What IT security managers expect from managed detection and response
Faced with increasingly complex threats, IT security teams in companies of all sizes are sooner or later overwhelmed by the task of securing data, applications, and processes. But what help do they need? What is the requirement profile for a managed detection and response (MDR) service provider? And how do an IT security service and its external security experts improve the security situation in companies? Answers come from interviews with those responsible for security in the USA and Canada, conducted by Bitdefender and the Enterprise Strategy Group in August 2022.
Jörg von der Heydt, Regional Director DACH at Bitdefender, comments on the study from a German perspective: “A very similar picture emerges from the interviews with German customers. The spectrum of requirements for MDR service providers is similarly broad, as is the motivation for considering an MDR service. What they all have in common, however, is the fact that skilled workers – i.e., IT security analysts and specialists – are becoming increasingly difficult to obtain and retain, while the number and complexity of attacks are continuously increasing. At the same time, the dependence on digital, i.e. IT-supported processes, is increasing. A dilemma that can probably only be solved by the increased use of managed security services.”
The key findings of the study are as follows:
1) Many IT teams start managed detection and response in a planned manner.
MDR is not an emergency measure in many cases. Most of the respondents (57%) said that upcoming security audits were the reason for working with MDR providers. 47% wanted to review and manage vulnerabilities. Only 39% each acted specifically to prevent or contain an event, to detect security-related incidents, or to recover IT systems and digital processes after an attack. For 37%, the aim was to defend against a network intrusion or to respond more extensively to a security event. Around one in three (33%) hoped for help in pre-sorting and prioritising daily alerts.
When asked about their motivation, the security managers surveyed make clear how urgently they need help to cope with the scaling of IT security as well as the growing attack surface and complexity of attacks. 41% of study participants assumed that external security experts could do a better job of cyber defence than their in-house teams. This is a remarkable finding, because many of the participating companies are of a size at which they should have their own qualified security team. Equally high was the proportion of respondents seeking a more scalable operational model for their IT security. 37% implicitly admitted that they did not have the security tools and systems they needed to carry out their cyber defence processes. The following motivations are also interesting:
- 29% purchased MDR to obtain cyber insurance.
- 27% were unable to commit the security and expertise needed for IT defence internally.
- 27% did not see cyber security as their core competence and therefore outsourced it.
- 18% required protection even after hours.
2) Protecting cloud workloads is a high priority, but all attack vectors demand attention
On the one hand, study participants are looking for help in protecting complex IT landscapes. On the other hand, managers are almost as likely to hope for external help with basic defence technologies.
Customers expect an MDR provider to protect cloud applications (53%), followed by public cloud infrastructure (50%). The competence to assess cloud workloads for vulnerabilities (46%) and protection of the private cloud (43%) also play a role.
But classic endpoint protection also remains important. 43% of respondents expect vulnerability analysis at the endpoint from an MDR service provider. Almost equally important are the protection of identity and access rights (41%), endpoints (40%) and server workloads (39%).
3) Customer knowledge and proximity in demand
When selecting an MDR provider, customers demand one that offers business-specific services. For 49%, the ability to support existing security tools and technologies therefore played a role. 39% of the study participants required industry-specific knowledge of the threat situation in their industry. More than one in five (21%) also wanted a regional focus.
Accordingly, companies want a close customer relationship in addition to the classic competence factors. 38% see better involvement in the defence (a better engagement model) as a motive to consider other service providers. 29% of the respondents stated that the desire for a dedicated contact person could be a reason for them to change MDR providers.
In general, companies prefer to work with an MDR provider for the long term. 61% worked with their current partner for three or four years, 21% even for five years or longer. However, many companies also employ several MDR providers: 46% two, 34% three or even more partners.
4) Comprehensive competencies desired
Only a minority of the security professionals surveyed expect MDR service providers to cover the entire attack surface. Only 31% require external service providers to monitor 76 to 100% of the attack surface. 42%, however, demand protection of 51 to 75%. Key areas to be monitored are cloud workloads (67%), the network (66%), DevOps including application security (56%) and the Internet of Things (51%).
MDR is a multifaceted task
If you ask the IT managers about the results of an MDR engagement, one result seems less spectacular at first: only 42% were able to significantly reduce the rate of successful attacks on their company. Ultimately, however, this is also a remarkable result. After all, the attacks to which the cybersecurity analysts of an MDR provider react in a Security Operations Centre (SOC) are usually of a serious nature. Moreover, this can also be an indication that classic defence technologies such as anti-virus and endpoint protection provide a baseline contribution against the still important opportunistic, automated and apparently numerous attacks. Another 42% attested to a significantly improved security programme. 77% nevertheless see MDR as a strategic operational partner. Every second respondent benefited from the know-how of the security experts.
But concrete effects also play a role: 38% met compliance requirements with MDR, 38% lowered the operational costs of IT security and 32% were able to reduce the policy amounts of their cyber insurance. Last but not least, 35% reduced the stress level of the internal security team.
Figure 6: The results of working with an MDR service
On the process of the study
In the study commissioned by Bitdefender, ESG surveyed 373 cybersecurity professionals in the US and Canada between 3 and 14 August 2022. They worked for companies of various sizes with 100 or more employees from a wide range of industries. Over half (54%) of the participants worked for companies with 1,000 to 4,000 employees.
The complete study for download can be found under this link.