In a recent overview of 42 Managed Detection and Response (MDR) services providers, Forrester Research recognized eSentire as one of only five large companies that qualified as “proactive hunter, investigator, and responder specialists.”
In the Q4 2020 Forrester report, this select group of Managed Detection and Response services providers “brings an MDR service to clients built on a foundation of deep subject matter expertise in analytics, incident response, and threat intelligence. Proactive hypothesis-driven threat hunting methodologies curated into analytics and their use of automation makes these vendors excel.”
Within the Forrester report, they examined three other groups in addition to the MDR specialists: Managed EDR providers, Managed incident response-as-a-service (IRaaS) vendors and MSSPs adding MDR to service stack.
Forrester compared the four groups across 13 functions, one of which—extended detection and response (XDR), in particular “use of non-endpoint telemetry in MDR service”—receives special attention throughout the report due to its foundational role within MDR.
We couldn’t agree more with Forrester about the importance of XDR, and we thought it was worth helping everyone understand just why XDR is so critical to effective delivery of MDR services.
What is XDR’s foundational role in MDR?
The ability of an MDR vendor to deliver an effective service is enormously dependent upon their XDR platform.
The Forrester report’s authors touch on this dependency when they note that, “The quality of MDR services depends on its ability to incorporate extended detection and response (XDR) visibility from not just EDR software, but also network analysis and visibility (NAV) tools, network traffic analysis (NTA), and analysis of security log data.”
As we explained in our recent post, What is XDR?, an XDR platform enables effective Managed Detection and Response services by:
- Centralizing the aggregation of normalized data from across the threat surface (e.g. cloud environments, endpoints, logs, networks)
- Correlating data and alerts to provide cross-signal threat detection
- Providing a centralized response capability that can implement actions and change security policies
And mature XDR capabilities just aren’t widespread: of the four vendor groups Forrester examined, only two—the “proactive hunter, investigator, and responder specialists” and the “MSSPs adding MDR to service stack”—are rated as having “high” XDR functionality.
Plus, an XDR capability isn’t something that can be built overnight, which is one reason why the Forrester report states unequivocally that, “Quality MDR vendors should already have XDR-like capabilities within their service stack.” (emphasis added)
What should you look for in an MDR vendor?
Forrester is adamant that XDR is a required enabler of MDR, but how can a non-expert separate the wheat from the chaff to distinguish between real XDR (and MDR) expertise and the growing list of “me too” vendors who fear being left behind?
Forrester provides three recommendations.
“Identify a vendor’s history and motivations for offering MDR”
Except for the rare vendors for whom MDR is their core competency, delivering effective Managed Detection and Response services requires a major transformation in terms of technical architecture, operational processes and business model. Needless to say, these changes are not made easily.
In Forrester’s words, “Buyers need to figure out why a vendor entered the market. The motives behind the service will shed some light on how committed the vendor is to MDR, and also reveal the strengths, weaknesses, and overall approach to their MDR offering.”
eSentire has a unique history when it comes to MDR: we invented it and it’s our complete focus.
“Evaluate the relationship between threat intelligence, threat hunting, and analytics”
Forrester notes that, “Many MDR vendors fail to articulate threat hunting in meaningful fashion — in terms of intent, methodology, and outcome.”
That is, these MDR vendors will use the words “threat hunting,” but in a purely cosmetic or superficial way.
Forrester continues: “Ask for details like top five threat-hunting methodologies used, how successful hunts become analytic rules, and how threat intelligence becomes a source for future threat hunts.”
Prospects who ask eSentire these questions will enjoy no shortage of information and evidence. For instance:
- This page provides an overview of how our Threat Response Unit (TRU) outpaces the evolving threat landscape, linking Threat Intelligence, Advanced Threat Analytics and Tactical Threat Response within the MITRE ATT&CK framework
- Our threat dissections and incident reports frequently highlight how proprietary research, open source intelligence (OSINT) and direct observations are quickly incorporated into ever-evolving defenses
- The recent (and ongoing) SolarWinds/Sunburst saga underscored the importance of operationalizing threat intelligence—within just a few hours of FireEye’s initial announcement on December 8th, we had already rolled out new esNETWORK detection rules and we were running esENDPOINT and esLOG queries against the CVEs targeted by FireEye’s stolen Red Team tools
(and those examples really are only scratching the surface)
“Restrictions in response should come from your playbooks, not vendor APIs”
This is an important point and essentially boils down to: your MDR vendor should unlock new response options, not limit what you can do.
Beyond a wholehearted shout of “we agree!” we can also provide a couple of recent examples that reinforce the importance of having a rich and varied response capability:
- The Zerologon exploit highlighted the value of combining threat research with rich response capabilities
- The “SunWalker” incident illustrated in frightening detail what it takes to stop a ransomware attacker before damage could be done
And note also that MDR vendors shouldn’t come in and just tell you what to do—unless that’s what you’re asking of them. In every case, they should work with you to determine clearly what responsibilities each party owns.
That’s one of the wonderful things about the MDR model: if you’re just getting started with cybersecurity, then the MDR provider can take on more of the “end to end” responsibilities; if your organization’s approach to cybersecurity is very mature, then responsibilities can be divided, choosing to focus expertise where it’s most needed.
eSentire Atlas XDR Cloud: real XDR for the world’s leading MDR
Without a comprehensive, cloud-native XDR platform with adaptive machine learning, Managed Detection and Response services can’t monitor the whole threat surface, can’t make sense of the information it ingests and can’t respond fast enough to stop skilled attackers.
At eSentire, we’re proud to be pioneers in delivering effective, efficient and scalable cybersecurity solutions; consistent with this track record, we were the first MDR vendor to introduce a cloud-native XDR platform—Atlas—and our clients are already enjoying the benefits while competitors play catch up.
Leveraging patented artificial intelligence (AI) technologies, Atlas learns across our global customer base and immediately extends response to every customer with each specific detection. This ability to rapidly learn and work at cloud scale, combined with expert human actions, stops breaches and reduces customer risk in ways unattainable by legacy security products, traditional MSSPs and other MDR providers.