Brings us to our next session, Managed Detection & Response Leadership Compass. We will have Warwick Ashford running us through that. Warwick is a senior analyst who researches cybersecurity and identity-related topics, including emerging technologies and trends. He has been writing IT news and analysis as a journalist and editor since 23, long time, I didn't think about security at this point in time, specializing in cybersecurity and privacy since 2012.
Warwick, the stage is all yours.
Thank you, Carsten. Good morning. It's great to see all of you here. A big personal welcome to cyberevolution, to those of you who are in the room, and to those of you who are joining us online. We're not wanting to forget you at all. As Carsten said, I represent the analyst side of the house, so this event that you're experiencing is a result of the tremendous hard work that our events team has put together. They've put together three tremendous days, and I hope you agree with me that yesterday was a super day.
It set up a lot of what I'm going to be talking about, and has discussed a lot about the problem space that we're all quite familiar with, but the nice thing about the MDR market, it's looking at some of the solutions.
I'll give a brief overview of the market, and then I'll look at some of the key findings from the research report, but the idea is this morning that it'll pique your interest enough to go and read that research, and it's one of three that have been published over these couple of days that we're here at the conference, so just to kind of try and showcase the research work that we do here at KuppingerCole.
And then I'll give a brief overview of the evaluation methodology, how we actually go about doing that, and then I'll look at the innovation, and I'll be joined by a representative of one of the vendors who took part in this year's MDR show. So I guess this is an attempt at a graphic representation of what a lot of you do on a day-to-day basis. They're all coming at you, and we've heard that from Lucas now.
It's kind of a daily struggle, but I couldn't, like one of the previous speakers, I couldn't get the AI to cooperate too much, because I wanted to try and put some element of AI in there to get an idea, okay, so the SOC room is facing these people from outside, but also from within, and they've got help. So just to get an idea of who we've got in the room, how many of you are from organizations that already have an MDR solution that you're using, an MDR service that you subscribe to or you're using? Anyone?
Okay, we've got one, two, couple in the room. So okay, so that's good. Then this presentation is probably, I'm assuming that the rest of you don't, and also, because this is quite a mature market, those of you who do may be considering changing, and that's what a lot of the vendors that I spoke to during the course of the research told me is that they're not dealing with so many first-time buyers now.
They're not having to evangelize so much around the MDR market, because these people that they're seeing, the prospects that they're seeing, have already got an MDR provider in, but they're wanting to know more. So just to frame the discussion, I thought I'd start off with this quote, that MDR are essential to today's cybersecurity landscape, providing organizations with the expertise and continuous monitoring needed to detect and respond to threats effectively.
So I think that's one of the things that I've learned over the years that I've been writing about cybersecurity, is that really continual monitoring is essential. And this was by Bruce Schneier. There was a time when you couldn't go to a conference, either in the US or in London, and Bruce was not on the agenda. So I think this is kind of a good way to frame the conversation, and I think that that is essentially true. This is just a graphic representation of how I see the MDR solution space.
It kind of is the bridge between all the noisy information that you've got, what Martin likes to refer to as the zoo of tools that everyone has in their organizations, feeding information. But the focus is, for the people wanting to consume it, is the outcomes at the bottom. You're wanting threat detection, you're wanting incident response, you're wanting alert management, and then we've now just heard from Lucas this idea of continuous improvement. And for me, that is one of the most important things about MDR services. It's not really a passive interaction.
It shouldn't be a passive interaction where you just hand over everything and they kind of sort it out, you hope. It's a partnership. It's a dialogue. They help you get better at what your cyber posture is. It's not just a one-way street. So I just thought I'd look at some of the main aims of MDR. So as I said, monitoring is very important. So this is about strengthening your ability to monitor and detect and respond to threats. So that's obviously the bread and butter of MDR.
We've spoken about the continuous improvement, about strategy and posture, and when I talk to the vendor later, I'm sure this will be something that we'll explore even further. But also it's about providing a comprehensive view across your security environment. I think this is one of the things that people struggle with. They've got so many systems that they've bought over the years to deal with this problem, this threat, this set of threat actors, or this particular vulnerability, but they haven't got a good overall view.
Also it's about enabling in-house teams to focus and manage on their strategic security initiatives so that they're not doing the firefighting. It's not only about the firefighting, but it's about thinking at that strategic level to be able to take it further. And then it's also about increasing the value from existing investments, because I think this is one of the biggest challenges that CISOs have is, well, what's the ROI? How are you going to prove that this investment that we're making is going to give us a good return?
And so here, again, the partnership with the MDR service can help you realize better return on your investments. And then also to help you manage the systems, many organizations that have EPDR, SOAR, SIEM, and maybe even XDR are struggling to manage these systems. They don't have the in-house expertise to deal with that.
But again, a partnership with an MDR provider can perhaps help them to get more out of that. So the typical outcomes, everyone in the room that's joined up is going to get a copy of the slides, so don't worry about that. A lot of these slides are just for your reference, so you will get a copy, and this will help you to look over that. So this slide is to tell you that MDR comes in many different flavors and forms, so you have lots of different forms, and it can be confusing and difficult to choose.
So that's one of the reasons that we do our leadership compass reports, is to help organizations orient themselves towards the market that we've discussed, and to get them to identify what it is that their needs that they have, and then enable them to make the match with the things that are available on the market. So here is a list of the vendors who took part in this year's leadership compass, and then we also include vendors to watch. So these are vendors that we think are interesting, but decided not to participate for whatever reason.
And this is also just a good idea for you to get an idea of who is playing in the market and who participated this time around. So what are the key findings? I've kind of alluded to this already. There's a wide range, but it goes right from SOC as a service. We initially did a SOC as a service report as a standalone report, but it soon became obvious that there is a big spectrum of these services available. So all the way from SOC as a service to full MDR, and that's including incident response.
A key element of MDR is, as I said, a focus on this continual improvement, so it's not a passive relationship. It's going beyond what the traditional MSSPs do. And so MDR services, they cater for all sizes of organizations, provide the opportunities even for small organizations, because I think this is the important thing to understand about the MDR market is that it's not one size fits all, and that some cater for the full range, and some are focused on the small market, and some are focused on the enterprise market.
So it's all about understanding who does what for whom, and making your RFP list that much more sensible. So they now reach a range of use cases. So on the biggest side of the organizations, they may just want someone to supplement their skills, to hold their hands during a crisis, or just to help them over any particular area, but not completely take over, whereas the smaller organizations may not have the internal resources, and so they will need to be able to hand over as a SOC replacement. So you need to decide where you are fitting in that.
It typically helps fill the skills gap, because most organizations have limited resources in terms of the skills, and as we know, there is kind of a worldwide shortage of people with the correct skills. So this is a way of having the correct skills on tap whenever you need them, and not having to rush out in an emergency. There's also one of the other findings was that there's a concerted effort to focus on risk management, and this was something that I picked up with a guy from the Deutsche Börse yesterday.
He said that risk management in terms of financial markets is fairly well understood and well managed, but when it comes to cyber, he said it wasn't so well managed. And that's why I find it really interesting and good that a lot of MDR providers are now putting more focus on the risk management side of it, because we at KuppingerCole, too, when we advise organizations, we help them to manage the risk, and that's why this is a good development.
Increasingly organizations realize that they cannot manage alone against all these threats, and we've heard over the past day and a bit how AI is now helping a lot more, and so that's becoming more and more challenging. So for many organizations, MDR is kind of the only way that they can bring everything together and see what exactly is going on across their landscape and have that single point of control. But how is the market performing? What is the growth like?
Well, we ask many questions in our questionnaires, and some of those are the finance side of things, and from that we were able to extrapolate and get a good idea of how well this market is developing and growing, and it seems that there is really robust growth. We calculate that there is a 22.5% compound annual growth rate on this market, so potentially by 2027 we could be all the way up to $7.9 billion a year, so that's a significant market and it is growing. So what are the drivers? More stuff is going into the cloud that's critical, so that needs to be protected.
There's also an increase in the severity and frequency of ransomware attacks. We'll hear more about that later in this conference, but I think people tend to think that, well, oh, ransomware, that was a thing a year or two back, but yeah, we've moved on from that. Not so. There's still something that you have to take care of.
And then, of course, there's the growth in data protection regulations. These are more and more territories, states, regions are introducing these regulations that CISOs are having to contend with, so if you are unable to prove what you're doing, that you've got a monitoring system, I mean, a lot of these regulations require this 24-hour monitoring, so this is beyond the scope of most organizations, and so this is where MDR can fulfill a very important role.
Then, of course, we talk about the rapidly expanding attack surface, and so that spawned a whole new market that we're also looking at of attack surface management, but here MDR can help because it is enabling you to monitor across that expanding attack surface. And then, of course, thanks to the pandemic, we've got this shift to remote working, so now that's another component that many organizations that I'm sure you realize are having to take care of, and that's where the MDR can also help.
There's also a rising threat of data breaches, especially from state-sponsored cyber attacks, and I was interested to read that yesterday the UK's National Cyber Security Center put out an alert saying that in their considered opinion, UK business and organizations are not really appreciating how much of a threat there is out there from cyber threats, and in their view, well, not in their view, from their stats, the number of severe incidents is three times more this year than it was last year.
So the number of events that they dealt with at a national level was roughly about 110 up from the previous year, but of those, there were three times more severe incidents. So it is something that you can't ignore and that they're encouraging all organizations and businesses to be aware of. So part of that, obviously, is the escalation of cyber espionage campaigns, and it's targeting personal information. We've heard that because that are the keys to the kingdom.
The other problem is, of course, we as organizations are producing way more data than we used to and that's, again, contributing to the expanding attack surface, and because of board mandates to the cyber security reporting is that, well, they need to know more about what's going on. So MDR presents an opportunity for the cyber security teams just to have that constant reference to be able to say, look, this is where we are, this is the state of play, this is how well we've got it covered.
Another interesting development is that it's a requirement by cyber insurance companies that there be this level of monitoring and this level of oversight, and I quite like this idea that the cyber insurance industry has got the potential to drive good practice and to make sure that, as a whole, countries and industry sectors as a whole are more cyber secure. So our research, we send out a questionnaire, it's a hefty questionnaire, we analyze and evaluate that information and then it goes back to the vendor for fact check and then we publish it. So that's what we're doing this week.
A set of capabilities, required capabilities, go out to the vendor. I won't go through this. This is just for your reference. So when you're looking for an MDR provider, you can use this as a way of assessing, well, do they cover all the key posts? For this particular research, I identified seven areas to look at specifically and so obviously I looked at coverage, I looked at container support, authentication support, detection, response, threat intelligence and support for the end user customer.
And so for each, when you look at the report, and I sincerely hope you do, for each vendor there'll be a write-up evaluating them across those categories and then you get this spider chart so you can say, well, look, for me, cloud or container support is really important. We're doing a lot in Kubernetes. Maybe this provider, whom I named, is not the one for me. In addition to those categories, we look at nine other things like security and I'm just going to single out that one. When you look at that, security doesn't mean how secure or the level of security that it provides.
It's about the internal security, about the practices of the service within. So these are the nine categories and so we use that then to filter down to a product leadership, so hence leadership compass, market leadership, innovation leadership and then, of course, overall leadership. So this is where we put all nine categories together and with different weightings and then we come up with a graph that looks something like that.
So this is kind of the overall leadership for this year and although you'll see, so the two interesting things about that is at the top end on the right-hand side, you can see that the vendors are very close together and so what this tells me is that it's a highly competitive market. We actually struggled to find differentiators between the leading ones, the most comprehensive solutions. And then on the other end, this doesn't mean that these are woefully unfeatured or whatever, but I think if you look at the upticks on Tenure and ThreatLocker, these are what I would call niche players.
They all support particular stacks, particular approaches to security. So this is why it's important to A, understand your need and then B, understand what the market offers so that you can put these two things together and hopefully our report will help. So this is the QR code which hopefully should take you through to the report today and that will show you how to get access to it. You'll see on the extreme right-hand side is eSentire. They scored the highest across all categories.