Managed IT security might look as a pretty complicated landscape and it really is. However, difficult it might be for customer to understand what it’s being offered by a cybersecurity service provider, it goes without saying, that managed security simplifies life and business of customers, allows them to do business and make it very much more protected against cyber threats thriving it today’s world. To get to this safe place, customers have to comb through available service offerings and make a choice best meeting their urgent and potential needs in this area. The best first step to start this journey to cybersecurity is studying and understanding what major acronyms of managed cybersecurity world mean, such as MDR, MSSP, SOC-as-a-Service, Managed SIEM etc.

All of them are cybersecurity solutions or services designed to protect against security breaches, cyber attacks and eliminate or minimize their impact. But they all do with small or dramatic differences, so here goes short guide on types of managed cybersecurity solutions and services.

MDR: Managed Detection and Response aka SOC-as-a-Service

Managed Detection and Response or MDR is a managed cybersecurity service helping to quickly detect and eliminate such threats as intrusions, viruses and other malwares, as well as malicious activities in the network. MDR usually takes into account company’s structure, positions and roles, relies on its own proprietary technology stack and it involves assigned team of forensic analysts as well as in-house security team. It greatly reduces time to detect and eliminate incident, in many cases from months to literary hours, which makes MDR an effective cybersecurity solution. MDRs are all about response, which is not simply automated but is human or AI led. Note, that the upside of human analysts’ involvement also makes this solution relatively expensive.

Please note, that sometimes you can come across SOC-as-a-Service offering. In most cases that will be the same MDR service, possibly with limited detection functionality, so make sure it will meet your needs.

MSSP: Managed Security Service Provider

MSSPs offer security solution that relies on automation technologies and lets fully outsource cybersecurity to a security service provider. Traditionally, there is no need for in-house cybersecurity team of the customer but there will be used its technology stack. It makes MSSP offering cheaper than MDR’s but also assumes that support team will be customer’s internal.

MSSPs are quite flexible in relations with customer, adapt to its IT environment and will monitor security events in it, sending alerts on detected anomalies. But MSSPs as a rule do not investigate them or respond to threats. These functions can be made available with a special retainer.

MSSP vs MDR: Are They Really so Different?

MSSP is the most common name for cybersecurity service providers and, eventually, behind all of the acronyms mentioned in this article there hide this or that type of managed security service provider. But they should be distinguished. So, the answer to the title question would be ambiguous: yes, and no. Let’s go deeper into detail.

Historically MSSPs precede MDRs, however, the current trend is that the line between MSSPs and MDRs is blurring year by year. Some MSSPs partner with pure MDR providers or expand their portfolios to add incident detection and response capabilities. For instance, Trilight Security MSSP offers packages with MDR functionality, such as Professional and Enterprise. Vise-versa, some MDRs offer MSSP functionality to expand to new customer base.

Remember, that some MSSPs, especially those working with SMB, also provide such basic cybersecurity services as email encryption, antimalware, firewall management, backup & restore, identity & access management (IAM). In this regard, it looks as justified to say that MDRs tend towards large enterprises and MSSPs, though working with such customers as well, are more suited for SMB.

But this is not entirely true. While primary customers of MDRs are large enterprises with in-house security teams and its own cybersecurity technology stack, which want to improve its threat detection and response capabilities, in fact MDRs are also a good fit for SMBs with NO or almost no cybersecurity team and infrastructure. These are assets brought by MDR, while MSSP, as you should remember, rely on customers’ technological stack and offer no incident response functionality as a standard offer. With very big approximation one can claim that MDRs are fit for entities with small to no or big to perfect cybersecurity capability, while MSSPs are somewhere in between.

MSSP vs MDR: Differentiators

From the above said it becomes clear, that MSSP will be a good option for customers not using sensitive data. Also, this should be a customer ready to assume responsibility for handling detected anomalies, doing (or not doing) incident responses and investigations, eliminating false positives.

MDR services will be demanded by customers under the pressure of regulatory requirements, such as banks, insurance companies, healthcare service providers, food & beverages manufacturers etc. Those with no fully operational Security Operations Center or lacking IT security staff sooner or later will come to either eliminating these insufficiencies or hiring MDR service provider. Traditional MSSP services will not cover compliance demands of such customers. Somewhat paradoxically, MDRs will also be a good choice for SMB having only cybersecurity tasks and having no cybersecurity capacities. This is why Trilight Security, positioned as MSSP for SMB, offers robust MDR functionality as to incident response. It’s because it is in demand.

Gartner pointed out in 2017, the overlap between MSS and MDR is increasing and adding to the confusion of buyers. Ever since this process has only accelerated. Still, MDRs and MSSPs can be and should be differentiated by technological and process distinctions such as some of those mentioned by this agency:
• Security event log and context sources. MDR will rely on its own technological stack (provided to buyer for a fee) while MSSP will simply work with data selected and sent by customer.
• Remote device management, as a rule, is provided by MDRs for its own hardware & software service platform, while MSSPs cover intrusion detection or prevention systems, web gateways, firewalls, and more, getting logs and analyzing them irrespective of vendors involved.
• Cybersecurity service provider interaction in case with MDRs tends to be direct with SOC analysts, via voice or email. MSSP mostly interact with customers via portals and emails.
• Incident response support can be considered one of primary differentiators of approaches by MSSPs and MDRs. To sum it up, MDRs offer remote and basic incident response as a part of a typical service package and investigation or hands-on assistance in elimination of incident by a separate retainer. MSSPs offer both remote and on-site support, with active participation of security experts by a separate retainer, in most cases.
• During incident containment MDRs will work with their own technology stack plus some of the customer-owned technologies. Pure MSSPs will work mostly with available customer’s technological stack.
• Service-level agreements (SLA) for incident detection and response are usually provided by MSSPs and rarely by MDRs.
• Compliance reporting is rarely a subject area of MDRs, as they are usually hired for better threat detection, incident response and security monitoring capabilities, while MSSP usually cover requirements for reporting in different industries.

Let us reiterate again. Major difference between MDRs and MSSPs lies in manner and scope of incident response. Typical MSSP would detect and alert leaving the in-house security team responsible for handling. MDRs will typically provide at least some core remote support with incident handling. MDRs’ SOCs are populated rather by security analysts, than operators, which helps make incident response more personalized and intellectual.

Again, note, that boundaries between MSSPs and MDRs are blurring year by year.

Managed SIEM

In addition to classical MSS and MDR there also exist a relatively simpler (and cheaper) version of managed security such as Managed SIEM or Security Information and Event Management. Usually, it refers to provision of SIEM solution, on-site or cloud for a customer with the need to strengthen its security monitoring capacity. Managed SIEM service can also include administration and support of the SIEM solution and even collection and analysis of events in customer’s IT environment. This is where Managed SIEM service would start overlapping with MSS. Despite its relative “simplicity”, Managed SIEM service would help meet many regulatory requirements.

Learn About Benefits We Bring

Managed Security Service Providers have already become a new reality for businesses of all sizes. Indeed, partnership with true MSSP brings you and your security team more than just a few serious benefits. DOWNLOAD our whitepaper and find out more.

Download Whitepaper

Trilight Security

EU, Estonia, Tallinn,
Harju maakond,
Kesklinna linnaosa,
Vesivärava tn 50-201, 10126

[email protected]