Managed detection and response (MDR) is a managed cybersecurity service that relies on a combination of advanced threat detection technology and human SecOps expertise. Together, they provide 24/7 monitoring, analysis, detection, and rapid incident response across your entire IT infrastructure.
What sets MDR apart is the fact that there’s a dedicated team of human security experts in the mix. When a suspected security incident is flagged, automated response playbooks kick in immediately, but the human team is also alerted for further investigation and resolution.
MDR gives you the best of both worlds: leading-edge technologies and advanced human expertise watching your cloud when your teams can’t.
In this post, we’ll look at some of the differences between MDR and traditional managed services, how MDR functions within organizations, some of the tools it works with for even more effective threat detection and response, and the most important tip for getting the most out of your MDR solution.
What’s the difference between MDR and traditional managed security services?
A managed security service provider (MSSP) is a third-party partner that monitors your networks for threats, alerts you to possible incidents, and may offer additional IT services like technology management and compliance support.
MDR and MSSPs are both outsourced services that complement and boost your in-house security capabilities with a mix of human and automated services. The biggest difference is that MDR provides active threat hunting and expert investigation.
Think of traditional managed security services as being like a home security system. When there’s a problem, the system sounds an alarm, but you still need to respond. The security system focuses on monitoring and won’t usually investigate or respond to threats. This is considered a passive approach—even if a human team is sometimes involved in monitoring.
MDR, on the other hand, is like having an on-site security guard. It actively patrols your cloud estate, searching for threats and vulnerabilities. It also provides active threat hunting and expert investigation by skilled analysts and will take action to neutralize any threats it detects.
Here are the main similarities and differences between MDR and MSSP solutions:
Feature | MSSP | MDR |
---|---|---|
Event response | Alerts you about breaches | Actively remediates threats |
Solution set | Mainly focuses on prevention | Detects, responds to, and prevents threats |
Proactive or reactive? | Mainly reactive, responding to identified breaches | Combines proactive threat hunting with reactive incident response |
Human oversight & 24/7 monitoring | Generally automated systems with some human intervention | Human analyst team monitors and responds to threats 24/7/365 |
Cost | Typically lower | Generally higher |
What security challenges does MDR address?
As the technology we use grows more complex and sophisticated, so do the strategies used by threat actors. Here are three of the main challenges for cybersecurity today, along with how MDR helps address each challenge.
Complexity of modern threats
Today, cloud infrastructure and supply chains are at growing risk from sophisticated ransomware attacks, among other threats. This means that traditional perimeter security isn’t enough to keep you safe. Cloud environments can also grow and shrink on demand, making it tough to see connections between resources and to know where your true risks lie. Finally, the explosion of APIs and microservices—along with new technologies such as AI—introduces new vulnerabilities. Greater collaboration among dev, ops, and security can help address this increased complexity.
How MDR helps
MDR helps you keep ahead of threats with access to the latest threat intelligence, advanced analytics, and expert analysis.
Resource constraints
Given global cybersecurity talent shortages and budget constraints, it’s harder than ever to find and retain skilled security professionals for your security operations center (SOC) or cloud security team. With resources stretched to the limit, it’s tough to maintain 24/7 coverage and keep pace with evolving threats, leaving you vulnerable when it comes to monitoring and responding to security incidents.
How MDR helps
MDR takes pressure off internal teams with access to a dedicated 24/7 SOC team, freeing up internal resources.
Need for proactive approaches
Traditional security tools usually work by reacting to known threats that are trying to access your environment. But this doesn’t protect you against novel or zero-day attacks. Modern security strategies need a more integrated, intelligent approach that includes threat hunting, analytics, and automation to stop threats faster, before they can cause damage.
How MDR helps
MDR uses analytics to identify and address threats before they cause major damage. And because MDR correlates data from all your security services, it can offer a context-rich approach that individual tools alone can’t.
How should MDR work in the cloud?
MDR complements and amplifies your existing cloud security solutions. It does this by collecting and analyzing data from security tools such as:
Security information and event management (SIEM): Analyzes cloud provider and other logs
Endpoint detection and response (EDR): Monitors endpoint activity
Cloud detection and response (CDR): Tracks events and activities across your cloud environment
Cloud security posture management (CSPM): Verifies configuration, vulnerability, and compliance posture
Cloud workload protection platform (CWPP): Monitors runtime workload data
Identity and access management (IAM): Tracks user, login, and session data
MDR solutions can also add their own proprietary technologies to boost your security capabilities.
By correlating data from a wide range of sources, MDR solutions can determine…
Whether behavior is normal or anomalous (anomaly detection)
A severity score for potential alerts
Indicators of compromise (IoCs) for known threats
Over time, you’ll also work with your MDR provider to fine-tune and customize the service. For example, you might set up alerts that trigger on specific criteria such as time of day, geographic location, or unusual user activity.
Once a potential incident has been discovered, MDR triggers both automatic and human escalations as seen in the following example response flow.
Example response flow
Here’s how MDR might respond to a potential data breach.
1. Detection
MDR makes its initial determination that a data exfiltration attempt is in progress, using data from the organization’s cloud detection and response (CDR) tool. This data could include a sudden spike in S3 bucket activity from an unusual service account along with multiple failed API calls.
2a. Response – Automated
Automated response capabilities are one area where MDR really shines. For instance, MDR can automatically quarantine affected systems for further investigation. In this case, the initial automated response will block access to the affected S3 bucket. It will then alert the on-call MDR team to a potential threat, providing them with data from security and monitoring tools already in place.
2b. Response – Human MDR team
The major differentiator of MDR is the fact that it includes a human SOC team on call 24/7/365. In this example, the senior analysts or on-call engineers will review the alert and investigate further using data from the CDR platform.
Following analysis, the team determines that the service account is compromised and rotates the credentials. They then trace the cloud service account to a compromised user and alert the customer.
3. Resolution
Because MDR applied fast containment based on data from CDR and other tools, no data has been compromised. In other words, the attempted breach was unsuccessful. Meanwhile, the IT or operations team contacts the user whose account was compromised and resets their cloud credentials.
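An added illustration of steps 1 and 2a above (example code written for this post, not Wiz's or any MDR provider's): the detection logic run over constructed CloudTrail-style S3 events, flagging the spike-plus-failed-calls pattern from an unusual service account and scoring it, followed by the explicit-Deny bucket policy the automated containment step would apply. Principal names, the baseline table, thresholds, the account ID and the assumption that the service account is an IAM role are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed CloudTrail-style S3 records (not real data):
# (eventTime, principal, bucket, eventName, errorCode or None)
SAMPLE_EVENTS = [
    ("2024-05-01T02:00:01Z", "svc-etl", "prod-data", "GetObject", None),
    ("2024-05-01T02:00:07Z", "svc-etl", "prod-data", "PutObject", None),
    ("2024-05-01T02:01:30Z", "svc-etl", "prod-data", "GetObject", None),
] + [  # 40-call burst from an account never seen on this bucket; every 4th call denied
    ("2024-05-01T02:03:%02dZ" % i, "svc-legacy-reporting", "prod-data",
     "GetObject", "AccessDenied" if i % 4 == 0 else None)
    for i in range(40)
]
# Assumed baseline: typical S3 calls per principal per 5-minute window on prod-data;
# a principal missing here has never been observed on the bucket.
BASELINE = {"svc-etl": 6}

def _window_start(event_time, minutes):
    t = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ")
    return t - timedelta(minutes=t.minute % minutes, seconds=t.second)

def find_exfil_candidates(events, baseline=BASELINE, minutes=5,
                          spike_factor=5, min_denied=3):
    """Group calls per (principal, bucket, window) and flag groups that combine a
    volume spike over the principal's baseline with repeated AccessDenied responses."""
    stats = defaultdict(lambda: {"calls": 0, "denied": 0})
    for event_time, principal, bucket, _name, error in events:
        s = stats[(principal, bucket, _window_start(event_time, minutes))]
        s["calls"] += 1
        s["denied"] += error == "AccessDenied"   # bool counts as 1
    findings = []
    for (principal, bucket, start), s in stats.items():
        unusual = principal not in baseline       # never seen on this bucket
        expected = baseline.get(principal, 1)
        if s["calls"] >= spike_factor * expected and s["denied"] >= min_denied:
            # severity: base 5, +3 for an unknown principal, +1 per 20 calls over baseline, cap 10
            score = min(10, 5 + 3 * unusual + (s["calls"] - expected) // 20)
            findings.append({"principal": principal, "bucket": bucket, "calls": s["calls"],
                             "denied": s["denied"], "unusual_principal": unusual,
                             "window_start": start.isoformat(), "severity": score})
    return findings

def bucket_deny_policy(bucket, account_id, role_name):
    """Step 2a containment: explicit-Deny bucket policy for the suspect principal
    (assumes the service account is an IAM role in the given account)."""
    arn = f"arn:aws:iam::{account_id}:role/{role_name}"
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "MdrAutomatedContainment", "Effect": "Deny",
        "Principal": {"AWS": arn}, "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]}
```

In the sample, only the unknown principal's burst is flagged; the regular `svc-etl` traffic stays under its baseline and produces no finding.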
Is MDR still helpful even if you already have an internal SOC?
Absolutely! No matter your current security maturity level or the size of your organization, MDR can complement and enhance your existing security capabilities.
Smaller organizations
If you’re a smaller organization, you have a smaller team, and often they’re extremely busy and stretched to their limit. Rather than staffing up a full SOC with 24/7/365 response capabilities (and a likely prohibitive price tag), a smaller organization can turn to MDR as an alternative. The organization gets the benefits of round-the-clock monitoring, threat hunting, and incident response capabilities without needing to build and maintain those capabilities in-house.
Larger enterprises
If you’re a larger enterprise, you may already have a SOC in-house. But with the scalability and ephemerality of cloud, it can be tough to handle fluctuating security demands—especially when you consider the specialized expertise cloud environments require.
Here, MDR acts as an add-on for your existing SOC capabilities. For instance, MDR offers advanced analytics and AI/ML to catch threats that in-house teams might miss. That’s especially important in industries where security matters. For ISPs, MSPs, or in the finance, healthcare, or manufacturing industries, MDR can bring down mean time to remediation (MTTR) and boost you to an even higher level of security maturity, fostering a greater degree of trust as you grow.
Getting the most from your MDR solution with Wiz
As we’ve seen here, MDR isn’t a standalone solution. Both its automation and human SOC team capabilities rely on security data from a range of security solutions, such as CDR. Chances are, you already have a number of these tools in place. The question is: Are your security tools siloed or integrated?
Siloed tools could slow down your MDR team or leave them with blind spots where they can’t track your environment effectively.
Using security tools that work together within a cloud native application protection platform (CNAPP) can really boost the effectiveness of MDR and give MDR teams and automation access to all the data and context needed to stop threats quickly.
While a CNAPP gets all your security tools working together, it shouldn’t lock you in—an effective CNAPP solution should let you choose the tools and services, including MDR, that will best defend your organization from code to cloud.
For example, Wiz, a true CNAPP solution, works with numerous industry-leading MDR providers. When you integrate Wiz with your existing MDR solution, you get…
Streamlined MDR integration with direct ingestion of Wiz security alerts
Enhanced MDR effectiveness with critical cloud environment data and context
Automated information sharing between Wiz and the MDR provider
Plus, Wiz Defend gives MDR SecOps teams access to the up-to-the-minute forensics data they need to resolve issues quickly. With the Wiz Security Graph, eBPF-based sensor data, and CSP audit logs, Wiz Defend empowers MDR platforms with unparalleled threat context.
See Wiz Defend in action and how it can help your organization guard against today’s threats 24/7.