1 Introduction / Executive Summary

Industrialized cyber-criminal operations and increased nation state sponsored cyber espionage activities mean that most organizations are under continual cyber-attack, but the worldwide shortage of cybersecurity skills means many organizations are struggling to keep up with attackers, and security teams are often overwhelmed by the number of security alerts being generated by a multitude of security systems.

These and other related factors are driving the growth and evolution of the Managed Detection & Response (MDR) market for solutions that manage a collection of cybersecurity technologies or an integrated platform for a client organization to provide advanced cyber threat detection and response capabilities, including Security Operations Center as a Service (SOCaaS) solutions.

MDR solutions are typically backed by teams of security experts that provide round-the-clock monitoring, analysis, and support, as well as advice on how to improve the client organization’s cyber security posture. MDR solutions, therefore, go beyond traditional Managed Security Services (MSS) from Managed Security Service Providers (MSSPs), which typically focus on compliance reporting and helping customer organizations to meet security compliance requirements.

In previous Market Compass reports, KuppingerCole has focused on SOCaaS as a discrete market which emerged as a result of the evolution of MDR solutions by including coverage of all cloud environments, being built on cloud-based platforms, and including the services and guidance of human analysts. However, many standard MDR solutions now have these characteristics. Therefore, SOCaaS vendors have been included in this more in-depth Leadership Compass analysis of the broader MDR market.

All organizations, regardless of size, face similar cyber threats and therefore need advanced cybersecurity detection and response capabilities. Smaller organizations often lack the budget and skills to do this, while all organizations struggle to fill cybersecurity positions.

MDR solutions mean that even smaller organizations can tap into the benefits of having a large team of experts continually on call to detect and respond to incidents and help guide investments, strategies and processes without the cost and challenges of finding and retaining people with the necessary skills.

Where there is little or no in-house threat detection and response capability, MDR solutions help enterprises to outsource the majority of their security operation, including security related management of networks, endpoints, applications, websites, databases, and security logs. Many MDR services enable organizations to outsource their SOC completely if they do not have the resources to act on recommendations for containing threats, and in a growing number of cases, MDR services support automated response capabilities.

Where there is some in-house security capability, MDR can be used to supplement this whenever necessary to ensure that an organization has at its disposal all the cyber security skills and capabilities required to deal with high-risk threats and critical incidents. This is also relevant for very large organizations, given the volume of cyber-attacks and the skills gap in the market, making it challenging to develop long term security strategies, while keeping on top of daily cyber threats and incidents.

Even large organizations with in-house security teams find it challenging to manage SIEM, NDR, EDR, SOAR, and even IAM systems to deliver the required security outcomes. As a result, they are turning to MDR service providers to help with this, as well as provide rapid automatic containment capabilities for common threats. Some vendors report a growing demand for MDR services from the world’s largest organizations due to the global lack of cybersecurity skills and high churn rates that make it challenging to run an in-house SOC and maintain the desired quality of service (QoS) levels.

The main aims of MDR are to:

• Strengthen organizations’ ability to monitor and detect security threats and respond to security incidents 24/7.
• Continually improve overall security strategy and posture.
• Provide a comprehensive view across the security environment.
• Enable in-house security teams to focus on and manage strategic security initiatives.
• Increase value from existing security investments.

MDR solutions are also aimed at:

• Helping customer organizations deal with high volumes of security alerts.
• Reducing the time that it takes to identify and mitigate security incidents.
• Providing advanced analytics of threats and user behavior.
• Rationalizing, updating, and integrating/coordinating security tools.
• Improving visibility and governance of business IT environment across the whole enterprise.
• Providing tools and expertise to deliver or augment endpoint detection and response (EDR), eXtended Detection and Response (XDR) capabilities, and Security Orchestration, Automation, and Response (SOAR) capabilities.

1.1 Highlights

• Increasing cyber threats, alert overload, and the worldwide shortage of cybersecurity skills are among the top drivers for the ongoing evolution and growth of the Managed Detection & Response (MDR) market.
• MDR solutions include a wide range of cybersecurity services, ranging from simple alert triage to Security Operations Center as a Service (SOCaaS) to full MDR, including Incident Response.
• A key element of MDR is the focus on continual improvement of cybersecurity posture, going beyond traditional Managed Security Services from Managed Security Service Providers.
• MDR solutions that cater for all sizes of organizations provide the opportunity for even small companies to get the benefit of enterprise-level Security Operations Centers.
• Most MDR solutions now meet a range of use cases from assistance of in-house SOCs and security teams to full outsourcing of security operations.
• MDR solutions typically help organizations to maintain round-the-clock monitoring of IT assets and deal with large volumes of alerts across increasingly complex business IT environments.
• The Overall Leaders in Managed Detection and Response (in alphabetical order): Arctic Wolf, eSentire, ESET, IBM, Kroll, Proficio, ReliaQuest, and Sophos.