What is Managed Extended Detection and Response (MXDR)?

Managed services that help unify multiple sources of threat telemetry beyond just the endpoint


What is MXDR? 

Managed extended detection and response (MXDR) is a managed service typically performed by a cybersecurity services provider. A customer can hire a managed XDR provider to monitor telemetry from multiple sources – particularly beyond the endpoint – in a client’s ecosystem that might include many third-party event sources, each with a specific function within the customer’s environment.

The MXDR provider would detect, triage, and investigate potential threat telemetry within that third-party ecosystem in an effort to stop malicious behavior before it can cause real harm to the security organization and the business it protects. MXDR is additive to a managed detection and response (MDR) solution in that it extends the coverage and protection capabilities of an MDR provider.

According to Enterprise Strategy Group (ESG), XDR security capabilities “can act as a cybersecurity force multiplier.” The evolution of XDR into a managed service is relatively new, but the potential benefits are numerous to an organization lacking headcount or proper security skill sets.

MXDR vs. MDR

The main difference between an MXDR security provider and an MDR security provider is that MXDR extends capabilities to analyze, verify, and act upon security telemetry across and beyond an entire network – and the systems, devices, and cloud applications it includes.

While MDR services do focus on securing a network, they tend to localize detecting and containing threats to the ecosystem of individual endpoints that exist on that network, and typically aren't capable of analyzing and synthesizing the sheer range of telemetry sources an MXDR provider can take on.

MXDR Features 

Managed extended detection and response truly sits at the convergence of managed endpoint detection and response (MEDR) and pure managed security services providers (MSSPs) that focus on basic network monitoring and management. Let’s take a look at some key features and capabilities an MXDR provider should bring to the table.

Unified and correlated telemetry

XDR integrates telemetry from across a modern environment to help analysts better understand how various events are linked and when certain behaviors should be flagged as potentially suspicious. Teams get the right data to enable confident, efficient, and effective threat detection and response.

High-context investigations

To successfully conduct an investigation, it’s important to understand the context in which that incident took place. XDR technology accelerates the service provider’s ability to properly respond to threats and attacks on behalf of their customers.

Providers can eliminate context switching and ensure teams have high context and correlated investigation details that blend relevant data across multiple event sources into an informative picture.

Automated response

Security automation reduces repetitive, manual work. This enables providers to focus on what matters most to a customer’s organization, as they leverage automation features, prebuilt workflows for containing endpoint threats, suspending user accounts, and integrating with ticketing systems.

Intuitive dashboards and reporting

Dashboards and reports turn event data into helpful visuals to assist in identifying activity that doesn’t form a standard pattern. This visual overview of an environment provides insight into critical details and the data necessary to make actionable decisions.

Alert prioritization 

The vast majority of alerts will never turn out to be high-profile threats. Automation can help to sift, parse, and prioritize the alerts that actually need analyst attention. Look for a strong signal-to-noise ratio, as well as security alerts that are quantified and scored.
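The correlation and scoring described under "Unified and correlated telemetry" and "Alert prioritization" above, shown as an added example that is not code from the original page or from any MXDR provider. It normalizes three constructed sample feeds (an endpoint agent, an identity provider, and a cloud audit log), each with its own field names, onto one common record; groups signals by user that fall within a time window of one another; scores each correlated alert; and flags which alerts need an analyst. The feed schemas, signal weights, correlation window and analyst threshold are all assumptions chosen for illustration.

```python
"""Correlate telemetry from several event sources and score the resulting alerts.

Added example, not code from the original page. Source schemas, field names,
weights, window and threshold are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three hypothetical sources. Note that each
# source names the same concepts (time, user, asset) differently.
ENDPOINT_EVENTS = [
    {"ts": "2024-05-01T09:00:10Z", "hostname": "ws-042", "username": "alice",
     "process": "powershell.exe", "detection": "encoded_command"},
    {"ts": "2024-05-01T11:30:00Z", "hostname": "ws-017", "username": "bob",
     "process": "excel.exe", "detection": "macro_executed"},
]
IDENTITY_EVENTS = [
    {"time": "2024-05-01T08:58:00Z", "user": "alice", "src_ip": "198.51.100.7",
     "event": "login_success", "mfa": False},
    {"time": "2024-05-01T11:00:00Z", "user": "bob", "src_ip": "203.0.113.5",
     "event": "login_success", "mfa": True},
]
CLOUD_EVENTS = [
    {"eventTime": "2024-05-01T09:05:00Z", "principal": "alice",
     "action": "CreateAccessKey", "resource": "iam"},
]

# Assumed weights: how much each normalized signal contributes to an alert score.
WEIGHTS = {
    "encoded_command": 40,
    "macro_executed": 20,
    "login_without_mfa": 15,
    "CreateAccessKey": 25,
}
CORRELATION_WINDOW = timedelta(minutes=30)  # signals this close together form one alert
ANALYST_THRESHOLD = 50                      # alerts at or above this need a human
CORROBORATION_BONUS = 10                    # per additional source that contributed a signal


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def normalize(endpoint, identity, cloud):
    """Map each source's schema onto one common record: time, user, asset, signal, source."""
    records = []
    for e in endpoint:
        records.append({"time": parse_ts(e["ts"]), "user": e["username"],
                        "asset": e["hostname"], "signal": e["detection"], "source": "endpoint"})
    for e in identity:
        # Derive a richer signal than the raw event name: a login without MFA is notable.
        signal = "login_without_mfa" if e["event"] == "login_success" and not e["mfa"] else e["event"]
        records.append({"time": parse_ts(e["time"]), "user": e["user"],
                        "asset": e["src_ip"], "signal": signal, "source": "identity"})
    for e in cloud:
        records.append({"time": parse_ts(e["eventTime"]), "user": e["principal"],
                        "asset": e["resource"], "signal": e["action"], "source": "cloud"})
    return records


def build_alert(user, cluster):
    """Score one cluster of records; signals from several sources corroborate each other."""
    base = sum(WEIGHTS.get(r["signal"], 0) for r in cluster)
    contributing = {r["source"] for r in cluster if WEIGHTS.get(r["signal"], 0) > 0}
    bonus = CORROBORATION_BONUS * max(len(contributing) - 1, 0)
    return {
        "user": user,
        "start": cluster[0]["time"],
        "signals": [r["signal"] for r in cluster],
        "assets": sorted({r["asset"] for r in cluster}),
        "sources": sorted(contributing),
        "score": base + bonus,
    }


def correlate(records):
    """Group records by user, then split each user's timeline wherever a gap exceeds the window."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        by_user[r["user"]].append(r)
    alerts = []
    for user, recs in by_user.items():
        cluster = [recs[0]]
        for r in recs[1:]:
            if r["time"] - cluster[-1]["time"] <= CORRELATION_WINDOW:
                cluster.append(r)
            else:
                alerts.append(build_alert(user, cluster))
                cluster = [r]
        alerts.append(build_alert(user, cluster))
    return alerts


def prioritize(alerts):
    """Order alerts by score and mark the ones that need analyst attention."""
    ranked = sorted(alerts, key=lambda a: a["score"], reverse=True)
    for a in ranked:
        a["needs_analyst"] = a["score"] >= ANALYST_THRESHOLD
    return ranked


if __name__ == "__main__":
    for a in prioritize(correlate(normalize(ENDPOINT_EVENTS, IDENTITY_EVENTS, CLOUD_EVENTS))):
        print(f"{a['user']:6} score={a['score']:3} analyst={a['needs_analyst']} "
              f"sources={a['sources']} signals={a['signals']}")
```

Run as written, the three events attributed to `alice` (a login without MFA, an encoded PowerShell command on her workstation, and an access-key creation in the cloud account) land inside one window and reinforce each other into a single high-scoring alert, while `bob`'s macro execution, with no corroborating signal from another source, stays below the analyst threshold. The design point is that the corroboration bonus only counts sources that contributed a weighted signal, so a benign login does not inflate a score simply by being in the same window.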

MXDR Benefits

Of course, any managed service has the basic benefit that someone else does the work so that you don't have to. However, when we compare the benefits of MDR against the more modern MXDR approach, there are some clear, updated outcomes and benefits for a security operations center (SOC).

Enhanced visibility 

Adding coverage for third-party event sources eliminates the need for analysts to swivel-chair and manually normalize information across a technical environment, saving time and making teams more efficient.

Reduce complexity

Security teams already use so many siloed security tools. By relying on an MXDR provider to ingest top third-party event sources, a SOC can confidently reduce noise and streamline responses for greater visibility into their environment.

Optimized response

The more information an MXDR incident response team has on hand, the faster they are able to respond to threats and eradicate them from customer environments. Extended coverage of a customer’s environment enhances the amount of data available to the service provider – with pivotal endpoint, network, identity, and cloud information.

What to Look for in an MXDR Vendor

If someone knew a little – not a lot – about the world of cybersecurity, they might think this is simply another acronym to add to the pile. XDR is a relatively new area of cybersecurity in and of itself, so when a managed services provider professes to offer XDR as a service, it helps to know the main bullet points of XDR itself.

A focus on efficiency 

The right XDR approach is the end of tab-hopping. It provides a single, comprehensive hub that can be expanded without technical limitations. Expect SaaS delivery to facilitate collaboration across the office or around the world. An effective XDR solution should also relieve security teams of steep analytical requirements, parsing and analyzing alerts for them.

High-fidelity detections

There is a dramatically different signal-to-noise ratio with mature XDR. The right methodology, threat intelligence, and diligence behind the detection library means a customer likely can trust detections out-of-the-box, with all disparate data typically correlated by user, cyber asset, and activity.

One-click automation 

Forrester says XDR should include prescriptive-response cybersecurity playbooks that can be executed with one click. An MXDR customer should expect prebuilt workflows for things like endpoint threat containment, user-account suspension, and integration with ticketing systems like Jira and ServiceNow.

If an MXDR provider can offer these capabilities in an extended detection and response solution, they’ll likely be able to take down threats faster by acting on curated and actionable telemetry, as well as leveraging proactive intelligence to detect threats earlier.
