MDR (Managed Detection and Response) is a class of services for businesses that includes customer infrastructure monitoring, threat hunting, incident response and system recovery.
How MDR works
MDR includes automated monitoring and response tools supported by the service provider’s SOC analysts.
The automated MDR tools usually belong to the service provider. They collect data from enterprise systems, check it for indicators of compromise and automate routine response tasks.
In turn, MDR experts monitor alerts from security solutions, analyze them in detail and, in the event of an incident, either take the necessary measures themselves or provide response recommendations to the customer.
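The division of labour described above (automated collection and IoC matching, a playbook for routine responses, escalation to analysts for the rest) can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from any MDR vendor; the IoC feed, the playbook actions, the escalation threshold and the telemetry lines are all constructed, and the hash, domain and address are deliberate placeholders (a repeated byte pattern, the reserved .invalid TLD and the 203.0.113.0/24 documentation range).

```python
"""
Toy MDR pipeline (added illustration, not vendor code):
  1. collect telemetry lines from EDR/NDR sensors
  2. check each event against an indicator-of-compromise (IoC) feed
  3. run an automated response playbook for routine cases
  4. escalate a host to SOC analysts once several IoC types hit it
All indicator values and log lines below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed IoC feed, keyed by the event field each indicator is matched
# against. None of these values are real indicators (see the placeholder note
# in the lead-in).
IOC_FEED = {
    "sha256": {"deadbeef" * 8},
    "domain": {"bad-example.invalid"},
    "dst_ip": {"203.0.113.77"},
}

# Hypothetical playbook: the routine automated action per IoC type.
PLAYBOOK = {
    "sha256": "quarantine_file",
    "domain": "sink_domain",
    "dst_ip": "block_ip",
}

# Hand a host to analysts once this many distinct IoC types have hit it;
# below the threshold the customer only receives a recommendation.
ESCALATION_THRESHOLD = 2

# Constructed telemetry in key=value form, as an EDR/NDR agent might emit it.
SAMPLE_EVENTS = [
    "ts=2024-05-01T10:00:00Z src=edr host=ws-01 event=process_start sha256="
    + "deadbeef" * 8 + " path=C:\\Temp\\update.exe",
    "ts=2024-05-01T10:00:05Z src=ndr host=ws-01 event=dns_query domain=BAD-EXAMPLE.invalid",
    "ts=2024-05-01T10:01:00Z src=edr host=srv-02 event=process_start sha256="
    + "0123abcd" * 8 + " path=/usr/bin/cron",
    "ts=2024-05-01T10:02:00Z src=ndr host=srv-02 event=connection dst_ip=203.0.113.77 dst_port=443",
    "ts=2024-05-01T10:03:00Z src=edr host=ws-03 event=logon user=alice",
]


@dataclass
class Alert:
    host: str
    event: dict
    matches: list                      # (ioc_type, observed_value) pairs
    actions: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Parse a whitespace-separated key=value line (values must not contain spaces)."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def match_iocs(event: dict, feed: dict = IOC_FEED) -> list:
    """Return the (ioc_type, value) pairs from the event that appear in the feed."""
    hits = []
    for ioc_type, values in feed.items():
        value = event.get(ioc_type)
        if value is not None and value.lower() in values:   # case-insensitive match
            hits.append((ioc_type, value))
    return hits


def run_pipeline(lines, feed=IOC_FEED, playbook=PLAYBOOK, threshold=ESCALATION_THRESHOLD) -> dict:
    """Collect, match, auto-respond and decide per host whether analysts take over."""
    alerts = []
    hit_types = defaultdict(set)       # host -> set of IoC types seen on it
    for line in lines:
        event = parse_event(line)
        hits = match_iocs(event, feed)
        if not hits:
            continue                   # benign telemetry: nothing to do
        host = event.get("host", "unknown")
        alert = Alert(host=host, event=event, matches=hits,
                      actions=[playbook[ioc_type] for ioc_type, _ in hits])
        alerts.append(alert)
        hit_types[host].update(ioc_type for ioc_type, _ in hits)
    escalated = sorted(h for h, types in hit_types.items() if len(types) >= threshold)
    recommend = sorted(h for h in hit_types if h not in escalated)
    return {"alerts": alerts, "escalated": escalated, "recommend": recommend}


if __name__ == "__main__":
    result = run_pipeline(SAMPLE_EVENTS)
    for alert in result["alerts"]:
        print(f"{alert.host}: matched {alert.matches} -> automated {alert.actions}")
    print("escalated to analysts:", result["escalated"])
    print("recommendations only:", result["recommend"])
```

On the constructed input, ws-01 triggers two different IoC types (a file hash and a domain) and is escalated to analysts, while srv-02 triggers only a destination-address match, so the playbook blocks the address and the customer receives a recommendation; ws-03 produces no alert. A real service would of course draw its indicators from curated threat intelligence and run far richer detection logic than exact IoC matching.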
MDR tools
MDR includes technologies such as:
- Endpoint Detection and Response (EDR), Network Detection and Response (NDR) or Extended Detection and Response (XDR) are solutions for detecting and responding to cyberthreats. EDR handles threats at the endpoint level (servers, employee computers, etc.), NDR at the network level and XDR at multiple levels.
- Endpoint Protection Platform (EPP) is a set of comprehensive endpoint security solutions that include antivirus, data encryption, vulnerability assessment and remediation technologies, application and device control, and more.
- Security Information and Event Management (SIEM) is a set of solutions for the collection and automated analysis of security event data.
- Intrusion Detection System (IDS) is a software or hardware solution for detection of unauthorized or malicious activity in the corporate infrastructure.
The full list of technologies varies from vendor to vendor.
How MDR differs from MSS
MDR is often compared to MSS (Managed Security Services). Although both types of services feature vendor-side security management of the customer’s infrastructure, they are not the same thing. MDR specializes in threat detection and rapid response, while MSS covers a broader range of cybersecurity services, such as regulatory compliance assessment, protection technology management (VPN, firewalls, etc.), penetration testing, general security recommendations and so on.