The Definitive Guide to Managed Detection and Response (MDR)

Balancing Risk, Cost and Capabilities
Table of Contents

3 Introduction: From Concept to Criminality
5 The Advent of Managed Detection and Response (MDR)
8 Criteria for MDR Providers
    8 Current market definitions
    8 Spotting potential red flags
    10 Technical criteria
        11 Visibility
        14 Signal fidelity
        16 Detection capabilities
        20 Response
    25 Other criteria to consider
    29 Takeaways
30 Technical criteria summary
    32 SOCaaS/Managed SIEM
    35 ED-little-r (single telemetry)
    38 MD-little-r (multiple telemetry)
    41 MD-little-r (full telemetry)
    44 ED-big-R (single telemetry)
    47 MD-big-R (multiple telemetry)
    50 MD-big-R (full telemetry)
53 Summary and Recommendations
54 Glossary

© November 2019
Criteria for Managed Detection and Response Providers: Current Market Definitions | Spotting Potential Red Flags | Visibility | Signal Fidelity | Detection Capabilities | Response | Other Criteria
The Seven Categories of Managed Detection and Response: SOCaaS/Managed SIEM | ED-little-r (Single Telemetry) | MD-little-r (Multiple Telemetry) | MD-little-r (Full Telemetry) | ED-big-R (Single Telemetry) | MD-big-R (Multiple Telemetry) | MD-big-R (Full Telemetry)

Introduction
FROM CONCEPT TO CRIMINALITY

In chess, the player who opens the game enjoys a first-mover advantage: the opening player takes the upper hand with an offensive strategy and forces the opponent into a defensive one. The history of cybersecurity has followed similar gameplay.

In 1971, a computer researcher named Bob Thomas created a program named Creeper, which moved between mainframe computers connected to the ARPANET and printed the message, "I'm the creeper: catch me if you can."

Intrigued by this idea, Ray Tomlinson (who invented email the same year) modified Creeper to copy itself rather than move itself, thereby creating the first self-replicating worm. Tomlinson then wrote the first antivirus program, Reaper, to chase and delete Creeper. As they say, the rest is history.

Originally rooted in academia, cybersecurity soon took on a darker nature when criminals took an interest. In 1988, the Morris worm infected an estimated tenth of the roughly 60,000 hosts then connected to the early internet; in doing so, it spurred recognition that cyber capabilities could be weaponized and monetized.1

Fast forward to today: global cybersecurity spending will exceed $200 billion in 2019, and cybercrime is expected to cost $6 trillion annually by 2021.

From the Morris worm of 1988 to the thousands of new exploits that now emerge every year, cyberattackers have demonstrated over the past three decades precision, skill and creativity in exploiting new technologies and applications. With the first-mover advantage of time and calculated execution, cyberattackers enjoy continued success despite enormous investments in cyberdefenses.

1 Named after its creator, Robert Tappan Morris, the Morris worm also resulted in the first felony conviction in the United States under the 1986 Computer Fraud and Abuse Act.
Attackers enjoy a first-mover advantage, whether they bide their time or strike quickly. Despite large defensive investments, particularly in prevention, breaches remain hidden longer and take longer to contain than ever before, leading to significant real-world consequences for organizations.

[Figure: four panels of survey data; the original graphics are reduced here to their values.]

DEFENSIVE INVESTMENT (share of spending)2
    Prevention: 44
    Detection: 26
    Containment: 15
    Remediation: 11
    Post-Incident Response: 4

ATTACKER SPEED3
    1-5 hours: 15%
    5-10 hours: 20%
    10-15 hours: 19%
    More than 15 hours: 46%

DEFENSIVE SPEED4
    Mean time to identify a breach (days): 2017: 191; 2018: 197; 2019: 206
    Days to contain a breach: 2017: 66; 2018: 69; 2019: 73

CONSEQUENCES5
    Average cost of a breach: $3.92M
    Cost per employee (SMBs): $3,533
    Cost per record: $150
    Abnormal client churn: 2018: 3.4%; 2019: 3.9%

2 Ponemon (March 2018): Third Annual Study on the Cyber Resilient Organization
3 2018 Nuix Black Report
4, 5 Ponemon: 2019 Cost of a Data Breach Study

The Advent of Managed Detection and Response (MDR)

Under-resourced, overextended and facing complications due to distributed people, process and technology, cybersecurity teams often struggle with threat prevention, detection, response and recovery activities.

Historically, prevention commanded the largest allocation of budget and resources. However, as threat actors developed more sophisticated attacks capable of bypassing preventative measures, the need for equal investment in detection and response capabilities became clear.

Released in 2016, the inaugural Gartner Market Guide for Managed Detection and Response Services6 cited an emerging category of security service providers that "improves threat detection monitoring and incident response capabilities via a turnkey approach to detecting threats that have bypassed other controls."

Going back as early as 2011, the concept of Managed Detection and Response (MDR) represents an acknowledgment that prevention will fail in some instances. Risk mitigation then depends on how fast an attack can be detected and, more importantly, contained and remediated before the business is disrupted.

In this high-stakes race against time, the threat detection and response challenge is exacerbated by digital transformation and mobility, which have substantially expanded the attack surface. What was once a defined perimeter is now a borderless environment that can span on-premises and cloud domains. With increased pressure from competitive markets, socioeconomic factors and regulatory consequences, security teams are looking for Security Operations Center (SOC) services to bolster internal capabilities with improved detection and response.

6 Gartner Market Guide for Managed Detection and Response Services, Toby Bussa, Craig Lawson, Kelly Kavanagh, Sid Deshpande, Pete Shoard, 10 May 2016
From prevention to modern threat management: over time, the mitigated risk has outpaced the total cost of solution ownership and investment, resulting in greater customer value.

[Figure: six generations of security service plotted against total cost of ownership (rising) and mitigated risk (rising faster), with open risk shrinking from left to right.]
    Prevention Technology: firewalls + AV + spam filtering
    Device Management: MSSP
    Alert Management: managed SIEM
    Alert Response: managed SIEM migrating to MDR
    Proactive Response: MDR + hunting
    Predictive Response: MDR + ML + dark threat intelligence

PREVENTION TECHNOLOGY AND DEVICE MANAGEMENT
Early security services centered on prevention and leveraged firewalls, antivirus and patching as proxies for risk management. As device numbers grew, organizations outsourced management of these devices, gaining scale but falling short in mitigating risk.

ALERT MANAGEMENT AND ALERT RESPONSE
As the attack surface spread and regulatory consequences grew in severity, focus shifted to correlating signals and generating alerts that could be actioned quickly while satisfying compliance. Unfortunately, the resulting volume of alerts led to longer incident dwell times, because organizations lacked the personnel and expertise to hunt, confirm and contain threats in a timely manner.

PROACTIVE AND PREDICTIVE RESPONSE
Ultimately, organizations recognized that achieving compliance alone does not equal effective cybersecurity. As a result, proactive and predictive threat management emerged. Both approaches leverage advanced technologies, including artificial intelligence, to illuminate the most elusive threats, reduce false positives and predict cyberattackers' next moves. Integrated response was the crucial factor in minimizing the dwell time of threat actors, while relieving organizations of the burden of staffing and operating an around-the-clock SOC.
A CROWDED, COMPLEX MARKETSPACE

While the necessity and efficacy of MDR have been validated, the marketplace for such services has become complex. Earlier-generation security organizations such as managed security service providers (MSSPs) and those providing managed Security Information and Event Management (SIEM) now recognize the opportunity and are pivoting their messaging and services to align with MDR. This growing contingent creates confusion around what MDR is and should be.

The original 2016 version of the Gartner Market Guide for Managed Detection and Response Services cited 14 organizations as representative vendors. Just three years later, the 2019 edition states that "Gartner estimates that there are now over 100 providers visible in this market claiming to offer MDR services."7

The lack of a clear definition of what constitutes MDR creates confusion about the attributes that organizations should use to qualify and validate MDR delivery from a potential provider. While no single definition can yet be established, a number of clear categories have emerged at the intersections of different levels of risk mitigation and cost.

This guide objectively defines the seven categories of MDR and explores their associated strengths and weaknesses. The goal is to help organizations make an informed choice that aligns with their business objectives, security resources and risk tolerance.

THE SEVEN CATEGORIES OF MDR:

• SOCaaS/Managed SIEM
• ED-little-r (Single Telemetry)
• MD-little-r (Multiple Telemetry)
• MD-little-r (Full Telemetry)
• ED-big-R (Single Telemetry)
• MD-big-R (Multiple Telemetry)
• MD-big-R (Full Telemetry)

7 Gartner Market Guide for Managed Detection and Response Services, Toby Bussa, Kelly Kavanagh, Sid Deshpande, Craig Lawson, Pete Shoard, 15 July 2019

Criteria for Managed Detection and Response Providers

CURRENT MARKET DEFINITIONS

Many analyst firms have released reports or guides that include broad category definitions of MDR providers. Many of these publications also list and discuss provider attributes to assist organizations with choosing an appropriate solution. Most recently, the 2019 edition of Gartner's Market Guide for Managed Detection and Response Services categorized providers into four general styles, based upon "technology stacks":

• Full stack from the provider
• Managed point solutions: Endpoint Detection and Response (EDR) and Network Detection and Response (NDR)
• Bring your own (BYO) technology stack
• Technologies for other environments and assets like cloud and devices: Infrastructure as a Service (IaaS), Software as a Service (SaaS), Operational Technology (OT), Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices

While these categories begin to distinguish between different MDR service providers, they don't stipulate the attributes that determine a provider's ability to deliver on the very purpose of MDR (i.e., minimizing threat actor dwell time). But before we define technical criteria by which any MDR provider can be objectively and functionally assessed, let's briefly examine organizational factors that can be used to initially qualify potential MDR providers.

SPOTTING POTENTIAL RED FLAGS

With over 100 MDR providers now being tracked in the marketplace, backgrounds differ vastly from provider to provider. MSSPs have evolved their offerings, software providers have added a managed component, consultants have added technology stacks and other players were founded as pure-play MDR providers.

While background alone does not qualify or disqualify a provider's capabilities, it does supply important context and is suggestive of a provider's ability to meet an organization's individual security requirements.

Outlined below are questions that should be asked of any potential MDR provider; the answers provide important information for subjectively assessing a provider's qualifications and suitability. They will help you understand whether MDR is a core competency of a particular provider or more of a trendy and opportunistic addition to a non-specialized portfolio.

COMPANY PROFILE
• What was the company's original mission?
• How has the company evolved over time?
• What is the company's core competency?
• Is the company a market leader or a follower?
• What is the leadership team's background?
• What markets does the company serve?

PEOPLE AND SERVICE DELIVERY
• From where does the company provide the service?
• Does the company have different levels of analysts?
• Does the company have specific response personnel?
• Does the company have dedicated threat intelligence analysts and researchers?
• For what positions has the company hired in the past?
• For what positions is the company currently hiring?
• Where are the new positions based?

FINANCIAL STRENGTH
• Is the company public or private?
• Who are the company's backers/investors, and what are their track records?
• Is the company profitable?
• What is the company's commitment to, and investment in, research and development?
• How much of the company's revenue is attributable to MDR?
• For how long will the company remain financially viable without additional investment?

DEMONSTRATION OF DELIVERY AND REVIEWS
• What do employees say about the company? (Glassdoor is a useful resource in this regard.)
• What do peer review sites such as Gartner Peer Insights, SpiceWorks, G2, etc. reveal about the company?
• What do searches on subreddits reveal about experiences working with or at the company?
• Does the company have case studies?
• Is the company clear about what they do and how they will deliver?
• Does the company have customer references and statements attesting to delivery?
• What are the company's client satisfaction scores, NPS and retention rates?

INNOVATION
• Does the company hold granted patents and intellectual property?
• What is the company's history of service and product releases?
• Does the service and product release history indicate reactive response to cyberlandscape developments or proactive anticipation of emerging shifts?
• What are the backgrounds, specializations and skillsets of the company's development and engineering team? (LinkedIn is a useful resource in this regard.)
• For what percentage of the total employee base do development and engineering account?

TECHNICAL CRITERIA: VISIBILITY, FIDELITY, DETECTION, RESPONSE

Beyond subjective organizational factors, it is important to define objective technical criteria against which any MDR provider can be measured.

To create a framework for assessing and comparing MDR providers, we will use four criteria:

• Visibility
• Signal Fidelity
• Detection Capabilities
• Response

These criteria correspond to the primary purpose of MDR: minimizing threat actor dwell time.

Using radar diagrams, these criteria are combined into an informative summary that captures the capabilities of each MDR segment.

[Figure: radar chart combining the four technical criteria on four axes: Visibility, Detection Capability, Response, Signal Fidelity.]

VISIBILITY

From applications to infrastructure, organizations are operating on-premises, in the cloud or in both. What was once a clearly defined defensive perimeter is now a shifting blend of mobile users and cloud workloads. As a result, visibility into the digital network is more critical than ever before.

There are many ways visibility can be obtained. MDR providers typically rely on telemetry from:

• Endpoints: process and event data
• Networks: NetFlow, metadata records, full packet captures (e.g., PCAP)
• Log Data: login events, detection events, etc.
• Cloud: data outside of logs, endpoints and vulnerability data, for instance from cloud access security brokers (CASB) or cloud workload records
• Vulnerability Data: exposed Common Vulnerabilities and Exposures (CVEs), exposed ports, etc.

In the context of the cyber kill chain8, each telemetry source has core competencies, visibility and efficacy across the attack surface.

[Table: telemetry source coverage by kill chain stage. The coverage marks in the original chart did not survive extraction; only the core-competency row and the "depends on configuration" annotations (two per stage, none for Weaponization) are recoverable.]

Telemetry source       | Core competency
Log                    | Breadth
Network                | Things in motion
Endpoint               | Process visibility
Cloud (outside of log) | Variable
Vulnerability          | Vulnerability visibility

Kill chain stages plotted: External Recon, Weaponization, Delivery, Exploitation, Installation, Internal Recon, Command and Control, Data Collection, Exfiltration. For each stage except Weaponization, two of the sources are marked "Depends on configuration."

8 The kill chain was originally used as a military concept related to the structure of an attack; breaking or disrupting an opponent's kill chain is a method of defense. More recently, the concept has been applied to cybersecurity.

At a superficial glance, it appears that log and cloud data provide the greatest coverage; however, as we will see when we explore signal fidelity, this appearance is deceiving.

Moreover, since attack surfaces vary widely, it's important for organizations to keenly consider their particular attack surface when evaluating potential MDR providers' capabilities with respect to visibility.

For example, distributed environments require visibility into cloud, Internet of Things (IoT) devices, industrial IoT (IIoT) devices and industry-specific services (e.g., eDiscovery, patient records, trading terminals, etc.). All of these environments and devices are potential attack vectors from which signals must be drawn. Visibility into the full attack surface is required to reduce dwell times, because every place a threat actor might be hiding must be monitored: blind spots serve as beachheads for attacks.

In addition, organizations should take into account their own or their service providers' ability to correlate data with telemetry that is out of the service scope. Admittedly, this consideration is typically a balancing act between in-house resources and cost; however, correlation and corroboration will nonetheless be required at some point for forensic investigation, confirmation of attacker presence, reduction of false positives and root cause discovery.

In reference to the radar chart, we can now populate the first axis, Visibility. While many variations can exist, to keep things simple the range of options is condensed into three points that capture the capabilities of the majority of MDR providers:

[Figure: radar chart with the Visibility axis populated at three points: Singular Telemetry Source; Multiple Telemetry Sources (Endpoint + Network); Full Telemetry Regardless of Deployment Model.]

SINGLE TELEMETRY: Typically endpoint or log only. Logs are limited if the source doesn't alert; an empty log is not evidence of absence, so "no news" is potentially a false indicator.

MULTIPLE TELEMETRY: Typically endpoint plus log or network, but still missing visibility to some degree across the entirety of the network.

FULL TELEMETRY: Visibility across endpoint, log, network, cloud and vulnerability data regardless of deployment model.
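As an added illustration of the correlation and corroboration point above (example code written for this edit, not from the guide or from any provider's tooling), the script below takes a single-telemetry endpoint alert and looks for supporting evidence in NetFlow and Windows event log records from the same host within a short window. The hostnames, addresses, event contents and the two-minute window are all constructed assumptions, as is the choice of an Office application spawning PowerShell as the trigger. What it shows beyond the prose: a host that has no log feed must be reported as a blind spot rather than as clean, because an absent source can never produce a true negative.

```python
"""Corroborating a single-telemetry alert across endpoint, network and log data.

Added example: every hostname, address and event below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set


@dataclass(frozen=True)
class Event:
    source: str          # "endpoint", "network" or "log"
    host: str
    ts: datetime
    detail: dict


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed telemetry for two workstations (assumed names).
# wks-17 ships endpoint events, NetFlow and Windows event logs.
# wks-42 ships endpoint events and NetFlow only: a log blind spot.
ENDPOINT: List[Event] = [
    Event("endpoint", "wks-17", _t("2019-11-05T09:14:02"),
          {"process": "powershell.exe", "parent": "winword.exe"}),
    Event("endpoint", "wks-42", _t("2019-11-05T09:20:11"),
          {"process": "powershell.exe", "parent": "winword.exe"}),
    Event("endpoint", "wks-17", _t("2019-11-05T11:02:45"),
          {"process": "powershell.exe", "parent": "explorer.exe"}),
]
NETFLOW: List[Event] = [
    Event("network", "wks-17", _t("2019-11-05T09:14:20"),
          {"dst": "203.0.113.25", "dport": 443, "bytes_out": 18402}),
    Event("network", "wks-17", _t("2019-11-05T09:15:00"),
          {"dst": "10.0.0.5", "dport": 445, "bytes_out": 2110}),
    Event("network", "wks-42", _t("2019-11-05T09:20:30"),
          {"dst": "203.0.113.25", "dport": 443, "bytes_out": 17988}),
]
WINLOG: List[Event] = [
    Event("log", "wks-17", _t("2019-11-05T09:15:03"),
          {"event_id": 4624, "logon_type": 3, "user": "svc-backup"}),
]
LOG_COVERAGE: Set[str] = {"wks-17"}   # hosts known to forward logs

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    """RFC 1918 check; anything else is treated as an external destination."""
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918)


def endpoint_triggers(events: List[Event]) -> List[Event]:
    """Single-telemetry detection: an Office application spawning PowerShell.

    A common hunting heuristic; on its own it is a lead, not a finding.
    """
    return [e for e in events
            if e.source == "endpoint"
            and e.detail["process"] == "powershell.exe"
            and e.detail["parent"] in OFFICE_APPS]


def corroborate(trigger: Event, netflow: List[Event], logs: List[Event],
                log_coverage: Set[str],
                window: timedelta = timedelta(minutes=2)) -> Dict:
    """Look for supporting evidence from other telemetry around the trigger.

    Returns the corroborating sources, the evidence, and the status of the
    log source, which separates "nothing logged" from "no log coverage".
    """
    lo, hi = trigger.ts - window, trigger.ts + window
    evidence: Dict[str, List[Event]] = {"endpoint": [trigger]}

    # Network: outbound flows from the same host to external addresses.
    external = [f for f in netflow
                if f.host == trigger.host and lo <= f.ts <= hi
                and not is_internal(f.detail["dst"])]
    if external:
        evidence["network"] = external

    # Log: only a host that actually forwards logs can yield a true negative.
    if trigger.host not in log_coverage:
        log_status = "no coverage"
    else:
        hits = [l for l in logs if l.host == trigger.host and lo <= l.ts <= hi]
        if hits:
            evidence["log"] = hits
        log_status = "corroborated" if hits else "no matching events"

    return {"host": trigger.host, "sources": sorted(evidence),
            "log_status": log_status, "evidence": evidence}


def triage(endpoint=ENDPOINT, netflow=NETFLOW, logs=WINLOG,
           log_coverage=LOG_COVERAGE) -> List[Dict]:
    """Run the trigger over endpoint telemetry and corroborate each hit."""
    return [corroborate(e, netflow, logs, log_coverage)
            for e in endpoint_triggers(endpoint)]


if __name__ == "__main__":
    for finding in triage():
        print(finding["host"], finding["sources"], finding["log_status"])
```

Run it directly to print one line per finding. The wks-17 finding is corroborated by all three sources; the wks-42 finding looks identical on the endpoint and on the network, but the log axis comes back as "no coverage" rather than "no matching events". Collapsing those two outcomes into one is exactly the false indicator the single-telemetry definition warns about, and it is the gap a provider's out-of-scope correlation has to close.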


QUESTIONS AND CONSIDERATIONS: VISIBILITY

When examining the visibility capabilities of potential MDR vendors, organizations should ask:

• What does our environment look like today, and what will it look like in the future?
• What technologies will give us appropriate visibility in the context of our unique threat landscape?
• What additional resources (e.g., people, process, technology) do we require to take action on informed decisions?
• Does the data integrate with our systems, making investigation and forensic analysis possible or easier?
• What industry-specific tools do we use that we must secure?
• Do the technologies also give us the ability to swiftly contain and respond to threats?
• What are the potential implications for regulatory requirements?
• Does the level of visibility help us meet our acceptable risk tolerance and support our business objectives?

SIGNAL FIDELITY

When law enforcement investigates a crime, different kinds of evidence provide different information and support different degrees of confidence in a conclusion. For example:

• DNA provides an in-depth level of evidence that cannot reasonably be refuted
• Eyewitness testimony is much less reliable
• Video surveillance is somewhere in the middle: useful in some circumstances but not without blind spots

The deeper the level of evidence (the fidelity), the more empowered analysts are to detect, hunt and confirm threat actor presence.

Visibility and fidelity are closely, but typically inversely, related. Log data provides broad visibility but is limited in depth, whereas full packet captures from the network provide deep fidelity but are limited in breadth of scope. Importantly, each has strengths and weaknesses when applied to the investigative process.

Building upon the previous chart, we see that the depth to which different telemetry sources provide information varies.

[Table: the kill chain coverage chart from the Visibility section with an added row for overall depth of visibility. As before, the per-stage coverage marks did not survive extraction.]

Telemetry source       | Overall depth of visibility | Core competency
Log                    | Low                         | Breadth
Network                | High                        | Things in motion
Endpoint               | High                        | Process visibility
Cloud (outside of log) | High                        | Variable
Vulnerability          | Low                         | Vulnerability visibility

Kill chain stages plotted: External Recon, Weaponization, Delivery, Exploitation, Installation, Internal Recon, Command and Control, Data Collection, Exfiltration. For each stage except Weaponization, two of the sources are marked "Depends on configuration."

When analyzing potential MDR providers, organizations should concurrently consider both the visibility they provide and the depth of that visibility. For instance, stepping once again through the different telemetry sources:

• Network: NetFlow or PCAP? Or both?
• Log: What APIs are available?
• Cloud: What data is being pulled besides logs? How is the data obtained (e.g., asset and service discovery, access management, data exfiltration, policy violations, etc.)?
• Vulnerability: What are the scope and limitations across cloud, mobile, IT, IoT, IIoT?
• Endpoint: What level of data is being pulled? Is it down to the process and binary level?

In reference to the radar chart, we now have the second axis. To keep things simple, three points represent the majority of MDR providers that can be plotted:

LOW LEVEL: Collection of high-level data only, such as NetFlow or logs.

MEDIUM LEVEL: Deep information from some sources (e.g., process and binary level from the endpoint) but limited information from others (e.g., NetFlow only from the network, or logs).

HIGH LEVEL: Collection of full visibility depth including NetFlow, PCAP, full endpoint, vulnerability, log, etc.

[Figure: radar chart with two axes populated. Visibility: Singular Telemetry Source; Multiple Telemetry Sources (Endpoint + Network); Full Telemetry Regardless of Deployment Model. Signal Fidelity: Low Level (e.g., log, NetFlow); Medium Level (e.g., full telemetry from some sources, limited from others); High Level (e.g., full endpoint, PCAP, log, vulnerability, etc.).]

QUESTIONS AND CONSIDERATIONS: SIGNAL FIDELITY

When examining the signal fidelity capabilities of potential MDR vendors, organizations should ask:

• Given our contextual threat landscape, what level of data is required to complete a thorough investigation of potential threats?
• Does the provider have the appropriate technologies and resources to ingest the data, normalize it and correlate it to arrive at informed decisions quickly?
• Do we have the resources in place to make sense of the data from the provider and to act on it accordingly?

DETECTION CAPABILITIES

Hunting, machine learning, automation, customized threat intelligence, behavioral analytics, known threats, unknowns, zero-days ... thanks to the ingenuity of security researchers and the persistence of attackers, the list of detection capabilities and related threats is endless.

Ultimately, the detection capabilities axis is the hardest on which to separate fact from fiction when assessing MDR providers. Examining both the traditional MSSP and the emergent MDR marketplaces reveals an abundance of buzzwords pertaining to the latest technologies and newest threats.

Without a proof of concept over an extended period, organizations vetting potential vendors must ask the right questions and should seek demonstrable proof of delivery.

To continue building the radar framework, a simplified spectrum of detection capabilities must be created, starting from very basic detection and extending to advanced functionality that can detect even unknown threats.

Signatures and indicators of compromise (IOCs) have become table stakes. Whether the target is an insider or a malicious actor living off the land, it is the capability to find signals within the noise that separates advanced detection capabilities.

Some providers tout machine learning or automation to enhance the perception of their detection capabilities. While important in the detection process, these technologies are tools to achieve scale, rather than techniques that provide additional detection capabilities per se. Consider the analogy of driving a nail into an object: a hammer is just as effective as a nail gun, but they differ considerably in scale.

As workloads continue to grow, scale must be achieved, but not by sacrificing quality. Organizations must be careful to appropriately balance machine learning and human intuition.

Algorithms are very efficient at processing large amounts of data, but are no match for the insights of a security researcher; at the same time, researchers rely on advanced tools to help them separate signal from noise.

For MDR providers, scaling with growing volume without producing false positives or false negatives is key.9 Aggregating across hundreds or thousands of clients and multiple technologies, the volume of signals can soar, eclipsing millions, and even billions, per day. Consequently, MDR providers must be able to ingest signals and apply detection and investigative techniques at scale without service degradation, which would lead to longer threat actor dwell times.

9 In the 2019 Ponemon SIEM Productivity Study, organizations on average reported wasting 441 hours a week investigating erroneous alerts from their self-managed SIEM alone.
16
Criteria for Managed Detection and Response Providers The Seven Categories of Managed Detection and Response
Current Market Spotting Potential Detection SOCaaS/ ED-little-r MD-little-r MD-little-r ED-big-R MD-big-R MD-big-R
Visibility Signal Fidelity Response Other Criteria
Definitions Red Flags Capabilities Managed SIEM (Single Telemetry) (Multiple Telemetry) (Full Telemetry) (Single Telemetry) (Multiple Telemetry) (Full Telemetry)

The following are criteria and a sampling of questions that should be taken into account when examining potential MDR vendors.

• Known Threat Detection (signatures, IoCs, etc.):
  - From where are the known threats sourced?
  - What rulesets are being used?
  - How is the list of known threats integrated into the detection process?
  - How often is the list of known threats being updated?

• Commodity Threat Intelligence:
  - From where is the threat intelligence sourced?
  - Is the threat intelligence validated?
  - How is the threat intelligence integrated into the detection process?

• Customized Threat Intelligence:
  - How is the vendor collecting and synthesizing this intelligence?
  - How quickly is the intelligence operationalized?
  - How does the intelligence contribute to the detection process?
  - How does the intelligence pertain to your unique threat landscape?

• Active Threat Hunting:
  - What is the provider’s definition of active threat hunting?
  - Is the process documented?
  - Are there levels of the threat hunting process?
  - What starts the threat hunting process?

• Proactive Threat Hunting:
  - What is the provider’s definition of proactive threat hunting?
  - How often does proactive threat hunting take place?
  - Is the proactive threat hunting driven by hypotheses, known IoCs, analytics, etc.?
  - What data is being correlated?

• Machine Learning:
  - What is the reliance on machine learning?
  - Where does it sit in the process chain?
  - Can the provider demonstrate the machine learning capabilities?
  - What level of information is examined by the machine learning?
  - How does the provider protect against false negatives?
  - What is the delineation between machine learning and human decision?

• Behavioral:
  - What particular threats do the provider’s behavioral capabilities look for?
  - Can the provider demonstrate the behavioral capabilities?
  - What level of information do the behavioral capabilities look at?
  - How does the provider protect against false positives?
  - What is the relationship between machine learning and behavioral capabilities?
  - How does the provider correlate the data?

To populate the Detection axis of the radar chart, we will use three points to capture the general capabilities of MDR providers:10

LOW: Provides basic levels of detection capabilities using known threat indicators and commodity threat intelligence from subscribed feeds; these types of providers are usually new to the market or are MSSPs that are new to offering MDR.

MEDIUM: Detection capabilities extend into the unknown to a limited degree; machine learning and behavioral detection capabilities are limited but demonstrable for certain scenarios; customized threat intelligence is leveraged to a limited degree; additionally, active threat hunting is documented and exercised to speed time to detection and threat confirmation.

ADVANCED: Detection capabilities cover the entire spectrum of known and unknowns; advanced machine learning and behavioral capabilities extend well beyond known threat detection; integrated hunting teams are both active and proactive in nature, rapidly speeding time to detection using integrated threat intelligence, which is quickly operationalized into detection capabilities.

While the Detection capability axis has the greatest ambiguity, it can still be readily applied to assess the detection qualifications of prospective MDR providers.

[Figure: radar chart with the Visibility, Signal Fidelity and Detection Capability axes populated; the Response axis is not yet populated.]
  VISIBILITY: Singular Telemetry Source; Multiple Telemetry Sources (Endpoint + Network); Full Telemetry Regardless of Deployment Model
  SIGNAL FIDELITY: Low Level (ex. Log, NetFlow); Medium Level (ex. Full telemetry in some, limited in others); High Level (ex. Full endpoint, PCAP, Log, Vulnerability, etc.)
  DETECTION CAPABILITY: Low: Known, Commodity Threat Intelligence; Medium: Known, Customized Threat Intelligence, Active Threat Hunting, Limited Machine Learning, Limited Behavioral; Advanced: Known, Customized Threat Intelligence, Active + Proactive Threat Hunting, Advanced Machine Learning, Advanced Behavioral
  RESPONSE: (populated in the Response section)

10 Of the four axes in the radar chart, the Detection Capability axis has the greatest ambiguity. As such, MDR providers will not align perfectly with each point but will instead lie somewhere in between.

QUESTIONS AND CONSIDERATIONS:

When evaluating detection capabilities, organizations should ask:
• What is our unique threat landscape?
• What types of threats present the greatest risk? And does the MDR provider account for these?
• How will known threats be detected and mitigated?
• How will unknown and insider threats be detected and mitigated?
• How do integrated technologies and processes accelerate the time to detect threats?
• What is the provider’s standard onboarding and tuning period? Will there be a delay while normalization occurs, leaving us at risk?
• What are the provider’s SLAs?
• How will the provider confirm a threat, post-detection?
• What is our tolerance for false positives?
• Have the provider’s detection capabilities been validated against real-world scenarios?
• Can the provider show examples, case studies and references?
• What is the delineation of responsibility in the threat hunting and detection process?
• What resources are needed to complement the provider’s detection capabilities?
• How will we receive alerts and relevant data about detected threats?

RESPONSE

Put simply, detection is futile without timely response.

The 2019 Ponemon Cost of a Data Breach Study11 highlights the relationship between containment time frame and total breach cost: each day between breach and containment is calculated to cost an organization, on average, $15,433 USD. The calculated cost of the average 2019 breach, which was reported to last 279 days, is $4.56 million USD.

Obviously, there is enormous value in achieving rapid containment.

While the consequences of a data breach are irrefutable, the definition of the “Response” in MDR remains—perhaps ironically—unclear. To understand why, one must recognize that the very evolution of MDR was predicated on two fundamental principles:

1. Detecting what prevention misses
2. Minimizing threat actor dwell time

Unfortunately, “response” is an ambiguous word in the MDR marketspace. Used loosely, it can mean anything from non-vetted alert forwarding to full Incident Response Lifecycle (IR Lifecycle) coverage, which is an enormous range.

To define the criteria by which the response capabilities of all MDR vendors can be objectively assessed, begin by looking at the components within the Incident Response Lifecycle which correlate to threat actor dwell time.

[Figure: the IR Lifecycle, drawn as a wheel with the following components: Proactive Threat Hunting; Confirmed Detection; Active Hunting; Forensic Investigation; Alert/Confirmation; Guidance; Tactical Containment; Remediation; Hardening; Monitor for Re-entry.]

Each component requires people, process and technology. However, the delineation of those three pieces is where MDR vendors differ drastically. Broadly, we can distinguish between two categories of MDR providers:
• MD-big-R (MDR)
• MD-little-r (MDr)

Fundamentally, the difference between MDR and MDr is who holds direct responsibility for containment and remediation support. To be clear: neither approach is inherently right or wrong. Organizations must decide, based upon the provider SLAs for alert and guidance, whether they have the appropriate internal resources to contain and remediate the threat before an adversary’s objectives are obtained.

[Figure: the IR Lifecycle wheel shown twice, once for MDr and once for MDR, indicating which components each provider type covers. Components: Proactive Threat Hunting; Confirmed Detection; Active Hunting; Forensic Investigation; Alert/Confirmation; Guidance; Tactical Containment; Remediation; Hardening; Monitor for Re-entry.]

Additionally, some technologies have built-in containment capabilities that allow a provider to perform automated or managed remote containment on a client’s behalf. When considering MDR vendors, the technologies used for visibility must be considered if it is the MDR provider, rather than an in-house security team, who is performing containment.

We can now update the kill chain diagram to include containment capacity.

For consideration: a holistic view of visibility, depth and containment capability.

                              Log      Network            Endpoint            Cloud (Outside of Log)   Vulnerability
Overall depth of visibility   Low      High               High                High                     Low
Containment capability        No       Yes                Yes                 Yes                      No
Core competency               Breadth  Things in motion   Process visibility  Variable                 Vulnerability visibility

Kill chain coverage by source (the check marks of the original figure are not recoverable from the extracted text; every stage except Weaponization is marked “Depends on configuration” in two of the five columns):
  External Recon
  Weaponization
  Delivery
  Exploitation
  Installation
  Internal Recon
  Command and Control
  Data Collection
  Exfiltration

Returning to the radar chart framework, the fourth axis can now be populated. As was the case with the Detection Capability axis, a broad spectrum of capabilities has been concentrated into three points for Response:

TIER 1: Non-Vetted Alert Forwarding; Limited Forensics; Limited IR Lifecycle Support

TIER 2: Threat Validation; Limited Forensics; Known Threat Automation

TIER 3: Threat Validation; Full Forensics; Known Threat Automation; Managed Remote Tactical Containment; Full IR Lifecycle Support

The complete framework by which organizations can objectively evaluate potential MDR providers.

[Figure: the complete four-axis radar chart.]
  VISIBILITY: Singular Telemetry Source; Multiple Telemetry Sources (Endpoint + Network); Full Telemetry Regardless of Deployment Model
  SIGNAL FIDELITY: Low Level (ex. Log, NetFlow); Medium Level (ex. Full telemetry in some, limited in others); High Level (ex. Full endpoint, PCAP, Log, Vulnerability, etc.)
  DETECTION CAPABILITY: Low: Known, Commodity Threat Intelligence; Medium: Known, Customized Threat Intelligence, Active Threat Hunting, Limited Machine Learning, Limited Behavioral; Advanced: Known, Customized Threat Intelligence, Active + Proactive Threat Hunting, Advanced Machine Learning, Advanced Behavioral
  RESPONSE: Tier 1: Non-Vetted Alert Forwarding, Limited Forensics, Limited IR Lifecycle Support; Tier 2: Validation, Limited Forensics, Known Threat Automation; Tier 3: Validation, Full Forensics, Known Threat Automation, Managed Remote Threat Containment, Full IR Lifecycle Support

QUESTIONS AND CONSIDERATIONS:

When evaluating response, organizations should ask:
• What existing internal resources do we have to quickly contain and remediate threats?
• What response timeframe aligns to our acceptable risk tolerance?
• With what parts of the IR Lifecycle do we require assistance?
• Do we trust an outsourced provider to contain on our behalf?
• How will threats be confirmed—and false positives eliminated?
• What are the provider’s response SLAs?
• Does the provider work under an incident response retainer model? If so, then what is the delineation between their IR and MDR services?
• What is the general delineation of responsibilities between client and provider?
• Do we, or does the provider, have the appropriate technologies to facilitate rapid containment?
• How will data be received and visualized for active investigation?
• What reporting is available for incidents?
• What runbooks does the vendor have to flag compliance, regulatory, privacy and law enforcement notification?

11 2019 Ponemon Cost of a Data Breach Study

OTHER CRITERIA TO CONSIDER

The four-axis radar chart provides a framework for comparing MDR providers; however, there are additional criteria for consideration that correlate to time to detect, time to respond and subsequent risk mitigation. To ensure a potential MDR vendor is aligned to organizational requirements, the following additional criteria should be validated or considered in the selection process.

TIME OF COVERAGE
Many service providers include 24x7 monitoring as standard in their service delivery model. However, as the MDR market has evolved, so too has customization. Select providers offer 9x5, 12-hour shifts, nights and weekends and other versions of customized coverage. These options are usually intended for organizations that have SOC coverage in place already, but are limited in the hours of coverage due to resource constraints. Organizations are encouraged to carefully read contracts and SLAs to ensure coverage complements existing resources.

SERVICE TIERING
Another component of customization is the division of responsibilities among tiers. Threat hunting, IR Lifecycle coverage, forensic investigation and so on are all time- and cost-consuming measures from an MDR provider’s perspective. As a result, tiering options have emerged to offer greater choice among required capabilities. Organizations are encouraged to ensure service tiers align to applicable risk acceptance and internal capabilities.

INCIDENT RESPONSE RETAINERS
Many MDR providers offer incident response retainers to accelerate the IR process in the event of an incident. Contractually agreed upon for a standard set of hours and rate, the IR retainer can be enacted when remediation is out of standard delivery scope. Organizations are encouraged to look at SLAs from the following aspects:
• Time from incident detection to boots on the ground (virtual or physical)
• Coverage on weekends, nights, holidays
• Cost when the event exceeds retainer hours
• Quantity of incident responders
• Quality of incident responders

MANAGEMENT
Most MDR providers will manage the devices and technologies included in their service portfolio. However, and as Gartner has acknowledged, a new category of provider has emerged, referred to as BYO. This approach provides tremendous flexibility for organizations that already have significant technology investments.

Consequently, to make informed decisions, organizations are encouraged to analyze the ongoing internal resources required to manage devices. Additionally, organizations are encouraged to consider the loss of situational awareness and detection efficacy if the provider does not retain control to tune the technology to ensure it operates in the manner for which it is intended.

PORTAL
Data visualizations are standard with all MDR providers. However, the information within and the timelines of data differ dramatically. From post-incident investigation details to real-time insight into SOC analyst views, data and the value that it provides to organizations must be taken into consideration.

Portals are now available on mobile platforms with integrated response capabilities, which can be enacted with the click of a button. As organizations examine MDR providers, the desired insight and response capabilities (if applicable) should be considered in direct relation to the delineation of responsibilities from provider to client. If the MDR provider does not provide incident life cycle coverage, then organizations are encouraged to choose a provider with deep-level visibility and integrated response capabilities to minimize the threat actor dwell time.

PREVENTION
In the case of MDR providers, prevention can be included under an Endpoint Protection Platform (EPP). Many MDR single telemetry providers that are EDR-based include EPP along with endpoint technology. This feature can be a value-add as it provides additional information to SOC analysts in the event of an incident. Additionally, management of the EPP removes operational overhead and consolidates EPP and EDR into a single agent.

SERVICE-LEVEL AGREEMENTS
SLA, SLO, best effort … MDR providers build standards into contracts that outline what they are contractually obligated to abide by or must make best effort to adhere to. In many cases, these SLAs and SLOs align to response times once an incident is detected. Organizations are encouraged to pay particular attention to these timeframes as they have substantial implications for threat actor dwell time, which could mean the difference in breach occurrence.

COMPLIANCE
Virtually all organizations operate under one or many regulatory measures. As compliance is usually a byproduct of sound security, many MDR providers check the box on multiple components. Organizations are encouraged to ask potential MDR candidates for compliance alignment to ensure the service provider meets regulatory standards under audit.

REPORTING
Building on compliance, reporting is a critical component for submission to regulatory bodies. Additionally, reporting provides technical- and executive-level insight into security posture status, improvement and overall value of the MDR provider. Organizations are encouraged to vet an MDR provider’s reports to ensure they meet both internal and regulatory requirements.

SERVICE REVIEWS
While not standard across all MDR vendors, monthly, quarterly or yearly service reviews are becoming increasingly common. Cadenced reviews are intended to provide an overview of what has happened during a specific time period and the strength of the organization’s cybersecurity from a technical- and executive-level perspective. Organizations are encouraged to look at service reviews from the perspective of value-add from information that is not available via portal or reporting. Presentations should be easy to follow and consumable for both technical and non-technical audiences.

CONTRACTUAL OBLIGATIONS
Organizations are encouraged to carefully dissect a provider’s Managed Services Agreement (MSA) in detail. While provider and client must protect vested interests, contracts—and, in particular, the details within them—are key components to understanding the division of responsibilities and the subsequent risk to which an organization could be subjected per the agreement terms. The following are example MSA components that clients should ensure are included and aligned to organizational risk tolerance:
• Authorized persons
• Handling of personal and highly-sensitive information
  - Standard of care
  - Breach of personal information by provider
  - Return or destruction of personal information
• Authorized persons (third-party access)
  - Standard of care
  - Restrictions or disclosure to third party
  - Breach involving third party
• Compliance with law enforcement
  - Demonstration and documentation of adherence
• Compliance with IT management standards
  - Demonstration and documentation of adherence
• Minimum security safeguards
• Oversight of authorized employees
• Network infrastructure and security diagrams
• Security breach procedures or cooperation in the event of a security breach
• Expense of remediation for a security breach
• Disclosure of breach to third parties
• Customer audits of facilities and practices
  - Customer questionnaire
• Indemnification, which allocates the risk of loss between the parties
  - Cyber insurance inclusion, and what is covered and required to demonstrate payout

CYBER INSURANCE
Building on cyber insurance within contractual obligations, organizations are encouraged to review the details and terms of their provider’s cyber insurance if it is, in fact, included as part of a provider’s indemnification clause.

In a recent Ponemon study,12 organizations reported that only 16 percent of potential losses to information assets were covered, while 60 percent of potential losses related to property, plant and equipment (PP&E) were covered.

Organizations must recognize the value of information assets versus PP&E. Consequently, organizations must understand if there are restrictions on the types of incidents covered:
• External attacks by cybercriminals
• Malicious or criminal insiders
• Third parties
• System or business process failures
• Human error, mistakes or negligence

In addition, organizations must understand what is covered under their provider’s cyber insurance, since gaps in that coverage could require the acquisition of additional cyber insurance. For instance:

• Forensics and investigative costs
• Replacement of lost or damaged equipment
• Notification costs to data breach victims
• Credit monitoring and identity protection services for victims
• Employee productivity losses
• Communication costs to regulators
• Regulatory penalties and fines
• Legal defense costs
• Third-party reliability
• Revenue losses
• Brand damage

12 Ponemon Report: 2019 Intangible Assets Financial Statement Impact Comparison Report

TAKEAWAYS

No MDR provider currently covers the entire spectrum of the four-axis framework, which is intended to set the bar for all MDR providers with continuous adaptation to the threat landscape. The most important thing to remember when looking at MDR providers is to make a selection appropriate in the context of internal capabilities to strike the correct balance between budget and risk acceptance.

At a macro level, MDR providers can be categorized across SOCaaS, MDr and MDR. Subsets of MDr and MDR include single telemetry, multiple telemetry and full telemetry.

It is also important to understand the interconnection between the four axes. For example, limitations in visibility directly impact signal fidelity; consequently, limitations in visibility and fidelity strongly correlate to detection capabilities and, ultimately, integrated response. As mentioned previously, no MDR vendor aligns perfectly to the three points on each axis. Many shades of grey exist, creating a spectrum and interrelated dependencies.

While full visibility, fidelity, detection capabilities and response appear to be the ideal choice as coverage extends outward in the radar chart, the cost of the service subsequently increases. This capability and cost relationship typically determines limitations in the coverage organizations can achieve.

[Figure: the four-axis radar chart (Visibility, Signal Fidelity, Detection Capability, Response) annotated with Lower Cost near the centre and Higher Cost toward the outer ring.]

TECHNICAL CRITERIA SUMMARY

The seven types of MDR providers can be reasonably evaluated against each of our criteria; the following charts summarize their capabilities across visibility, signal fidelity, detection and response capabilities. Organizations are encouraged to assess internal capabilities, budget and risk tolerance levels when selecting an MDR vendor to ensure proper alignment.

Summarized view of the capabilities of the seven different types of MDR providers across our four technical criteria. Columns in each chart, left to right: SOCaaS/Managed SIEM; EDr (Single Telemetry); MDr (Multiple Telemetry); MDr (Full Telemetry); EDR (Single Telemetry); MDR (Multiple Telemetry); MDR (Full Telemetry). The check marks of the original charts are not recoverable from the extracted text; only the row labels and textual cell values survive.

VISIBILITY
  Full Telemetry Regardless of Deployment Model
  Multiple Telemetry Sources (Endpoint + Network)
  Singular Telemetry Source

SIGNAL FIDELITY
  Low Level (ex. Log, NetFlow)
  Medium Level (ex. Full Telemetry in one or some, limited in others)
  High Level (ex. Full endpoint, PCAP, Log, Vulnerability, etc.)

SOCaaS/ EDr MDr MDr EDR MDR MDR


Managed SIEM (Single Telemetry) (Multiple Telemetry) (Full Telemetry) (Single Telemetry) (Multiple Telemetry) (Full Telemetry)

Known Threats

Commodity Threat Intelligence

Customized Threat Intelligence Varies Varies Varies Varies Varies Varies


DETECTION
CAPABILITY Limited Machine Learning

Limited Behavioural

Advanced Machine Learning Varies Varies Varies Varies

Advanced Behavioral Varies Varies Varies Varies

Active Threat Hunting Typically No Varies Varies Varies

Proactive Threat Hunting Typically No Typically No Typically No Typically No

SOCaaS/ EDr MDr MDr EDR MDR MDR


Managed SIEM (Single Telemetry) (Multiple Telemetry) (Full Telemetry) (Single Telemetry) (Multiple Telemetry) (Full Telemetry)

Non-vetted Alert Forwarding

Validation Limited Stronger Strongest Limited Stronger Strongest

RESPONSE Known Threat Automation Possibly Possibly Possibly Possibly

Limited IR Lifecycle Support

Full IR Lifecycle Support

Full Forensic Capabilities

Endpoint Managed Remote Tactical


Likely
Containment

Network Managed Remote Tactical


Possibly
Containment

31

The Seven Categories of MDR


1. SOCaaS/MANAGED SIEM

PROFILE
Security Operations Center as a Service (SOCaaS), also referred to as Managed SIEM, is a category of MDR provider commonly exemplified by MSSPs that are evolving services from alert-driven to more comprehensive coverage across the IR Lifecycle. Capitalizing on the breadth of log visibility, SOCaaS/Managed SIEM providers offer a cost-effective option to organizations that are looking to outsource expertise but have limited budgets.

COVERAGE
• Breadth across network signals and technologies (including cloud providers with available APIs)

STRENGTHS
• Use of best-in-class SIEM technology
• Can offer ability to bring your own SIEM
• APIs for log visibility across a wide breadth of signal sources
• Can offer automated known threat response via APIs
• Proven development and use of runbooks
• Established SOCs with global coverage
• Established investigation processes
• Detailed portals and visualizations
• Meets broad level of regulatory requirements
• Lower-cost provider

WEAKNESSES
• Newer entrants to MDR market; relatively inexperienced
• Require high client-side resources to complete investigation, correlation and confirmation of threat presence
• Limited visibility beyond logs
• Limited signal fidelity
• Limited forensic and correlation capabilities
• Typically limited threat hunting coverage
• Higher incidence of false positives
• Limited maturity in advanced detection responsibilities
• Limited IR Lifecycle coverage
• Limited scope can lead to longer threat actor dwell time

SOCaaS/Managed SIEM providers offer a cost-effective, but limited-capability, option to organizations that are looking to outsource expertise but have limited budgets.

[Chart: the four technical criteria for this category: Visibility, Signal Fidelity, Detection Capability, Response]

• 24x7 Monitoring
• End-to-End Management: Varies—carefully dissect delineation of responsibilities in SIEM management
• Endpoint Visibility
• Network Visibility (PCAP)
• Log Visibility (on-premises and cloud)
• Additional Cloud Visibility (beyond log, endpoint and vulnerability)
• Vulnerability Management
• Automated Known Threat Response: Possibly—depends on APIs
• Proactive Threat Hunting
• Active Threat Hunting: Possibly—but typically not
• Forensic Investigation: Limited
• False Positive Reduction: Limited
• Managed Remote Host Tactical Threat Containment: Client responsibility
• Managed Remote Network Tactical Threat Containment: Client responsibility
• Managed Remote Cloud-Based Threat Containment: Client responsibility
• Unlimited Remediation Support: Typically requires IR retainer


QUESTIONS AND CONSIDERATIONS:

• Does log data alone provide appropriate visibility across current and future network infrastructure? What else is required to manage and provision to complete the missing visibility?
• Does log data provide the appropriate depth of data that covers the contextual threat landscape?
• Does the MDR provider have integrated automated response for known threats available via APIs?
• How can data be ingested into existing technologies and processes to facilitate additional client-side investigation?
• Does the provider have adequate detection capabilities that enable detection of known and unknown threats?
• How will threat hunting be conducted? Are additional internal resources required to conduct forensic investigation and confirm threat presence in a timely manner?
• What existing internal resources are required to quickly contain a confirmed threat—including people, process and technology?
• Does the provider manage the platform end-to-end or are there requirements from a client perspective?
• What resources are required to cover components of the IR Lifecycle not covered by the provider?
• What are the provider’s SLAs for alerts and remediation? Do they meet our requirements?
• Does the provider have adequate visualizations and reporting to support our internal teams and to meet our regulatory requirements?


2. ED-LITTLE-r (Single Telemetry)

PROFILE
Endpoint Detection and Response (EDR) and MDR are used interchangeably by many Managed Endpoint Detection and Response providers. EDR—or in this case ED-little-r (EDr)—is a subset of the MDR market providing expertise focused solely on endpoint.

Providers in this space typically emerged as software vendors that have since added SOCs with deep-level expertise specific to managing and monitoring proprietary technology. As a category, EDr providers offer advanced detection capabilities for endpoint threats; however, the majority of the IR Lifecycle—including containment—is the client’s responsibility.

EDr vendors are a viable option for organizations looking for endpoint monitoring and detection and that have in-house resources to correlate data from other signal sources to confirm, triage and contain threats in a timely manner.

COVERAGE
• Process visibility
• East/West (internal/lateral)

STRENGTHS
• Use of best-in-class endpoint technology
• Can offer bring your own endpoint technology model (i.e., BYO)
• Can include endpoint prevention under singular agent, eliminating redundancy
• High level of expertise contextual to endpoint
• Advanced endpoint threat detection capabilities
• Deep-level fidelity into endpoint (e.g., process, binary, etc.)
• Limited false positives
• Integrated remediation recommendations
• Deep-level portal visibility into endpoint
• Can include integrated response capabilities, which can be enacted from the client side within provider’s portal
• Lower cost

WEAKNESSES
• Commonly represents newer, inexperienced entrants to MDR market
• Unproven SOCs
• Reliance on single security signal
• High client-side resources required to complete investigation, correlation and confirmation of threat presence
• No visibility beyond endpoint
• No signal fidelity outside of endpoint
• Hunting capabilities limited to endpoint only
• Response support limited to endpoint only
• Requires client-side response team for stages outside of IR Lifecycle coverage
• Limited scope can lead to longer threat actor dwell time


EDr vendors are a viable option for organizations that have in-house resources to correlate data from other signal sources to confirm, triage and contain threats in a timely manner.

[Chart: the four technical criteria for this category: Visibility, Signal Fidelity, Detection Capability, Response]

• 24x7 Monitoring
• End-to-End Management
• Endpoint Visibility
• Network Visibility (PCAP)
• Log Visibility (on-premises and cloud)
• Additional Cloud Visibility (beyond log, endpoint and vulnerability)
• Vulnerability Management: Varies, but limited to endpoint only
• Automated Known Threat Response: Typically yes—carefully review contracts and SLAs
• Proactive Threat Hunting: Varies—carefully review contracts
• Active Threat Hunting
• Forensic Investigation: Limited to endpoint telemetry
• False Positive Reduction: Limited to endpoint telemetry
• Managed Remote Host Tactical Threat Containment: Client responsibility
• Managed Remote Network Tactical Threat Containment: Client responsibility
• Managed Remote Cloud-Based Threat Containment: Client responsibility
• Unlimited Remediation Support: Typically requires IR retainer


QUESTIONS AND CONSIDERATIONS:

• Does endpoint data alone provide appropriate visibility across current and future network infrastructure? What else is required to manage and provision to complete missing visibility?
• Does the endpoint data captured provide the appropriate depth of data to cover our contextual threat landscape?
• Does the provider have integrated automated response for known threats available via APIs?
• How will our team correlate endpoint data with data from technologies across the network? Do we have adequate internal resources to do so?
• How can data be ingested into existing technologies and processes to facilitate additional investigation?
• Does the provider have adequate detection capabilities to enable detection of known and unknown threats?
• Do we have the internal resources required to hunt, to correlate data from the provider with existing data from other technologies, to conduct forensic investigation and to confirm threat presence in a timely manner?
• What existing internal resources do we have to quickly contain a confirmed threat, including people, process and technology?
• Do we have the appropriate resources to cover components of the IR Lifecycle not covered by the provider?
• What are the provider’s SLAs for alerts and remediation? Do they meet our requirements?
• Does the provider have adequate visualizations and reporting to support our internal teams and to meet regulatory requirements?


3. MD-LITTLE-r (Multiple Telemetry)

PROFILE
MDr (Multiple Telemetry), or MDr-MT, represents the majority of the MDR market today. Vendors in this space leverage multiple telemetry sources but fall short of full-stack visibility across on-premises and cloud environments. Typical combinations seen in the MDr-MT space are:
• Endpoint and log (most common)
• Endpoint and network
• Network and log

Vulnerability visibility and integration into detection and response processes vary from provider to provider, as does cloud visibility beyond cloud-based endpoints and logs. Vendors in the space typically utilize machine learning and behavioral analysis software to process large amounts of data to look for unknown threats.

Coverage of the IR Lifecycle is limited, and incident response retainers are typically available for clients in the event of an incident that cannot be handled in-house. MDr-MT is a viable option for organizations that are trying to balance restricted budgets with wider network visibility and that have existing in-house response capabilities.

COVERAGE
Varies, but typically two of the following options (note that cloud visibility outside of endpoints, logs and vulnerability varies by provider):
• Endpoint: process visibility, East/West (internal lateral)
• Network: things in motion, ingress/egress
• Log: breadth across network signals and technologies

STRENGTHS
• Higher level threat expertise than SOCaaS and EDr models
• Historically proven vendors in the MDR marketspace
• Use of best-in-class technologies, typically SIEM plus EDR
• Higher level of visibility compared to SOCaaS and EDr models
• Able to correlate multiple signals to arrive at more informed decisions
• More advanced threat detection capabilities than SOCaaS or EDr models
• Has some degree of integrated machine learning and behavioral processes
• Deep-level fidelity into endpoint
• Improved ability to limit false positives
• Integrated remediation recommendations
• Deep-level portal visibility
• Typically supports multiple regulatory measures

WEAKNESSES
• Higher level service cost compared to EDr and SOCaaS
• Client-side resources required to complete investigation, correlation and confirmation of threat presence
• Client-side resources required for containment and response
• Limited visibility in comparison to MDr (Full Telemetry)
• Limited signal fidelity in certain network components
• Limited inclusion of active and proactive threat hunting
• Limited IR Lifecycle coverage
• Limited scope can lead to longer threat actor dwell time


MDr-MT is a viable option for organizations that are trying to balance restricted budgets with wider network visibility and that have existing in-house response capabilities.

[Chart: the four technical criteria for this category: Visibility, Signal Fidelity, Detection Capability, Response]

• 24x7 Monitoring
• End-to-End Management
• Endpoint Visibility: Typically 2 of 3 visibility options
• Network Visibility (PCAP): Typically 2 of 3 visibility options
• Log Visibility (on-premises and cloud): Typically 2 of 3 visibility options
• Additional Cloud Visibility (beyond log, endpoint and vulnerability): Varies
• Vulnerability Management: Varies—carefully review contracts
• Automated Known Threat Response: Varies—carefully review contracts and SLAs
• Proactive Threat Hunting: Varies—carefully review contracts
• Active Threat Hunting
• Forensic Investigation: Limited to visibility
• False Positive Reduction: Limited to visibility
• Managed Remote Host Tactical Threat Containment: Client responsibility
• Managed Remote Network Tactical Threat Containment: Client responsibility
• Managed Remote Cloud-Based Threat Containment: Client responsibility
• Unlimited Remediation Support: Typically requires IR retainer


QUESTIONS AND CONSIDERATIONS:

• Does included visibility appropriately account for our current and future network infrastructure? What else is required that will have to be managed and provisioned?
• Does the level of data captured provide the appropriate depth contextual to our threat landscape?
• Do we have adequate budget for the provider’s services and in-house requirements without sacrificing our overall security posture in other critical areas?
• Does the provider have integrated automated response for known threats available via APIs?
• Does the provider have adequate detection capabilities to enable detection of known and unknown threats?
• Do we have the internal resources required to hunt, to correlate data from the provider with existing data from other technologies, to conduct forensic investigation and to confirm threat presence in a timely manner?
• What in-house resources are required to quickly contain a confirmed threat, including people, process and technology?
• Do we have the appropriate resources to cover components of the IR Lifecycle not covered by the provider?
• What are the provider’s SLAs for alerts and remediation? Do they meet our requirements?
• Does the provider have adequate visualizations and reporting to support our internal teams and to meet regulatory requirements?


4. MD-LITTLE-r (Full Telemetry)

PROFILE
MDr (Full Telemetry), or MDr-FT, encompasses complete visibility across an organization’s potential threat landscape. Whether on-premises, cloud or hybrid, MDr-FT providers have the capability to adapt visibility and detection wherever workloads reside.

Importantly, vendors in this space have complete visibility and typically deliver full fidelity including log, NetFlow, PCAP, endpoint, vulnerability and cloud data outside of logs.

MDr-FT providers are commonly established in the MDR market, with proven advanced detection capabilities supported by machine learning and behavioral processes. MDr-FT has the potential to deliver full coverage; however, the cost can escalate as visibility increases, putting more technologies in play and greater burden on SOC analysts.

MDr-FT is also limited in IR Lifecycle coverage, putting responsibility on the client for timely threat containment. This category is a viable option for organizations looking for complete threat coverage among on-premises and cloud workloads and that have in-house capabilities to complete the IR Lifecycle.

COVERAGE
• Endpoint: process visibility, East/West (internal lateral)
• Network: things in motion, ingress/egress
• Log: breadth across network signals and technologies
• Vulnerability
• Cloud (beyond logs)

STRENGTHS
• High level of expertise across multiple telemetry
• Typically a highly proven MDR vendor
• Use of best-in-class technologies
• Complete visibility across attack surface
• Able to correlate multiple signals
• Integrated advanced threat detection capabilities
• Integrated machine learning and behavioral processes
• Deep-level fidelity
• Limited false positives
• Integrated remediation recommendations
• Deep-level portal visibility
• Supports multiple regulatory measures

WEAKNESSES
• High client-side resources required for containment and response
• Higher service cost compared to SOCaaS, EDr and MDr-MT models
• Limited IR Lifecycle coverage
• Possibility of longer threat actor dwell time due to client-side requirements


MDr-FT is a viable option for organizations looking for complete threat coverage across all environments and that have in-house capabilities to complete the IR Lifecycle.

[Chart: the four technical criteria for this category: Visibility, Signal Fidelity, Detection Capability, Response]

• 24x7 Monitoring
• End-to-End Management
• Endpoint Visibility
• Network Visibility (PCAP)
• Log Visibility (on-premises and cloud)
• Additional Cloud Visibility (beyond log, endpoint and vulnerability)
• Vulnerability Management
• Automated Known Threat Response: Varies—carefully review contracts and SLAs
• Proactive Threat Hunting
• Active Threat Hunting
• Forensic Investigation
• False Positive Reduction
• Managed Remote Host Tactical Threat Containment: Client responsibility
• Managed Remote Network Tactical Threat Containment: Client responsibility
• Managed Remote Cloud-Based Threat Containment: Client responsibility
• Unlimited Remediation Support: Typically requires IR retainer


QUESTIONS AND CONSIDERATIONS:

• Do we have adequate budget for the provider’s services and in-house requirements without sacrificing our overall security posture in other critical areas?
• Does the provider have integrated automated response for known threats available via APIs?
• Does the provider have adequate detection capabilities to enable detection of known and unknown threats?
• Do we have the internal resources required to hunt, to correlate data from the provider with existing data from other technologies, to conduct forensic investigation and to confirm threat presence in a timely manner?
• What in-house resources are required to quickly contain a confirmed threat, including people, process and technology?
• Do we have the appropriate resources to cover components of the IR Lifecycle not covered by the provider?
• What are the provider’s SLAs for alerts and remediation? Do they meet our requirements?
• Does the provider have adequate visualizations and reporting to support our internal teams and to meet regulatory requirements?


5. ED-BIG-R (Single Telemetry)

PROFILE
Similar to EDr, outlined previously, ED-big-R (EDR) is an evolution of a subset of the MDR vendor landscape. Virtually all EDR vendors own, manage, monitor and respond to their own proprietary endpoint software. Deep machine learning and behavioral processes are highly integrated, thereby facilitating threat hunting and rapid response to elusive endpoint threats.

Management, monitoring, hunting and containment capabilities were developed secondarily, as value-adds for clients who lack adequate in-house resources.

Many EDR vendors provide an EPP in addition to EDR, alleviating the need for multiple agents. Additionally, next-generation antivirus data empowers threat hunters with data that can expedite investigation and response by providing important additional context.

EDR vendors are a viable option for organizations that lack the resources specifically to monitor, investigate and respond to endpoint threats, but have in-house resources to correlate endpoint data from the MDR vendor with network, log, cloud and vulnerability telemetry to detect and respond to threats out of provider scope.

COVERAGE
• Process visibility
• East/West (internal/lateral)

STRENGTHS
• Use of best-in-class endpoint technology
• Can include endpoint prevention under singular agent, eliminating sprawl/redundancy
• Offers value-add for organizations that have already invested in endpoint software
• High level of expertise with endpoint threats
• Advanced endpoint threat detection capabilities
• Deep-level fidelity into endpoint
• Limited false positives
• Full IR Lifecycle coverage
• Deep-level portal visibility into endpoint threats
• Lower cost of service

WEAKNESSES
• Newer entrants to MDR market; relatively inexperienced
• Reliance on single security signal
• Unproven SOCs
• Limited visibility beyond endpoint
• Limited signal fidelity outside of endpoint
• No hunting capabilities outside of endpoint telemetry
• Response support limited to endpoint only
• Requires client-side team to hunt, investigate, confirm and respond to threats outside of scope


EDR vendors are a viable option for organizations that lack the resources specifically to monitor, investigate and respond to endpoint threats, but have in-house resources to correlate endpoint data from the MDR vendor with network, log, cloud and vulnerability telemetry to detect and respond to threats out of provider scope.

[Chart: the four technical criteria for this category: Visibility, Signal Fidelity, Detection Capability, Response]

• 24x7 Monitoring
• End-to-End Management
• Endpoint Visibility
• Network Visibility (PCAP)
• Log Visibility (on-premises and cloud)
• Additional Cloud Visibility (beyond log, endpoint and vulnerability)
• Vulnerability Management: Varies—and limited to endpoint only
• Automated Known Threat Response
• Proactive Threat Hunting
• Active Threat Hunting
• Forensic Investigation: Limited to endpoint telemetry
• False Positive Reduction: Limited to endpoint telemetry
• Managed Remote Host Tactical Threat Containment
• Managed Remote Network Tactical Threat Containment: Client responsibility
• Managed Remote Cloud-Based Threat Containment: Endpoint only
• Unlimited Remediation Support


QUESTIONS AND CONSIDERATIONS:

• Does endpoint data alone provide appropriate visibility across our current and future network infrastructure? What else is required to manage and provision to complete missing visibility?
• Does endpoint data captured provide the appropriate depth of data to cover our contextual threat landscape?
• Does the provider have integrated automated response for known threats available via APIs?
• How will our team correlate endpoint data with data from technologies across the network? Do we have adequate internal resources to do so?
• How can data be ingested into existing technologies and processes to facilitate additional investigation?
• Does the provider have adequate detection capabilities to enable detection of known and unknown threats?
• Do we have the internal resources required to hunt, to correlate data from the provider with existing data from other technologies, to conduct forensic investigation and to confirm threat presence in a timely manner?
• What are the provider’s SLAs? Do they meet our requirements?
• Does the provider have adequate visualizations and reporting to support our internal teams and to meet regulatory requirements?


6. MD-BIG-R (Multiple Telemetry)

PROFILE
MD-big-R (Multiple Telemetry), or MDR-MT, options are typically built around a log-based and EDR service stack. In some instances, MDR vendors will offer endpoint and network components without log visibility; however, this approach is rare.

In MDR-MT, it’s increasingly common to see legacy MSSPs evolve their service offerings to include as their MDR service model an integrated response to EDR. Other services—such as vulnerability management or visibility into cloud services beyond log, endpoint and vulnerabilities—may also be included, but could come at incremental costs.

Fundamentally, the difference between MD-little-r (Multiple Telemetry) and MDR-MT is that the latter includes managed remote threat containment and full IR Lifecycle support.

The EDR component of these solutions typically represents the ability to contain on the client’s behalf. However, organizations are encouraged to carefully read SLAs and/or incident response retainers, which can be misrepresented as big-R in this category. Buyers are also encouraged to investigate the level of integration between the services that comprise the Multiple Telemetry MDR solution, as some vendors silo particular services rather than including them within a single MDR platform. MDR (Multiple Telemetry) is a viable option for organizations with higher budgets, lower risk tolerance and limited in-house capabilities to respond to endpoint threats.

COVERAGE
Varies, but typically two of the following options (note that cloud visibility outside of endpoints, logs and vulnerability varies by provider):
• Endpoint: process visibility, East/West (internal lateral)
• Network: things in motion, ingress/egress
• Log: breadth across network signals and technologies

STRENGTHS
• Higher level expertise
• Commonly a proven vendor in the MDR marketspace
• Use of best-in-class technologies, typically SIEM plus EDR
• Greater level of visibility in comparison to EDR
• Able to correlate multiple signals
• Advanced threat detection capabilities
• Integrated machine learning and behavioral processes
• Deep-level fidelity into certain visibility, typically endpoint
• Improved ability to limit false positives
• Full IR Lifecycle support
• Typically has ability to contain threats at endpoint level
• Deep-level portal visibility
• Supports multiple regulatory measures

WEAKNESSES
• Higher-level service cost compared to EDR
• Limited visibility in comparison to MDR (Full Telemetry)
• Limited signal fidelity in certain network components
• Incomplete signals required for correlation and forensic investigation
• Hunting limited to in-scope visibility
• Requires client-side team to hunt, investigate, confirm and respond to threats outside of scope
• Limited response capabilities in comparison to MDR (Full Telemetry)
6. MD-BIG-R (Multiple Telemetry)

• 24x7 Monitoring
• End-to-End Management

VISIBILITY
• Endpoint Visibility: typically 2 of 3 visibility options
• Network Visibility (PCAP): typically 2 of 3 visibility options
• Log Visibility (on-premises and cloud): typically 2 of 3 visibility options
• Additional Cloud Visibility (beyond log, endpoint and vulnerability): varies
• Vulnerability Management: varies, and limited to endpoint only

DETECTION CAPABILITY
• Automated Known Threat Response
• Proactive Threat Hunting
• Active Threat Hunting
• Forensic Investigation: limited to visibility
• False Positive Reduction: limited to visibility

RESPONSE
• Managed Remote Host Tactical Threat Containment: depends on visibility
• Managed Remote Network Tactical Threat Containment: depends on visibility
• Managed Remote Cloud-Based Threat Containment: depends on visibility
• Unlimited Remediation Support
6. MD-BIG-R (Multiple Telemetry)

QUESTIONS AND CONSIDERATIONS:

• Does included visibility appropriately account for our current and future network infrastructure? What else is required that will have to be managed and provisioned?
• Does the level of data captured provide the appropriate depth to cover our threat landscape?
• Do we have adequate budget for the provider’s services and in-house requirements without sacrificing our overall security posture in other critical areas?
• Does the provider have integrated automated response for known threats available via APIs?
• Does the provider have adequate detection capabilities to enable detection of known and unknown threats?
• Do we have the internal resources required to hunt, to correlate data from the provider with existing data from other technologies, to conduct forensic investigation and to confirm threat presence in a timely manner?
• What are the provider’s SLAs for response? Do they meet our requirements?
• Does the provider have adequate visualizations and reporting to support our internal teams and to meet regulatory requirements?
7. MD-big-R (Full Telemetry)

PROFILE
MD-big-R (Full Telemetry), or MDR-FT, represents the MDR industry’s most complete offerings.

Full visibility across on-premises and cloud environments, coupled with integrated machine learning and behavioral analysis, feeds threat hunters with vital information and facilitates near real-time threat detection and containment. Additionally, SLAs strictly outline potential threat actor dwell time, limiting client-side requirements for IR Lifecycle coverage.

Accordingly, the cost to remove those requirements for in-house capabilities across people, process and technology is typically hefty.

Importantly, organizations looking to outsource to MDR-FT providers must have complete trust in the provider’s capability to deliver on SLAs, or else the organization could be put at risk without adequate internal resources to address gaps. MDR-FT is a viable option for organizations that have substantial security budgets and are looking for complete threat and IR Lifecycle coverage among on-premises and cloud workloads.

COVERAGE
• Endpoint: process visibility, East/West (internal lateral)
• Network: things in motion, ingress/egress
• Log: breadth across network signals and technologies
• Vulnerability
• Cloud (beyond logs)

STRENGTHS
• High level of expertise across multiple telemetry
• Highly proven MDR vendor
• Use of best-in-class technologies
• Complete visibility across attack surface
• Ability to correlate multiple signals
• Integrated advanced threat detection capabilities
• Integrated machine learning and behavioral processes
• Deep-level fidelity
• Limited false positives
• Full IR Lifecycle support
• Integrated managed remote threat containment
• Deep-level portal visibility
• Supports multiple regulatory measures

WEAKNESSES
• Higher service cost relative to SOCaaS, EDr and MDr-MT models
7. MD-big-R (Full Telemetry)

MDR-FT is a viable option for organizations that have substantial security budgets and are looking for complete threat and IR Lifecycle coverage across any environment.

• 24x7 Monitoring
• End-to-End Management

VISIBILITY
• Endpoint Visibility
• Network Visibility (PCAP)
• Log Visibility (on-premises and cloud)
• Additional Cloud Visibility (beyond log, endpoint and vulnerability)
• Vulnerability Management

DETECTION CAPABILITY
• Automated Known Threat Response
• Proactive Threat Hunting
• Active Threat Hunting
• Forensic Investigation
• False Positive Reduction

RESPONSE
• Managed Remote Host Tactical Threat Containment
• Managed Remote Network Tactical Threat Containment
• Managed Remote Cloud-Based Threat Containment
• Unlimited Remediation Support
7. MD-big-R (Full Telemetry)

QUESTIONS AND CONSIDERATIONS:

• Do we have adequate budget for the provider’s services and in-house requirements without sacrificing our overall security posture in other critical areas?
• Does the provider have integrated automated response for known threats available via APIs?
• Does the provider have adequate detection capabilities to enable detection of known and unknown threats?
• What are the provider’s SLAs for response? Do they meet our requirements?
• Does the provider have adequate visualizations and reporting to support our internal teams and meet regulatory requirements?
Summary and Recommendations

As threat actors continue to evolve their techniques and activities in response to workload proliferation across digital landscapes, organizations will continue to be at risk. As a result, MDR vendors will quickly adapt coverage and capabilities in an effort to expedite detection and containment regardless of workload residency.

As more MDR vendors enter the market and align to the categories in this guide, personnel involved in risk management and security operations should take care in selecting an MDR provider that:

• Aligns to organizational risk tolerance levels
• Complements internal capabilities across people, process and technology
• Addresses visibility gaps in current and future network activity
• Addresses the organization’s threat landscape
• Scales with organizational growth and digital expansion (e.g., cloud, IoT, IIoT, etc.)
• Advances detection of both known and unknown threats
• Accelerates the time frame from detection to containment and remediation
• Meets regulatory, third party and partnership requirements

Ultimately—and in pursuit of appropriate and informed decisions—we encourage organizations to analyze business objectives and to determine the subsequent risk to those objectives, which could be due to prolonged threat actor dwell time. Following this methodology will guide organizations down the path to determining which category of MDR vendor effectively and efficiently provides appropriate business protection.
Glossary

dwell time
The amount of time threat actors go undetected in an environment

Endpoint Detection and Response (EDR)
Tools and actions focused on detecting, investigating and responding to suspicious activities (and traces of such) on hosts/endpoints; in this ebook, we distinguish between EDR and EDr based upon who holds direct responsibility for containment and remediation support:
• EDR: containment and support (i.e., response) is largely or entirely the responsibility of the vendor
• EDr: containment and support is largely or entirely the responsibility of the client

endpoint protection
An approach to protecting computer networks which are remotely bridged to client devices by focusing on the hosts and devices themselves, rather than the network; endpoint protection provides crucial defense against threats which can readily bypass traditional antivirus solutions

Endpoint Protection Platform (EPP)
A solution deployed on endpoint devices to prevent file-based malware attacks, detect malicious activity and provide the investigation and remediation capabilities needed to respond to dynamic security incidents and alerts. Traditional endpoint protection platforms (EPPs) were delivered via a client agent managed by an on-premises server; modern solutions utilize a cloud-native architecture, which shifts management, as well as some of the analysis and detection workload, to the cloud

Incident Response Lifecycle (IR Lifecycle)
An organized approach to addressing and managing the aftermath of a security breach or cyberattack, the goal of which is to standardize an effective process for limiting damage and reducing recovery time and costs

Managed Detection and Response (MDR)
A service which arose from the need for organizations, which often lack sufficient internal resources, to improve their ability to detect and respond to threats—MDR services typically add 24x7 threat monitoring, detection and response capabilities to security operations capabilities via an outcome-oriented approach; in this ebook, we distinguish between MDR and MDr based upon who holds direct responsibility for containment and remediation support:
• MDR: containment and support (i.e., response) is largely or entirely the responsibility of the vendor
• MDr: containment and support is largely or entirely the responsibility of the client

managed security service provider (MSSP)
A company that provides outsourced security services, typically including the remote monitoring or management of IT security functions delivered via shared services, from remote security operations centers

NetFlow
A network protocol, developed by Cisco and extended over the years, for collecting summarized IP traffic information, usually so that system administrators can monitor network traffic and handle particular requests and situations
Network Detection and Response (NDR)
Tools and actions focused on detecting, investigating and responding to suspicious activities (and traces of such) on computer networks

PCAP
An API for capturing network traffic; the name derives from an abbreviation of “packet capture”

Ponemon
(Dr. Larry Ponemon) The Chairman and Founder of the Ponemon Institute, a research “think tank” dedicated to advancing privacy, data protection and information security practices; publishes security reports that are often colloquially referred to as the “Ponemon Report”

runbook
A compilation of procedures and operations, typically carried out by system administrators, for handling particular requests and situations

Security Operations Center (SOC)
A centralized unit (which may or may not be located in a single “center”) that deals with security issues on an organizational and technical level

Security Information and Event Management (SIEM)
An approach to security management that combines security information management (SIM) and security event management (SEM) functions into a single security management system

Security Operations Center as a Service (SOCaaS)
A service that provides real-time monitoring, detection and analysis of cybersecurity threats

telemetry
The collection of measurements or other data and their automatic transmission to receiving equipment for monitoring

threat actor
A person or entity responsible for an event or incident that impacts, or has the potential to impact, the safety or security of another entity
eSentire, Inc., the global leader in Managed Detection and Response (MDR), keeps organizations safe from constantly
evolving cyberattacks that technology alone cannot prevent. Its 24x7 Security Operations Center (SOC), staffed by
elite security analysts, hunts, investigates and responds in real-time to known and unknown threats before they become
business disrupting events. Protecting more than $5.7 trillion AUM in the financial sector alone, eSentire absorbs the
complexity of cybersecurity, delivering enterprise-grade protection and the ability to comply with growing regulatory
requirements. For more information, visit www.esentire.com and follow @eSentire.
