Managed Detection and Response (MDR) - a growing trend
Achieving operational awareness and visibility into an organization's security related events usually would require a SIEM type of solution able to ingest thousands of events from security tools. The idea was to classify and report on events, which would give the ability to manage and contain threats.
Truth is, SIEM was never a particularly successful solution: it would entail high implementation costs and diligent maintenance. In the SEE region, it would be usually run by customers as an in-house service via a SOC approach (Security Operations Center). The in-house team would lack time to properly respond to all events and pretty soon they were swamped. Complicating things further was a lack of visibility into events, particularly those occurring on endpoint devices operated by employees.
That is one reason why Endpoint Detection and Response (EDR) is becoming so popular: by focusing on endpoint assets, it surfaces many of the events that were previously unknown to devices such as firewalls or antimalware software. It also automates detection capabilities by compressing multiple log entries into a more meaningful event, making it easier for analysts to assess the risk.
However, with the addition of EDR or XDR technology to the organization's security stack, the number of security related events suddenly grows even beyond what was usually expected from a SIEM deployment. The events that suddenly become visible include:
Powershell abuse or misuse
Malicious script executions
Process and kernel hook events
DLL side loading
Registry modifications
Memory exfiltration
Fileless attacks
and many more
Understanding all those events, assessing risk and differentiating from false positives, requires knowledge, skill, experience - and time.
All this means that an in-house approach is becoming even more unfeasible for a SOC. A managed detection and response (MDR) outsourced service is therefore becoming an integral part of EDR offerings. The goal is not only to notify the organization of attacks or suspicious events, but rather take targeted actions on its behalf to contain and neutralize threats.
As security events and attacks will only grow, it is not surprising that Gartner predicts by 2025, 50% of organizations will be using MDR services for threat monitoring, detection and response functions that offer threat containment and mitigation capabilities.
But what do you need to take into account when calculating the return on investment with MDR? These are the most important parameters:
The number of security tools used: firewall, secure web gateway, VPN, antimalware, secure email gateway, etc.
Alerts generated per tool
Number of alerts an analyst can handle per day (typically, assume 50)
Full cost per analyst (salary, bonus, benefits, onboarding)
Annual training costs per headcount (certifications, travel, conferences)
Annual headcount turnover rate
Hiring costs
Of course, this is just a very basic estimation. The parameters could be made more precise (for ex. time to respond, time to resolution, etc), but even with these inputs you can quickly figure out how much staff you would need to effectively address the security alerts, especially after the introduction of EDR.