First there was endpoint detection and response (EDR). The idea was to secure all endpoints – PCs, laptops, tablets, servers – against threats. However, the field became so complex and involved so many technologies that small businesses struggled with implementation, maintenance, and operations.
Enter managed detection and response (MDR), an outsourced service that provides these organizations with a wide range of protection and threat hunting services. Beyond the software or web-based service itself, providers often add expert support personnel to help monitor networks, analyze incidents, and respond to them.
This helps small and mid-sized businesses (SMBs) get around a perennial problem – a lack of in-house IT expertise or bandwidth to deal with the challenges of business cybersecurity. After all, the security field shifts at a fast pace. New viruses, ransomware, and phishing strategies are dreamed up by the bad guys at a dizzying rate. Security firms then respond with an unending outpouring of fixes, patches, security system updates and new tools to protect organizations. Staying on top of all that is a challenge many large organizations fail at; SMBs can feel overwhelmed.
Another challenge addressed by MDR providers is thoroughness of security implementation. Oftentimes, SMBs are sold EDR tools but fail to deploy them efficiently or configure them correctly. They tend to use a small fraction of available functions and remain open to attack despite possessing sufficient defensive tools.
How about alerts? The average SMB doesn’t have the time to scroll through the many screens and apps to figure out which of hundreds of entries are important and which can be ignored. MDR services take that task away from IT. Many MDR providers can also drill down to find the root causes behind incidents and make recommendations about needed changes.
Core Components of MDR
By outsourcing security operations – either in whole or in part – to an MDR provider, SMBs can increase their ability to detect and respond to threats before they turn into breaches. The functions needed vary from one SMB to another depending on risk, but MDR services tend to provide most of the following:
- Threat hunting: Threat hunting is aimed at finding threats before they’re able to deploy ransomware or access critical data.
- Threat intelligence: Intelligence is key to understanding threat actors and the ways they operate. Security teams can gain a better understanding of specific threat actors and their most commonly used tactics, techniques and procedures (TTPs) in order to prepare their environments to more effectively defend against the most prominent threats.
- Threat response: The ability to take targeted actions to neutralize threats on the customer’s behalf, rather than simply notifying them of potential or imminent threats. An effective MDR can provide not only remediation actions when a potential threat is lurking, but also incident response actions when an active attacker is at work.
- Coverage: The service should be 24/7/365, with analysts who can respond any time of day or night.
- Technologies included or integrated: When evaluating an MDR service, it is important to make sure that the technology used by the operators is included in the price of the service. Some will require you to purchase your own tools (such as endpoint protection and EDR) separately. Others will offer the full technology stack in addition to the services component. However it’s accomplished, an organization needs to be able to share its endpoint and network data with the MDR provider.
- Expertise: How big is the service? How many attacks have they stopped? You want to be backed by a team that has the experience to not only detect an attack, but also the ability to quickly investigate and respond.
- Antivirus: A lot of organizations are still relying on signature-based AV technology. Machine learning is becoming the gold standard for classifying events as good or bad even when the algorithm has never encountered an event of that kind before, and behavior-based detection is another technology for discovering unusual or novel attacks.
- Real-time visibility: MDR offerings need granular real-time endpoint visibility to catch and stop attackers.
Top MDR Services for SMBs
We reviewed many MDR services to find the best ones for SMBs, and many will be relevant to larger enterprises too. Here are the top ones in our analysis:
Trend Micro offers an integrated managed service across email, endpoints, servers, cloud workloads, and networks. Its managed detection and response service, Trend Micro Managed XDR, drives improvements in time-to-detect and time-to-respond, while minimizing the risks and impact of threats.
Trend Micro’s standout features:
- Users can choose to monitor email, endpoints, servers, cloud workloads, and/or network security solutions
- Email protected by Trend Micro Cloud App Security for Microsoft Office 365 or Google G Suite
- Endpoints protected with Trend Micro Apex One multi-layered endpoint security
- Servers and cloud workloads protected by Trend Micro Deep Security Software or Trend Micro Cloud One – Workload Security (virtual, physical, cloud, and containers)
- Networks equipped with Trend Micro Deep Discovery Inspector provide network detection across over 100 protocols and all network ports
- Correlates alerts and activity data from multiple solutions
- 24/7 alert monitoring, correlation, and prioritization using automation and analytics distills alerts down to the events that need further investigation
- Continuously sweeps environments for newly identified indicators of compromise (IoCs) or indicators of attack (IoAs)
Sophos MTR is a fully managed, 24/7 threat hunting, detection and response service that fuses machine learning with human analysis from a team of threat hunters for a sophisticated approach to proactive security protection. It combines Sophos endpoint protection and EDR with experts to neutralize threats.
Sophos standout features:
- Sophos Rapid Response: An organization experiencing an active breach that is not already a Sophos MTR customer can leverage Rapid Response. It is a fixed-fee emergency incident response service that identifies and neutralizes active cybersecurity attacks throughout its 45-day term of engagement.
- The Sophos service fuses endpoint protection and EDR with a team of security experts.
- The user controls how and when potential incidents are escalated, what response actions (if any) they want Sophos to take, and who should be included in communications.
- Targeted actions to neutralize the most sophisticated threats
- Built on Intercept X Advanced with XDR technology, Sophos MTR combines machine learning and expert analysis for improved threat hunting and detection, deeper investigation of alerts, and targeted actions to eliminate threats with speed and precision
- Fast response actions across endpoint, server, cloud, and network data
CrowdStrike Falcon Complete delivers 24/7 expert management, monitoring, and response for the Falcon platform, backed by CrowdStrike’s Breach Prevention Warranty. It combines next-gen antivirus (NGAV), endpoint detection and response (EDR), and managed threat hunting, together with the expertise and 24/7 engagement of the Falcon Complete team. The team manages and actively monitors the Falcon platform for customers, remotely remediating incidents in minutes.
CrowdStrike standout features:
- The Falcon Complete team solves the challenge of implementing and running an effective and mature endpoint security program without the difficulty, burden and costs associated with building one internally.
- CrowdStrike’s threat intelligence team integrates indicators of attack (IoAs) into EDR data in real time, rather than relying on feeds of atomic indicators of compromise (IoCs).
- Focused expertise to stop threats 24/7/365
- Surgically eliminates threats in minutes.
- Team is composed of seasoned security professionals who are experts trained on CrowdStrike Certified Falcon Responder (CCFR) and CrowdStrike Certified Falcon Administrator (CCFA) certifications.
- Cloud native platform with no hardware, additional software or configuration required
- Threat Graph provides real-time visibility and insight into everything happening on endpoints throughout the environment
Netenrich works with mid-sized companies and small enterprises on right-sizing their security operations. Its managed XDR services enable continuous, full visibility and coverage across all network assets and hybrid cloud environments.
Netenrich standout features:
- MDR for endpoints
- MDR for on-prem infrastructure (network, data center)
- MDR for cloud infrastructure (public, private)
- MDR for user behavior and for SaaS applications such as Office 365 email
- 24×7 full visibility and coverage of cybersecurity threats, exposures, and vulnerabilities
- Fast detection, prioritization, and resolution of threats
- Threat hunting
- Remediation services and professional services
- AI/ML/automation platform complemented with human intelligence
- Integration with SIEM and EDR tools to deliver MDR/XDR (IBM QRadar for SIEM, VMware Carbon Black for EDR, Microsoft Defender for Office 365 email, IBM QRadar User Behavior Analytics).
IBM Security Managed Detection and Response Services deliver a 24/7 threat detection and fast response capability, fueled by threat intelligence and proactive threat hunting to find undetected threats faster while improving SOC productivity. IBM’s AI-powered automation coupled with human-led analysis speeds threat response across networks and endpoints in hybrid multi-cloud environments.
IBM standout features:
- Includes Endpoint Detection and Response (EDR) and Network Detection and Response (NDR) tools to conduct detailed investigations, including IBM’s Tactics, Techniques and Procedures (TTP) threat hunt library and next generation antivirus for behavior-based blocking and continuous policy management.
- Utilizes IBM’s network of Global Security Operations Centers (SOCs), integrated infrastructure, expertise and threat intelligence to deliver improved visibility and actionable insights for effective threat defense, including protection from zero-day threats.
- IBM Security MDR is a component of IBM Security X-Force Threat Management, a portfolio of solutions that manage the full threat management lifecycle.
- Defends against attacks with AI-powered detection, threat hunting, and response built on threat intelligence.
- Vendor agnostic to preserve existing security technology investments.
AT&T Cybersecurity provides strategy, risk, and advisory services to help clients plan and implement security-driven initiatives for digital transformation across the network, cloud, 5G, and Internet of Things (IoT). As one of the largest MSSPs in the world, AT&T Cybersecurity boasts strong relationships with leading security technology providers with the ability to incubate emerging innovators to provide best-in-class services.
AT&T standout features:
- Up-to-date threat intelligence
- AT&T Alien Labs fuels its SOCs with continuous threat intelligence backed by the Open Threat Exchange and collaboration with the AT&T Chief Security Office to stay current with the constantly changing threat landscape.
- Software-defined security controls help to reduce the on-premises security footprint and simplify management.
- Provides 24×7 monitoring from the AT&T Global Security Operations Center at a low cost.
- Technological expertise at hand to help defend the business
- A wealth of managed services, including network security, secure remote access, secure web gateway, Distributed Denial of Service (DDoS) protection, and more
McAfee MDR, based on McAfee MVISION EDR, addresses in-house skills gaps while extending the team’s capabilities. It leverages McAfee’s Endpoint Detection and Response and Advanced Threat Defense to provide 24×7 alert monitoring, managed threat hunting, and investigations to improve threat detection and response efforts.
McAfee standout features:
- Provides a 24×7 end-to-end managed endpoint threat detection and response service.
- Offers threat hunting and detection without extraneous alerts to uncover attacks and stop breaches.
- Includes forensics and investigations of endpoint security alerts and incidents to identify the origin of compromise, extent of the breach, and malicious actor attribution and intent.
- Experienced SOC analysts and security analysts oversee defenses without adding full-time staff and resources.
- Provides improved threat intelligence based on indicators and behaviors captured from global insights.
- Lower breach response times
- Vulnerability management and log management
Cynet XDR prevents and detects threats on endpoints, networks and users. For each identified threat it triggers an automated investigation flow that reveals the attack’s scope and root cause and applies automated remediation. It works in conjunction with CyOps, Cynet’s 24/7 SOC team of threat researchers and security analysts.
Cynet standout features:
- 24×7 continuous monitoring, detection and response
- Cynet Prevention & Detection leverages Cynet Sensor Fusion to provide the integrated capabilities of Next-Generation Antivirus, Endpoint Detection and Response, Network Analytics, Deception and User Behavioral Analytics.
- Cynet Response Orchestration includes a set of remediation actions to address infected hosts, malicious files, attacker-controlled network traffic, and compromised user accounts.
- CyOps assist with in-depth investigation, proactive threat hunting, malware analysis and attack reports, ensuring that every security event is handled and resolved.
- Provides exclusions, whitelisting and tunnelling.
- Adjusts Cynet 360 alerting mechanisms to the customers’ IT environment to reduce false positives and increase accuracy.
- Includes over 30 threat intelligence feeds.
- Dives deep into validated attack bits and bytes to gain the full understanding of scope and impact, providing the customer with updated IoCs.
- Each investigated attack concludes with concrete guidance to customers on which endpoints, files, users and network traffic should be remediated.
SecurityHQ’s Managed EDR service leverages EDR tooling together with 24/7 SOC analytics to detect malicious behavior that would otherwise move through a network undetected.
SecurityHQ standout features:
- Threat hunting powered by threat intelligence
- Correlates attack methods
- Automates watchlists
- Uses machine learning to identify new behavior and anomalous sensor activity.
- Integrates IBM QRadar services
- Expert analysts on demand
- Incident response within 15 minutes
- Isolates infected systems
- Complete endpoint visibility
- View the full scope of an attack