The Present and Future of Managed Detection and Response

This blog post has been (too) long in the making, and was co-authored by Migjen Hakaj, Principal Managed Detection and Response Strategist @ Mnemonic, and Amine Besson aka Behemoth, an independent worldwide Detection and Response Operations contractor working with leading SOCs and MDRs to re-imagine their operations.

Thesis

As a category, the MDR market focused on abstracting away the SOC technology layer into a (mostly) turn-key service, departing from the legacy helpdesk- or consultancy-styled managed SOCs. But SecOps is evolving, and so must the MDR service. Customers want ever more visibility and control, and increasingly want to drive Detection and Response Engineering programs themselves. We will explore where the MDR market is headed, and its convergence toward a mostly autonomic, technology-driven future.

State of play

MDR services have evolved through several waves of technological disruption, beginning with IDS and SIEM, moving through EDR and XDR, and now incorporating cloud-native and AI-driven tools. Yet the underlying value proposition has remained largely the same: provide continuous security monitoring and rapid threat detection.

Most MDR vendors focus on two core objectives:

  1. Delivering a platform and service that structurally observes a broad spectrum of security data to detect suspected threat actor activity
  2. Applying analytics and SOC analysts to identify and prioritize “real” threats

Typically, an MDR provider will ingest all “relevant security data” from a customer’s environment, layer proprietary logic and technology on top, and combine it with human expertise to filter out false positives. Ultimately, customers receive what is hoped to be high-fidelity alerts that highlight what truly matters, enabling them to respond swiftly and effectively to genuine security incidents.

Historically, the MDR market has focused on detecting and addressing “generic threats” (think DDoS, brute force or ransomware detections), sometimes still called “Use Cases”, a term now considered historical and superseded by threat-driven detection engineering processes. These were developed at scale, usually around the log sources that happened to be available rather than starting from the threats themselves.

This approach has provided vendors with economies of scale. However, as detection and response platforms have become more accessible to end users, generic threat detection is no longer a strong differentiator.

Consequently, MDR providers will have to reshape their value propositions and become more than “alert-forwarders” that over-rely on out-of-the-box detections from tools like EDR without adding engineering or expertise. Rather than simply flagging broadly defined threats, they will now have to emphasize a deeper understanding of later-stage attacks, and learn to safely respond to alerts using active mitigations (i.e. auto-containment and active disruption), where the stakes are higher and threats are more sophisticated.

In other words, the core focus is shifting away from merely responding to common threats to consistently analyzing whether a threat truly warrants a response on behalf of the customer.

Providing detection capabilities is thus more critical than ever, at a time when MDR must change one of its most important value propositions: detection content must be re-dressed from its generic state (log-source-centric use case development) into a threat- and attack-centric product that is relevant to the customer’s environment.

What is my detection coverage …

As organizations adopt newer detection technologies, especially SaaS platforms (Cloud SIEM, CNAPP, EDR etc.), they have by default access to more vendor-provided detection content than ever before. This has also opened the door to a much more heterogeneous data ecosystem. The scene has shifted from organisations running a single large, bloated centralized SIEM to several Cloud SIEM tenants, and it is not infrequent for them to be from different vendors. The same story applies to EDR, NDR, CDR, and whatever other specialized platform the industry will come up with next.

This surplus of distributed platforms puts customers in a position where detections accumulate in an uncontrolled fashion across detection systems, some owned by the MDR vendor and some by the customer themselves. Naturally, customers now wonder how well their detection coverage holds up across all those platforms, and are asking questions like:

  • What is my overall detection coverage with you as a vendor, across both your platform and mine?
  • Where is it most beneficial to deploy detections against these attacks, threats and actors?
  • Which data do I need to acquire first to provide the highest detection value?
  • Which threats are relevant to detect in my environment?
  • Am I missing any detection platform that would increase my coverage?
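As an added illustration (not code from the original post or from either author's organisation), the following Python script shows one concrete way to answer the first three questions above. It merges a constructed inventory of detections owned by the vendor and by the customer across several platforms, compares it with a constructed list of relevant ATT&CK techniques, separates gaps where the data is already onboarded (a detection engineering task) from gaps that need a new data source (a data acquisition task), ranks the missing sources by the number of relevant techniques they would unlock, and flags coverage that exists only on the vendor side or is duplicated across owners. Rule names, platform labels, the technique selection and the data-source names are all assumptions made for the example.

```python
"""Detection coverage across vendor- and customer-owned platforms.

Added worked example, not code from the original post. Every inventory
entry, technique and data-source label below is constructed for the
illustration.
"""
from collections import defaultdict

# Constructed detection inventory merged from several platforms.
# Fields: owner, platform, rule name, ATT&CK technique ID, data source the rule needs.
DETECTIONS = [
    ("vendor",   "edr",        "lsass-memory-access",        "T1003.001", "endpoint"),
    ("vendor",   "edr",        "powershell-encoded-command", "T1059.001", "endpoint"),
    ("vendor",   "cloud-siem", "identity-password-spray",    "T1110",     "identity"),
    ("customer", "cloud-siem", "privileged-role-assignment", "T1098",     "identity"),
    ("customer", "edr",        "procdump-lsass",             "T1003.001", "endpoint"),  # overlaps with the vendor rule
    ("vendor",   "ndr",        "dns-tunnelling-entropy",     "T1071.004", "network"),
]

# Constructed threat profile: techniques the customer wants covered, each with
# the data source a detection for it would need.
RELEVANT = {
    "T1003.001": "endpoint",  # OS Credential Dumping: LSASS Memory
    "T1059.001": "endpoint",  # Command and Scripting Interpreter: PowerShell
    "T1110":     "identity",  # Brute Force
    "T1098":     "identity",  # Account Manipulation
    "T1071.004": "network",   # Application Layer Protocol: DNS
    "T1486":     "endpoint",  # Data Encrypted for Impact
    "T1021.001": "network",   # Remote Services: Remote Desktop Protocol
    "T1530":     "cloud",     # Data from Cloud Storage
    "T1078.004": "cloud",     # Valid Accounts: Cloud Accounts
    "T1567":     "proxy",     # Exfiltration Over Web Service
}

# Constructed: data sources currently flowing into at least one platform.
ONBOARDED = {"endpoint", "identity", "network"}


def technique_coverage(detections, relevant):
    """Map each relevant technique to the set of (owner, platform) pairs that detect it."""
    cov = {technique: set() for technique in relevant}
    for owner, platform, _rule, technique, _source in detections:
        if technique in cov:
            cov[technique].add((owner, platform))
    return cov


def coverage_report(detections=DETECTIONS, relevant=RELEVANT, onboarded=ONBOARDED):
    """Answer the coverage questions: what is covered, by whom, and what to fix first."""
    cov = technique_coverage(detections, relevant)
    covered = sorted(t for t, who in cov.items() if who)
    gaps = sorted(t for t, who in cov.items() if not who)

    # Gap where the data is already onboarded: a detection engineering task.
    engineering_gaps = [t for t in gaps if relevant[t] in onboarded]

    # Gap where the data is not onboarded: a data acquisition task. Rank the
    # missing sources by how many relevant techniques each one would unlock.
    unlocks = defaultdict(list)
    for t in gaps:
        if relevant[t] not in onboarded:
            unlocks[relevant[t]].append(t)
    data_priority = sorted(unlocks.items(), key=lambda kv: (-len(kv[1]), kv[0]))

    # Coverage that disappears if the vendor relationship ends, and coverage
    # that is duplicated across owners (a candidate for consolidation).
    vendor_only = [t for t in covered if all(owner == "vendor" for owner, _ in cov[t])]
    duplicated = [t for t in covered if len(cov[t]) > 1]

    return {
        "coverage_ratio": len(covered) / len(relevant),
        "covered": covered,
        "engineering_gaps": engineering_gaps,
        "data_priority": data_priority,
        "vendor_only": vendor_only,
        "duplicated": duplicated,
    }


if __name__ == "__main__":
    for key, value in coverage_report().items():
        print(f"{key}: {value}")
```

With the constructed inputs, half of the relevant techniques are covered; two gaps (RDP lateral movement and encryption for impact) sit on data that is already onboarded and only need rules written, while the cloud data source would unlock two further techniques and is therefore the next source to acquire. In a real engagement the inventory would be exported from each platform's rule store and the relevant technique list derived from a threat profile rather than typed in by hand.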

…And what is my MDR doing to improve it?

Managed SOC services have traditionally struggled to demonstrate the actual threat detection capability their service provides. It is a difficult problem, and the concepts behind threat-driven detection capabilities are very recent.

Historically speaking, the industry focused for a long time on visibility, trying to get data into SIEMs and figuring out what to do with it later.

SOC leaders are nowadays a lot more aware of (and concerned about) their actual effectiveness, and increasingly look to their MDR provider not only to onboard signals and log sources and provide generic detections over them, but also to drive their detection coverage forward.

While the practice of Detection Engineering is not yet widely used (or understood), it is becoming clearer that providing such services, whether through detection content creation or through more unique and innovative approaches, will become the separator between a minimal and a full-stack detection and response service provider.

MDR Is Drowning in Data — Where’s the Platform?

Over the past few years, we have seen a progressive platform unification among larger industry players, including Microsoft Defender/Sentinel, Palo Alto Cortex and Google SecOps. This best-of-suite approach has been successful in many companies, where it has made it easier to onboard advanced native tooling.

In a larger sense, many platforms extend outwards: SentinelOne and CrowdStrike offer SIEM solutions, SOAR is typically embedded as a function in several EDR/XDR solutions, and many tools have entire integration ecosystems to glue functions together.

While piecing together the right tech stack and architecture is difficult because of the breadth of choice, it also means that platforms have become more powerful and easier to deploy and use with SaaS delivery models, and SIEMs are becoming a less obvious centerpiece: sometimes a SOAR is a better centralization point for all signals. But as SOARs are themselves challenging to implement well, perhaps AI SOC tooling is a better construct for aggregating alerts.

MDR thus now has to deal with heterogeneity: what to onboard, deploy and integrate. Customers very (very) rarely have no detection and response tools at all, and simply streaming raw logs can be complicated, expensive, and slow to action. However, while challenging from an architecture standpoint, it also opens the door for MDR to provide a more comprehensive service, at the cost of more investment in its own platform.

MDR… or SOC 2.0?

MDR evolved from the traditional SOC by investing in a platform that would not only detect but also initiate response (through custom development, or by combining a commercial tech stack that leverages advances in Cloud and SaaS SecOps tools), which unlocks the next level of scaling efficiency.

Outsourced SOCs, on the other hand, were built to handle a flow of alerts (without going further into actual response) by throwing human resources at them, a setup which is becoming increasingly inefficient and unrealistic. Some are still spending human capital on aggregation, which is even less feasible as customers increasingly expect value from their MDR vendor further down the attack cycle.

The focus on building value-add, sometimes leading to hybrid solutions like Managed XDR (where a proprietary platform combines and exposes threat signals to the customer in a turn-key fashion), has been somewhat lost in the market, where many traditional SOC providers have rebranded to MDR without necessarily understanding the required investment and ambitious roadmap it represents.

MDR vendors should start asking themselves how they can build their own platform, combining signals from the many different tools a customer already has, while developing their own custom detections to complement them, in the end offering tailored detection coverage across the threats relevant to their customers.

And for SOC leaders, it begs the question: what is my MDR doing that I really can’t do better myself with well-managed technologies and a small number of internal detection and response engineers?

Unlocking the future of MDR

While today’s industry landscape is somewhat murky, with a mix of providers at different levels of ambition and execution, customer expectations are becoming sharper. In the next posts, we will dive into the required scaling factors for the next generation of MDR services, from scaling Detection Engineering to Data Pipelines and Threat Analysis.

More than ever — stay tuned


The Present and Future of Managed Detection and Response was originally published in Detect FYI on Medium.

Original link: https://detect.fyi/the-present-and-future-of-managed-detection-and-response-01a72088e6f6?source=rss----d5fd8f494f6a---4