in this marketplace?
Lyndon: Tom, that’s a great question. And you’re right. In technology, especially when it comes to new spaces and when it comes to acronyms, organizations are quick to label what they have as MDR or another category.
For us, our customers tell us there are three or four core things that set us apart and lead them to choose us.
In no particular order, I’ll start with integrated closed-loop incident response and the fact that we have a world-class, recognized, fully enabled incident response team that is connected to our MDR service. So there’s no dropping the ball. There’s no transition time required to go from detecting to addressing an issue and reducing any impact that can occur.
The second hallmark is full, or 360-degree visibility across all the different vantage points that we discussed. And most providers in the market are focused on one, or two, maybe three. There are MDR providers that simply focus on endpoint, and we know too well that attackers like to go and find ways in that organizations are simply not prepared to cover. So that’s another big differentiator there.
And then, the final piece is being able to integrate with the customer’s environment, not requiring a customer to change the way they operate completely, change their investments, change their business model. It’s not about taking three steps backward to take one step forward. We want to focus on helping customers take three steps forward.
Tom: Let’s take a long look at this year ahead of us, starting with a risk-based approach to MDR. What are the trends that you are most closely tracking?
Lyndon: Tom, yeah, one of the things that we do with our customers is try to help them migrate from a kind of a threat-based-only approach to a risk-based approach. So, to give you an example, when we read headlines — and many companies are reading board of director headlines, etc. — the threat matters but also the risk, your vulnerability to that threat matters, and also the relevance to your organization. So we’re helping customers, and we’ve been recognized for helping customers transition from the kind of a spray-and-pray approach to security to a risk-based approach where you’re making deliberate investments to close deliberate holes, deliberate gaps and explicitly drive your program forward.
So as we look at trends, we’re definitely at the forefront. Part of it is us working with clients to understand their needs and be able to combine those needs with the technology that we’ve built and the way we’re able to deliver the service. So really tighter integration between the risk conversation and the actual detection and response prevention strategy is core. Many organizations have security policies. And those security policies are in a file cabinet, and they’re sitting somewhere, and the actual program is not consistent with those policies. Engineers and technologists are making judgment calls every day around a specific implementation, and that’s not tied to the policies that either the third-party auditors or the internal security leadership or other risk and compliance organizations are mandating occur.
So really, the trends that we see are better visibility into risk, tighter integration, and then we’re really thankful to be at the forefront of helping customers drive those two, thrust together both the security program itself and the overall risk management approach.
Tom: Great topic. Thank you so much for taking the time to speak with me today.
Lyndon: Thanks, Tom. Always a pleasure.
Tom: Again, the topic has been the path to modern MDR. You just heard from Lyndon Brown. He’s Chief Strategy Officer with Pondurance. For Information Security Media Group, I’m Tom Field. Thank you so much for taking the time to listen to this interview today.