Note: This post is the final part of The Untold History of MDR; if you haven’t done so yet, be sure to check out Part I: “Collaborative Threat Management” and “Embedded Incident Response” and Part II: Nerds at Work.
An accountant in a legal services organization opens an email from their manager outlining new security protocols which will be put in place while the team is working from home. The details are in an attached Microsoft Word document. Unbeknownst to the accountant, the email wasn’t from their manager—it was just cleverly disguised by hijacking an existing email thread. The instant the document is opened malicious macros go to work in the background, evading the enterprise-grade antivirus that’s in place. A piece of dropper malware executes. It connects to a command and control server. New malicious modules are downloaded and begin to use trusted operating system processes to scan the local network and scrape administrative credentials. So far, everything has been automatic, but now a human attacker gets involved—sitting at a keyboard a world away, manually guiding actions to remain below the radar. Suddenly, the attacker is disconnected. The beacons the malware installed stop reporting. Mere minutes after the malicious document was opened, the attack is contained.
As relayed in Part I, when we first started proactively intervening on behalf of our customers to stop attacks, we described our service as “Collaborative Threat Management” and “Embedded Incident Response.”
It wasn’t until 2016, when Gartner published their initial market guide (this past August, Gartner released the fifth version), that Managed Detection and Response (MDR) was elevated to a standard term. And in my view, MDR is a much better term than anything we came up with because it better captures the value and the mechanism:
And—as in the scenario at the top of this post—all of that happens before the customer is even aware that there’s an event unfolding.
From eSentire’s inception to today, almost 20 years later, the name of the services provided has changed but the mission has not: ensuring a customer’s network is never breached.
While our MDR services have been adopted by the mainstream today, they were forged in the fires of defending hedge funds, lawyers, critical infrastructure—and other high-value targets—against motivated, well-funded attackers.
Providing effective defense against such threats required constant, relentless innovation—in terms of foundational technology, operational scaffolding, and people-centric processes.
To a large extent, cybersecurity has always been a data problem. But today it is a big data problem: full-spectrum coverage (e.g., endpoints, network, cloud, logs) creates a constant stream of forensic data and telemetry from an expansive threat surface; in practice, a mid-market company can easily generate in excess of 10,000 alerts per day.
It takes a well-architected platform to ingest and process that data: pulling in signals, taking automated actions where possible, enabling SOC analysts and manual responses, and constantly evolving the heuristics, baselines and machine-learning algorithms that help the whole system operate (our 2018 acquisition of cybersecurity AI leader Versive really gave us an edge in this regard).
Even more recently, the cloud has become critical to what we do. Building a cloud-native platform takes time, expertise and investment—it requires completely rearchitecting systems and overhauling software development methodologies. This level of commitment means there’s no quick catch-up option for providers who’ve been left behind with legacy architectures.
But there’s no doubt that the investment is worthwhile, so we started the long and challenging shift to cloud native in early 2019—and our clients are already enjoying the benefits of Atlas, our cloud-native platform. To be clear, this wasn’t a lift-and-shift of our existing technologies; rather, it was a complete re-architecting and rebuilding.
Leveraging patented AI technologies, Atlas learns across our global customer base and immediately extends protection to every customer with each specific detection. This ability to rapidly learn and work at cloud scale, combined with expert human actions (there’s that people plus technology theme again!), stops breaches and reduces customer risk in ways unattainable by legacy security products, traditional MSSPs and other MDR providers.
And it turned out that our timing was prescient. When the pandemic struck and we shifted to a remote SOC model (we operate SOCs in Canada and Ireland), it coincided with the introduction of Atlas—and the cloud model made the transition from physical SOCs to a distributed SOC completely seamless.
So in a short time we’ve seen tremendous innovation in a range of areas: from the richness of the telemetry gathered by agents and sensors, to the ability to process volumes of data that even a decade ago seemed far-fetched, to advances in machine learning and other AI technologies that are key to finding well-hidden needles in ever-larger haystacks, to cloud-native architectures that enable necessary efficiency and scale.
I often get asked what will come next for MDR, in terms of technological evolution and in general.
While it’s impossible to say for certain, on the technology side I think we’ll see increasing levels of, and more powerful versions of, automation in the coming years. While automatic actions have been a part of cybersecurity for as long as “if…then” statements have been employed—which is to say, forever—we’re on the cusp of a new age of automation. Termed hyperautomation, this approach applies advanced technologies like robotic process automation (RPA) and artificial intelligence to extend well beyond what traditional automation technologies can achieve. Hyperautomation is already a key enabler of our Atlas platform, but I think we’re only scratching the surface of what this technology can do.
What about MDR in general? I think we can get a glimpse into the future by looking at some of the challenges in the latest Gartner market guide. Gartner lists a few challenges near the top of the guide, including the need to establish trust between providers and clients before direct responses can be implemented, and the potential for confusion in the marketplace because so many security providers purport to do MDR (related: 5 Essential Questions to Ask Your Security Provider). But one issue that was deeper in the guide is that customers will increasingly want protection that is customized to their environment.
Delivering custom protection introduces a whole new level of complexity for the MDR provider. A one-size-fits-all approach to detection and response lets you benefit from highly efficient economies of scale. However, when detection and response is tailored to the specifics of a customer’s environment, that’s an extra layer of nuance that must be accounted for in your baselines, your AI algorithms, your automated responses, and your manual interventions.
Most MDR providers are struggling to cover the cloud, let alone to introduce cloud-native architectures, and those two items are probably the top priorities for those vendors. They’re a long way away from offering truly customized protection.
But for those few vendors who are truly pioneering the MDR space, customization is a great way to earn client trust and stand out in a crowded and noisy marketplace.
It’s been almost 20 years since we set up the beginnings of eSentire in a spare bedroom in Waterloo, Ontario. So much has changed in that time—the threat landscape, the technology on both sides of the fight, the terminology—and when I sit back and take it all in, I’m amazed how far we’ve come.
But whether we call what we do Collaborative Threat Management, Embedded Incident Response or MDR, one thing has never changed: our guiding value that a customer’s network can never be compromised.
Eldon Sprickerhoff is the original pioneer and inventor of what is now referred to as Managed Detection and Response (MDR). In founding eSentire, he responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over 20 years of tactical experience, Eldon is acknowledged as a subject matter expert in information security analysis. Eldon holds a Bachelor of Mathematics, Computer Science degree from the University of Waterloo.