There’s a fundamental shift happening in what customers expect from today’s managed security service providers. Market trends indicate customers value providers that consider themselves “strategic security partners” focused on security outcomes, rather than on alert reporting and tool management.
In a booming market for managed services, traditional MSSPs are being displaced by Managed Detection and Response (MDR) players that differentiate their service based on customer-centric service models. These MDR vendors are placing an increased focus on strengthening their customers’ security posture, layering on industry experts, workflow processes, and industry-leading technology, to put security outcomes at the center of their success criteria.
The customer focus has changed, too. The goal is no longer simply to outsource SOC operations due to resource constraints or to build their security programs based on a service-oriented architecture. This is a stark contrast to traditional MSSPs, whose business model values a standardized approach focused on convenience rather than tailored, best-of-breed service delivery. Doing so meets the need to offload analyst bandwidth (either freeing up resources internally or removing the requirement to hire staff), but typically comes at the cost of less-than-ideal service from the MSSP.
While gradual, this shift is evident. And it can be marked by changes in five trends in customer requirements that lend themselves to MDR service providers:
1. Customers now look for a partner that doesn’t just manage a product—the vendor must offer a holistic solution for detection and response.
Most MDR service providers that evolved from the MSSP model typically deliver their service by leveraging either the third-party technology stack already implemented in the customer environment or one they recommend implementing for monitoring. This extends past finding alerts to supporting you in process development and recommending which containment, remediation, and mitigation actions to take to remove the threat from your environment. The best MDR providers don’t just run a SIEM solution for you: They use the product to deliver a solution that evolves over time.
How Rapid7 does it
At its core, Rapid7’s Managed Detection and Response service is a strategic partnership that allows your business to strengthen your security program maturity. Rapid7 MDR services extend your existing team to detect, investigate, report, and recommend response actions to threats in your network. We do this through 24x7x365 monitoring by a team of security experts, leveraging proven cloud SIEM technology, cutting-edge endpoint technology, and world-leading threat intelligence to stay ahead of attackers. When engaging with this service, you’ll gain a true security partner that can provide mentorship and guidance that simplifies the complexities of cybersecurity to securely advance your business.
2. Customers want to leverage providers for economies of scale, but their primary goal has shifted to achieving their desired security outcomes by adopting the service.
Delivering value in detection and response services goes above and beyond simply reacting to threats materializing in the customer’s environment. The best detection and response programs evolve with the threats that are targeting the organization, and they use tactical and strategic recommendations to both eliminate the threats and prevent them from recurring. Customers seek outcomes from the service, looking to the provider to be an expert in a changing landscape and to uphold the promise to deliver that outcome regardless of how the landscape changes.
How Rapid7 does it
Rapid7’s Managed Detection and Response service takes both strategic and tactical approaches to achieving our customers’ two primary security outcomes:
- Minimize the financial impact of a breach
- Maximize business continuity in the event of an incident
Tactically, our SOC team finds any threats or attackers in our customers’ environments and validates them before we provide containment, remediation, and mitigation recommendations to stop attackers in their tracks. On a strategic level, Rapid7 MDR services provide recommendations to advance our customers’ security programs by adding both proactive and reactive defenses based on the threats the SOC team sees and how those threats materialized in the environment. This allows all MDR service customers to advance their security programs and enable operations without impacting the business.
3. Customers want a partner that can leverage their existing investments for deeper visibility in addition to the managed provider’s recommended SIEM.
The best MDR vendors are most successful when they are able to implement solutions built on top of other products. Successful MDR service providers combine the tools in their arsenal with the output of the security tools that are already installed and configured in the environment. This combination gives the MDR provider the maximum amount of visibility and allows each customer to make use of their existing investment in technology to complement and extend detection methodologies.
How Rapid7 does it
Rapid7 is relatively unique in the MDR service space as one of the only vendors that both builds software and delivers its service on top of that software. As such, our team prioritized integrating event sources from your existing security infrastructure, granting the Rapid7 MDR services team greater visibility into threats across your environment. Additionally, our MDR service has guided the technology and features of our products, whereas other MDR providers and MSSPs use technologies whose engineering lifecycle they have no impact on or influence over. Our MDR service customizes workflows so we can marry the value we provide as a solutions provider with efficiency for managed services across multiple customers.
4. Customers seek expertise across the spectrum of incident detection and response disciplines and an intimate knowledge of their environment, from Tier 1 analysts to someone they can contact in case of full-blown Incident Response.
Delivering a top-notch MDR service requires multiple security disciplines to work in concert to deliver a service capable of finding malicious activity. From SOC analysts with varying backgrounds and experience levels to incident responders, malware analysts, network analysts, threat intelligence analysts and researchers, and developers, the best MDR services align experts together for one common customer cause: finding threats and breaches in their environments. That’s something that can’t be replicated by low-cost, outsourced analysts in other countries or by providers who focus on forwarding contextless alerts.
How Rapid7 does it
Your environment is monitored 24x7x365 by world-class SOC analysts, each with years of experience building detection and response programs, and hunting for and validating threats. SOC analysts leverage specialized toolsets, malware analysis, tradecraft, and forward-looking collaboration with Rapid7’s Threat Intelligence researchers to make detection and remediation of threats possible. These teams are augmented by a Customer Advisor (CA), who is your interface with the Rapid7 SOC and Threat Intelligence teams. The CA will provide suggestions on managing your technical environment while offering tailored guidance and recommendations specific to your business to accelerate your security maturity. Additionally, we have a custom engineering team to build capabilities above and beyond what a typical solution would provide for a large-scale SecOps operation like Rapid7 MDR.
5. Customers seek to build engaging relationships with a partner that can help evolve their entire program over time and accelerate their security maturity.
Incident detection and response programs are stressful. Chasing bad guys, delivering bad news, and working at all hours of the night are mandatory for any successful program. The best MDR services take the time to build relationships with customers such that when something happens and the MDR team is in the heat of the fire, the managed provider and customer both act as a team to collaboratively respond.
How Rapid7 does it
The CA is your main point of contact for the Rapid7 MDR service. This person has a deep knowledge of your organization and works with you as a strategic security partner. From initial technology deployment through incident remediation, the CA is the trusted security advocate. Above all else, the CA has great breadth of knowledge across industries, which is helpful in driving meaningful change beyond the tactical and analytical aspects of the MDR service.