Research from Gartner

Market Guide for Managed Detection and Response Services

Managed detection and response services allow organizations to add 24/7 dedicated threat monitoring, detection and response capabilities via a turnkey approach. Security and risk management leaders can use this research to determine whether MDR services are appropriate for their environments.

Key Findings

• MDR services are filling the need of organizations of all sizes that lack internal security resources and expertise, and want to expand their investments beyond preventative security technologies to address their detection, response and 24/7 monitoring gaps.
• Managed EDR is one of the most visible offerings within the market, available from MDR providers, MSSPs and the EDR technology vendors leveraging their own solutions.
• Response capabilities are evolving toward faster reactions once a threat is detected. The ability to disrupt and contain threats is becoming a standard offering. However, incident response retainers are still needed when an incident reaches a threshold that requires significant support.
• Many MSSPs are adding MDR-type services to their portfolios to compete against MDR service providers. This trend will continue over the next 12 months.

Recommendations

IT security and risk management leaders responsible for security monitoring and operations:

• Use MDR services to add threat detection, lightweight incident response, and 24/7 monitoring capabilities when they don't exist or are immature within an organization. Incident response retainers will still be required when significant support for large incidents and recovery is required.
• Use MDR services offering a turnkey technology approach so that your organization can focus on the outcomes delivered by a provider.
• Scrutinize how providers deliver services to ensure the technology stack fits well with existing security technology investments and the entire IT environment, from on-premises to cloud.
• Embrace threat disruption and containment as an incident response feature of MDR service providers, particularly where you do not have 24/7 operations to respond to threats that require immediate attention.

Strategic Planning Assumption

• By 2020, 15% of organizations will be using MDR services, up from less than 5% today.

Market Definition

This document was revised on 11 June 2018. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.

Managed detection and response (MDR) providers deliver 24/7 threat monitoring, detection and lightweight response services to customers leveraging a combination of technologies deployed at the host and network layers, advanced analytics, threat intelligence, and human expertise in incident investigation and response. MDR providers undertake incident validation, and can offer remote response services, such as threat containment, and support in bringing a customer's environment back to some form of "known good."

Market Description

MDR providers deliver services for buyers looking to implement or improve their threat detection, response and continuous-monitoring capabilities. Many MDR providers' services leverage technologies at the host and network layers that generate and collect security event and contextual data that support both the detection of threats and incident investigation (such as forensic data). Additionally, there is a focus on threat analytic detection techniques, threat intelligence and incident response activities, all of which can be expensive, difficult to obtain and hard to sustain for many organizations (midsize enterprises [MSEs] as well as larger enterprises). For large-enterprise-oriented MDR providers, the focus may be on leveraging the customer's existing technologies. However, this is only if the enterprise can provide the necessary data, context and functionality to detect, investigate and respond to threats, as well as augment security expertise and cover gaps in customer's security technologies.

MDR services are characterized by the following attributes, many of which are distinct from managed security services providers (see Figure 1 and Note 2):

• A focus on threat detection, geared toward attacks that have bypassed existing security controls. Use cases such as vendor-agnostic security technology management and compliance monitoring and reporting are not a focus of MDR services and are rarely addressed.
• The delivery of services using the provider's curated technology stack, such as network traffic analysis, endpoint activity monitoring and deception technologies, deployed on a customer's premises and managed by the provider. These technologies allow the MDR providers to monitor "south of the perimeter" as opposed to focusing on monitoring at internet ingress/egress points. Few MDR providers rely solely on logs generated by a customer's exiting security tools to monitor and detect threats, and where logs are collected, they may be used more as secondary data sources for additional context.
• Security event and data analytics systems that use threat intelligence and advanced data analytics that are fed curated events from the provider's technology stack (and, in some cases, customer-owned technologies as well).
• 24/7 monitoring, analysis and customer alerting of validated security events with incident triage performed by a person (not relying just on automation), as well as more direct communication with the provider's analysts and less emphasis on using a portal as the primary interface with the customer.
• The provider takes responsibility for determining what and how threats are detected. Customers may have little opportunity to customize threat detection use cases relative to their environment. For example, the MDR providers might be looking for specific tactics, techniques and procedures (TTPs) that indicate a threat is active in a customer's environment, but if the customer wants some rules specific to their environment, that level of customization may not be supported.
• Incident validation and some remote incident response activities are included in the service (or available as a premium add-on, in some instances), without the need for an incident response-specific retainer. Such activities may include malware analysis, identifying indicators of compromise (IOCs) and threat containment. Incident response retainers are reserved for significant circumstances where a major incident may have occurred. In most cases, recovery of an environment to a known, good state (reimage, rebuild, restore from backup and so on) falls on the client to manage (or coordinate via other means).
• An emphasis on a fast, turnkey deployment of services. This is due to the use of the provider's curated technology stack, which may be faster to deploy compared to the traditional MSS approach requiring the customer to identify critical event sources and implement log forwarding to a central collection appliance.

Figure 1. MSS and MDR Characteristics

Source: Gartner (June 2018)

Market Direction

MDR Is a Dynamic Market

The MDR market is growing, as Gartner observes continued interest in the market. Approximately 25% of all inquiries in 2017 related to acquiring security event monitoring services were specifically about MDR. The market today is characterized by acquisitions by firms looking to enter the MDR market, and general dynamism as new ideas and approaches are introduced by providers. MSSPs are reacting to customer demand and the MDR provider competition by adding or expanding managed EDR and threat hunting-as-a-service offerings. However, some claim they have MDR offerings, with minimal evidence to support those claims.

Key observations of the dynamism of the market include over the last 12 months:

• Demand from midsize enterprises has been particularly strong, as MDR services are viewed as a better fit than procuring security event monitoring services from an MSSP. Buyers' lack of investment in threat detection technologies, processes and people continues to drive demand. Gartner clients with little to no investments in threat detection and response technologies report that outsourcing security event monitoring to an MSSP has led to unmet expectations and negative experiences. Clients often question why they have little to show for the money spent.
• There is market segmentation between MDR as a turnkey service for midsize and smaller enterprises, and MDR to augment existing threat detection and response capabilities in larger enterprises. In conversations with MDR providers, we find that many try to align to one of these segments, though fewer claim to be competing in both. The exceptions are when they are able to segment how the service is delivered, usually via the technologies deployed (for example, managed EDR only versus use of a full network and host technology stack), or the target customer size is so wide that they end up competing in both segments.

"Response" Is a Defining Element of MDR Services, and Capabilities Are Going Further

Many MSSPs offer security event monitoring and threat detection and alerting services, where the customer's security or IT team provides incident triage, analysis and associated response activities, such as containing and mitigating the threat. Gartner clients state that they want more comprehensive threat detection and response services than are typically provided by many MSSPs. MDR services include varying degrees of "lightweight," remote incident response services as part of the core services. MDR providers favor dedicated response experts in their security operations centers (SOCs). These experts validate potential incidents, assemble the appropriate context, investigate as much as is feasible about the scope and severity given the information and tools available, provide actionable advice and context about the threat, and increasingly the ability to remotely disrupt and contain threats.

These capabilities are very appealing to midsize and smaller enterprises, as they lack 24/7 operations to respond when threats are detected outside of business hours. MSEs indicate a greater acceptance of containment actions where and when threats represent business-level impact. Larger enterprises that have 24/7 IT operations and a security operations team to handle response activities currently tend to be less interested in containment being done by the provider. However, they are interested in having the technical capability to initiate the containment themselves, such as through a button in a portal that will initiate containment through an EDR agent.

Disruption and containment of threats can take various forms, and MDR providers are trying different options. There is no one winning approach, although isolation of a host via an EDR tool and blocking traffic on a firewall appear more frequently. Example methods include:

• Changing firewall rules via APIs, watchlists and rules updates
• Isolating a process or a host from the network using an endpoint agent
• Locking and suspending user accounts
• Integrating with a customer's network access control (NAC) tool
• Blocking network activity via DNS requests and TCP resets

More MSSPs Now Offer MDR-Type Services

Over the last 12 months, many more MSSPs have added MDR-type offerings that supplement their existing services, primarily in the form of managed EDR and threat-hunting services (or a combination). However, there are some MSSPs with credible offerings that include their own proprietary host and network technologies, supported by their own threat intelligence and advanced analytics capabilities. These offerings tend to be purchased by larger enterprise buyers with specific MSS requirements that cannot be met by stand-alone MDR providers (such as technology management, vulnerability management and compliance reporting) and want more "advanced threat detection," along with traditional managed security services. Depending on their risk tolerance and culture, an organization may choose to adopt an approach that uses MSS for certain capabilities, and augments the MSSP with MDR services. However, this approach is the exception, rather than norm.

Adoption of the term "MDR" by MSSPs should be met with healthy skepticism by buyers, as Gartner has observed increasing use of the term in the last 12 months. In some situations, the use of the term is legitimately warranted. In other cases, there is little evidence that a service is really aligned to the characteristics defined in this note. Those exploring MSSPs for these services should assess the MSSPs' technology stacks (or supported technologies) and the availability of threat-hunting skill sets.

Market Analysis

Since Gartner defined MDR services in 2016, the number of providers claiming to be MDR has increased dramatically. A survey of the Representative Providers section shows the breadth of providers available across different regions and home markets. North America has a large population of providers, followed by Europe, in particular the Nordics region. Asia/Pacific and the rest of the world have few regional providers visible in the market today.

The current state of the MDR market can be summarized as follows:

• It is a dynamic market, with new providers entering and trying to differentiate themselves against existing providers, which in turn are adjusting their branding and offerings.
• Acquisitions are occurring as firms without MDR offerings seek to enter the market (for example, Booz Allen Hamilton acquiring Morphick and ADT acquiring DATASHIELD).
• MDR is seeing investments from venture capital and private equity, indicating support of MDR as a growth market (see Note 3).
• Endpoint protection platform (EPP) and EDR vendors are increasingly adding services to provide 24/7 threat detection (either in real time or via threat-hunting capabilities) to address customer demand.
• MSSPs actively attempt to compete in the MDR space, as evidenced by the new offerings being added, as well as by the maturation of more established offerings.
• Proactive capabilities are starting to enter the picture for some MDR providers that support MSEs and are looking to extend their services to help address other "security hygiene" gaps (such as vulnerability management).

MDR Providers Generally Target Two Types of Buyers

MDR services generally target two types of buyers as described earlier — MSEs and larger enterprises — both of which increasingly require 24/7 coverage. Providers focus on one of these types of buyers, but as expected, several support a range of buyer sizes and maturity, primarily by segmenting their services (for enterprises, for example) and packaging those services into specific offerings (such as for MSEs).

Over the next 12 months, Gartner expects to see MDR providers continue to segment their offerings to these distinct buyers. MDR providers focused on MSE and less mature organizations will drive packaged offerings that include the necessary technology backed by the provider's experts and processes. Larger enterprises and more mature enterprises will look to adopt MDR services when there are options available that allow the provider to address the specific situation of each customer. One example is the ability to leverage existing security technology investment where appropriate (if the enterprise has already invested in EDR or network forensic technologies, whether it's for a short duration as the enterprise gains experience with the solution, or as a long-term relationship). The provider can then segment its offerings to fill gaps in the customer's threat detection and response capabilities (such as using managed EDR only).

The Technology Stacks Employed by the MDR Providers Are Starting to Mature, but Still Have Gaps

The following characteristics of the technology stacks employed by MDR providers are being observed in the market:

• EDR agents have become the common technology employed for MDR — especially those offering containment capabilities. Most providers are aligned with a single EDR vendor, but we increasingly see MDR providers support two to three vendors. A number of EDR vendors are using their own proprietary technology. However, these are a work in progress for several vendors, and many don't yet support the response capabilities required to contain a threat.
• Network-monitoring capabilities using on-premises deployed sensors (physical or virtual) are being extended to include other vectors, such as DNS traffic and NetFlow data.
• Email monitoring is available from few providers, but it is appearing on more providers' roadmaps to shift threat detection capabilities earlier in the attack life cycle — for example, to the delivery phase — rather than focusing solely on the command and control (C2) phase.
• Deception technologies are offered by a few providers to address such challenges as accelerating service implementation and concerns about deploying EDR agents onto endpoints.
• Technologies to monitor industrial control systems (ICS), supervisory control and data acquisition (SCADA) and other operational technology (OT) environments is available in the market, and offerings are increasing based on MDR provider roadmaps. Europe, in particular, has several examples of providers with OT security monitoring offerings.
• Monitoring of cloud-delivered services, such as SaaS and IaaS in public cloud services, is still nascent outside of providers specifically focused on monitoring cloud environments, either agnostically or as part of a wider set of cloud management services. Adoption of direct monitoring of SaaS and IaaS environments has been slow, although Microsoft Office 365 and Amazon Web Services (AWS) CloudTrail are becoming more common. For SaaS there is a reliance on a customer procuring a cloud access security broker (CASB) solution. However, MDR providers are starting to establish partnerships with CASB vendors to expand their monitoring capabilities (if they don't have their own CASB solution already).
• Log management is not widely available from MDR providers, since the focus is on analyzing events and data from their own technology stacks, and not on compliance monitoring and reporting capabilities. This means some end users may see MDR as a misalignment to their main buying drivers. MDR buyers with this requirement may have to leverage their own log management tool when a preferred MDR provider is unable to meet that requirement.

Reliance on More Advanced Analytics

Another critical component observed with MDR services is reliance on more advanced analytics in event and data analysis platforms. MDR providers have entered this market with the ability to leverage commodity big data analytics platforms, such as Hadoop and Elastic, along with a growing pool of data science talent. This big data analytics approach takes the curated data out of the MDR provider's technology stack and enables the provider to do more-precise, real-time threat detection. However, buyers should realize that not all threat detection has to, or even could, be done with advanced analytics like machine learning. A range of analytics is required to do great threat detection, including whitelists, correlation rules, simple statistics and machine learning approaches.

The ability to collect large volumes of data also helps the MDR providers' incident investigation and response activities. Investment in log and data capture and analysis capabilities enables MDR providers to invest in smaller teams of experienced analysts focused on incident investigation and response. It also allows many providers to perform automated and manual threat hunting through their customers' logs and data, looking for IOCs.

A few MDR providers take the approach of leveraging commercial security information and event management (SIEM) solutions for security analytics and threat detection that are deployed on the customer's premise. Most MDR providers rely on a central, multitenant platform for analysis. This does not necessarily imply that a lack of advanced analytics and machine learning is an impediment to doing more precise threat detection (especially as many commercial SIEM solutions have advanced analytic capabilities). However, buyers should ask potential providers what tools and methods they employ, and how they differentiate their services from those of their competitors.

Pricing Models Are Primarily Based on the Size of the Buyer

When pricing is based on the size of the buyer's organization, the common metric is either number of employees or the number of IT assets being monitored. Many MDR providers use organization size as a core component of their pricing, not the volume or velocity of logs processed, or number of devices generating logs. Final pricing is based on a variety of factors. For example, variables affecting pricing may include the technology stack components employed; such pricing is a combination of organization size and the number of network appliances and EDR agents deployed. Some providers are more closely aligned with some MSSP pricing models; pricing services are based on the volume or velocity of events analyzed. Finally, some providers are employing approaches based on the number of incidents generated by a customer over a set period of time, usually monthly.

Representative Vendors

The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to provide more understanding of the market and its offerings.

Market Introduction

The MDR market has a variety of service providers around the globe. Representative providers listed in this section are referenced by the region where their corporate headquarters are located. However, many have a strong presence in multiple regions, ranging from a sales presence through to having regional headquarters and in-region SOCs. Buyers interested in specific providers should confirm their geographic presence in the buyer's region, especially as Gartner has witnessed many providers expanding, or planning to expand, their footprint outside of their home regions.

Table 1. Representative Providers Headquartered in North America

Source: Gartner (June 2018)

Table 2. Representative Providers Headquartered in Europe

Source: Gartner (June 2018

Table 3. Representative Technology Vendors Offering Managed EDR Services

Source: Gartner (June 2018)

Market Recommendations

• Organizations that have not yet invested, or are underinvested, in detection and response technologies and internal capabilities should consider MDR services. MSE buyers should look for providers with comprehensive technology stacks, while larger enterprises should look for providers that have flexible technology options.
• Do not assume that all MDR providers are the same. Choose a provider that is oriented toward your organization's size, security maturity level, specific requirements, and existing threat detection and response capabilities. The variability across offerings, delivery models, vertical expertise and pricing can make direct comparisons challenging. Having a strong set of requirements at the beginning will ease the analysis and selection process.
• Threat-oriented use cases beyond detecting and responding to external attackers, such as insider threats, privilege abuse and web-application level attacks, are not usually addressed by MDR service providers. Organizations with gaps in these use cases and requirements, must augment an MDR service with other providers, or look for a single provider that may offer a more comprehensive set of services. These include consultancies, system integrators or IT outsourcers that also offer managed security services.
• If internal response capabilities are nascent or immature, they should be treated just as important as threat detection capabilities when evaluating MDR providers. Time to detect a threat is great, but if the time to respond is still too challenging for an organization, then weighting response capabilities for a provider is critical. If an organization does not have 24/7 operations available to help with response, then focus on MDR providers that offer the ability to disrupt or contain a threat to buy time for the customer to initiate mitigation and recovery activities.
• Enterprises implementing an SOC should leverage MDR services as a way to accelerate threat detection while their SOC is being implemented and as it matures. This can mean an SOC is operating at a greater maturity level in several months, rather than several years. If the relationship is successful with the MDR provider, don't kick them out if you think you should be able to run everything yourself. Retaining the MDR provider as a long-term partner may be the best approach once the SOC is fully operational and self-sustaining.
• Use proofs of concept (POCs) to your advantage to validate claims and fit for purpose with your organization's requirements. Most MDR providers lack the vetting and decades of competition that MSSPs have faced. Therefore, the customer must perform sufficient due diligence on the MDR providers before signing a contract.
• If you have data residency and strong privacy or other compliance requirements, validate that the MDR providers can comply with them. Focus on MDR providers within your geographic region, or those using a data collection architecture in which your data remains on-premises, and only metadata or event data is sent back to a central SOC.

Note 2. MDR vs. MSS

Table 4 summarizes the differences at a high level across the MDR and MSS providers' landscape.

Table 4. Differences Between MDR and MSS

Source: Gartner (June 2018)

Source: Gartner Research Note G00334680, Toby Bussa Kelly M. Kavanagh Sid Deshpande Craig Lawson Pete Shoard, 11 June 2018