Blog | Sep 08, 2020

Retrospective: How Managed Detection and Response Became a Cybersecurity Gamechanger

Five years on, change is still the constant in Gartner’s 2020 Market Guide to Managed Detection and Response

Last week, Gartner released its 2020 Market Guide for Managed Detection and Response Services. Reading the fifth edition of this report reminds me of how far eSentire has come and how much cybersecurity has changed.

I remember 2016 and working with Gartner analysts to champion a new category that better described what eSentire had defined. Originally, the market tried to label us a Managed Security Solutions Provider (MSSP), but we didn’t fit that mold because we didn’t manage devices nor users because we focused on managing cyberthreats. We were the round peg trying to fit into an industry’s square hole. Back then there was no category talk about threat identification, investigation and containment of cyberattacks. So, we argued for measurements of time to respond and time to contain, rather than simply relying on misleading alerting metrics.

But in 2016, cybersecurity was the prime domain of organizations that understand the algebra of risk management. It meant Fortune 500 companies, tier one banks and government contractors could quantify the risk of cyberthreats and determine their security programs based on budgets that never exceeded the watermark of cyber incidents. And, enterprise risk management was not yet common language for the small and medium-sized companies (the types of companies we protect) that felt the full brunt of cyberattacks.

Five years ago, I also remember attending a legal technology conference in New York, as we worked with law firms to help them understand the risks they faced. In a sea of document control and billing service providers, we were a novelty. Sure our stories were far more exhilarating than the ROI of document control and automated account billing, but they were seen as tales from a far away land. It wasn’t until December that year, hacks on two prominent Wall Street Law Firms validated our value to the legal industry.

Our founder, Eldon Sprickerhoff, built eSentire Managed Detection and Response (MDR) by securing an enviable stable of hedge funds and other alternative investment firms, ultimately recording trillions of dollars under our protection. In fact, 2016 was also the year that the SEC turned its enforcement focus to cybersecurity to ensure these organizations could guard against a new generation of digital criminals. The economy was finally recovering from the 2008 financial collapse and the SEC knew that a cyberattack that eroded trust could topple a tender economy a second time.

At that time, other industries lagged the financial sector and had yet to face their acid test. The rise of ransomware and second-generation crypto-locking attacks made easy work of medical facilities that focused on patient privacy and compliance, but failed to recognize that compliance and security aren’t twins and don’t serve the same purpose. Manufacturing has also entered an unparalleled era of revolution through digital connectivity. Previously unreachable operational technology (OT) was now connected to IT infrastructure and susceptible to the cyber predator pack, well-versed in hunting its prey.

Over the years, other events have shaped how we plan for business continuity and disaster recovery. For example, nearly 20 years ago during the horrific events of 9/11, IT systems recovery centered on back-up and colocated services outside the walls of office towers.

Then in 2012, Hurricane Sandy swept along the northeastern seaboard, flattening New Jersey and flooding lower Manhattan. The storm flooded primary operations in Manhattan and crippled back-up centers in Hoboken, NJ … and in its wake, redefined business continuity planning. As we learned, major natural disasters aren’t deterred by the Hudson River, nor do they adhere to state lines.

Just this year, we have all faced the business disruptions of a global pandemic and a mass shift to remote workers outside the protection of traditional perimeter-based technology.

Look How Far We’ve Come

As Managed Detection and Response celebrates its fifth birthday, we can reflect on how far cybersecurity has come with this industry-defining category leading the way. Clearly in demand, Gartner predicts that the majority of firms will use MDR by 2025, and they have seen a 44% increase in user inquiries. The first market guide contained a baker’s generous dozen vendors with varying services. What was most notable in the inaugural guide, was the absence (active exclusion) of the leading MSSP vendors. It was a clear delineation between MSSP and MDR. It was a classic disrupter emerging to take on the incumbent players.

The MDR category has taken on mass, but still struggles with a sense of identity. As this year’s Gartner Guide notes: “buyers are challenged to differentiate among the variations in delivery approaches and technologies used by MDR service providers.” Many copycat players simply can’t deliver scientifically defined and measured detection and response. Frankly, simply rebranding old services to harness the favored-state momentum of MDR doesn’t cut it.

Alerts STILL Don’t Equal Response

Five years on, there is still an argument whether alerting equates to response (FYI, it doesn’t!). I use the following analogy to help this conversation. Your kid comes up from the basement and tells you that there is water pooling on the floor. Does your kid telling you about a major water leak resolve the leak and fix any damage? No. So, alerts don’t equate to response. Shutting off the water feed equates to containment. Patching a leaking pipe equates to response. Cleaning up the water damage and replacing flooring equates to remediation.

So, my advice is this: if your security vendor can’t even triage the leak and turn off the water source, then they are simply Managed Detection and Alerting. That’s it without the ultimate payoff of real Response. What does that look like? Every day, the combination of eSentire’s cloud-native Atlas platform, plus our expert analysts, deal with over one million security events (potentially leaking pipes and flooding basements), and we begin triage within 35 seconds and resolve (contain attacks and report with full forensics) within 20 minutes.

Gartner does raise the risk that many MDR players lack the experience of their more mature MSSP counterparts: “Most MDR providers lack the vetting and decades of competition that MSSPs have faced.” I do agree that there are a crop of novice MDR providers, but have found that much of the traditional MSSP experience is more about managing a highly competitive market with diminishing returns. They are well-versed at surviving the race to the bottom. But when it comes to managing threats (not devices), they are just as inexperienced as the emerging MDR players.

We’ve been in business for 20 years. We were in New York during 9/11. We protected our customers through Hurricane Sandy. And now are protecting them during Covid-19 cyberattacks on remote workers. We’ve kept tens of thousands of hospital beds functioning throughout the pandemic and protected critical infrastructure and manufacturers working to deliver life-saving technology. Our approach, our proprietary technology and our methodology comes from decades of experience. Our ethos is earned and worn with pride: our customers’ networks can never be compromised. We have the years of service to rival MSSPs and stand above the other MDR players when it comes to facing down threats. We’ve gone toe-to-toe with nation states, organized criminals and exposed multiple zero day APTs. We don’t play “Call of Duty.” Our SOC analysts are called to duty and they perform it well, every day.

What’s Next?

The other constant since the term Managed Detection and Response was born is, of course, change. Every year, Gartner identifies critical security areas that need protection. For example, endpoint security has been a focus the last couple of years, whether delivered as a proprietary solution or as a partnership with the leading Endpoint Detection and Response (EDR) and next-generation anti-virus vendors. This year’s guide focuses on cloud services, specifically software as a service (SaaS) and infrastructure as a service (IaaS). And that’s sage advice. The guide notes that “coverage for cloud services … has improved during the past 12 months; however, it is still a work in progress for many MDR providers.”

An MDR vendor should be able to protect your entire environment--not simply your network traffic or endpoints. Its services should encompass network telemetry, endpoint forensics, log aggregation and cloud services. eSentire launched its cloud services in 2019 and was in full swing when Covid-19 hit. Endpoint was also well established by that point.

Cloud services and endpoints represent the new cyber war front. Covid-19 taught us that lesson. But the new Gartner MDR guide also covers a new frontier for MDR:IoT, industrial control system (ICS) and supervisory control and data acquisition (SCADA), the triad of Operational Technology (OT). Once restricted to the manufacturing assembly floor or hidden away in guarded utilities and power plants, these digital industrial controls are now exposed to cyberattacks as OT and IT technologies blend.

We easily identify cyber adversaries as risk factors, but often overlook the fact that we ourselves introduce risk when we adopt new technologies or emerging business models. OT controls are run by engineers who know how to assemble products or operate a nuclear power plant. But they don’t know IT security. And IT experts lack expertise in operational engineering.

And it’s not just manufacturing and utilities. Healthcare is based on connected healthcare devices from patient telemetry to medical imaging to pacemakers and insulin pumps. They call it Healthcare IoT (HIoT). Most MDR vendors lack fundamental experience with industrial security. For more than five years, we’ve protected transportation, manufacturing, healthcare facilities and public utilities from cyberattacks. I’m not sure how many other companies in Gartner’s report can say the same.

Since the term MDR was first coined by Gartner, we’ve been through natural disasters, pandemics and war. Digital transformation is accelerating like a runaway freight train. Everything is connected and there is nowhere to hide. Every surface is exposed to cyberattacks. So, when you look over your cybersecurity wall, look at the MSSP or MDR vendor at your side. Are they shiny and new and full of promise? Or do they carry the weight of experience? I don’t know about you, but when it comes to protecting my business, I want experts who have seen it all and know how to confront cyberthreats. Catchy phrases, pretty slide decks and enticing price tags won’t seem very comforting when the cyber predators start circling your business.

Mark Sangster

Mark Sangster

Vice President and Industry Security Strategist

Mark is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations.