Recently, we (virtually!) sat down with Jeremiah Dewey, Rapid7’s VP of Managed Services, to chat about how managed detection response (MDR) services strengthen and improve on traditional security products. Here’s what he had to say:
Q: Tell us about MDR.
A: MDR is the Managed Detection Response service at Rapid7. When we first got it off the ground in early 2016, we were strictly a product company. We had a couple of consulting services, but that was really it, aside from the products. We realized we needed managed services for a couple of reasons. Our customer base sometimes needs what a product provides them, but they may not have the expertise in-house, or they may need to enhance or supplement their groups.
We created the service with a handful of customers to get it started. Managed Detection and Response is the name of the service and that’s exactly what we deliver. We have a team of people throughout the world using a “follow the sun” model with our SOC analysts positioned in the U.S., Ireland, and Australia. They monitor and use the detections to follow up and conduct investigations for customers and interface primarily through our Customer Advisors, who are the “face” of our service and provide crucial communications. It’s really a purpose-built service strictly for incident detection and response—more purposeful than say, a standard MSSP, which does have a wider range but tends to have a more diluted focus on specialized functions. It’s a great service, and has grown immensely in the four years it’s been here at Rapid7. I would say it’s certainly a material contributor to the company now.
Q: Who can most benefit from MDR?
A: The people who can best benefit from an MDR service are customers who are geographically situated in places where it’s hard to hire detection and response professionals to really dig in and do the specialized work, or those who simply find that they need a partner who just has a greater extent of reach.
For individual companies with an inward focus on their security, understanding the greater threat landscape is far more advantageous to them. And having us, with a MDR customer base of over 500 globally, gives them that wider-ranging view. Also, the force-multiplier effect with the research group out of our CTO’s office, and other teams at Rapid7, provides a greater breadth and depth to our customers. So those who are looking for a wider, global, more proactive view of the threats greatly benefit by having this service, as well as those who may find it hard to hire true detection and response experts.
Q: Would you say MDR is more about leveraging existing products for greater cybersecurity hygiene, or does it offer a different kind of security foundation?
A: It’s going to depend on the provider. In many cases, you’re trying to leverage the technology that’s already there. You have to look at the difference between a managed SIEM and an MDR service. We have a unique approach in that ours is delivered through Rapid7’s SIEM, InsightIDR. InsightIDR goes beyond just being a SIEM. It has SIEM functionality, but it also has much of the functionality of an EDR. A managed SIEM would be a team who tunes the rules of the product and focuses on that functionality.
We’re a detection and response service delivered through our product, so MDR customers are able to use the SIEM fully. They can jump in a ride along to whatever extent they feel comfortable. They use the SIEM for what a SIEM does (including log management and IT operations functions). Our service utilizes the EDR functionality, plus the SIEM logs and whatever sources customers have that point into InsightIDR to deliver the service. Yes, it’s tied to our technology, but our technology is fairly all-encompassing in that it has its foundation as a SIEM and they can point whatever they want to it as an event source.
Q: Say you’re leveraging your existing security controls effectively already (or at least think you are). How might MDR add value?
A: Some of that is going to depend on why security companies implement security controls in the first place. If they’re utilizing controls mostly as a compliance exercise, because they’re going through a framework that has a catalog they need to follow, I think having a service like ours is an important addition to that because, as is often said, compliant doesn’t necessarily mean secure. And vice versa—just because you consider your network to be secure doesn’t always mean you can check the box for compliance.
Checking the boxes and addressing the controls is a big part of it, but the real value lies in putting layers of defense in place so that when those controls are circumvented you have somebody watching who can immediately alert you and drive a more effective response. MDR supplements our customers’ controls—it is very much a partnership with shared responsibility. If they come in with a Wild West approach and they have no controls, I don’t know that a service like ours would be the best thing for them. There are fundamental things they need in place for an MDR service to give them a well-rounded experience.
Q: So it’s not meant to be a substitution for effective security controls.
A: Exactly. I would never look at MDR as “Hey, I’m going to outsource these functions completely.” I think it’s more of a supplemental service.
In terms of what people do, within a typical SOC you tend to have Level One, Level Two analysts to do the initial work. Many of your MSSPs that exist in the world provide the L1/L2 level for their customers. That can be an outsourced type thing. When multiple layers of security controls are circumvented or when problems require a higher level of expertise—the L3/L4 realm—that’s where it’s harder to find that talent. And that’s where MSSPs can find themselves topping out and needing help. That’s where a good MDR service provides a great supplement to a customer—no matter if they have an MSSP, or if they’re running security in-house—going to that higher level to reduce the dwell time that attackers are in, to increase the confidence customers they have to address threats, and condense the time needed to respond to incidents. Really, if they do this well, that equals cost-savings for them.
Our most successful customers, we find, are those who want to grow with us, and build their capabilities. Not those who simply want to toss tasks over the fence. I must repeat what I said before, and I will likely say it again in this conversation, it is very much a partnership.
Q: Can you speak to the importance of deploying deception technologies—like honey credentials or honey files—to strengthen your security posture?
A: Full disclosure: I’m a bit skeptical of deception technologies in a standalone sense. I wouldn’t bet the farm on them as a primary defense, but I will say there is an advantage to using them as part of your overall detection program. Deception technology gives you a view of what the attackers are doing, where they’re going. Essentially you’re setting up decoys to see if attackers fall for it. So you can find out if they’re trying to get in, how they’re trying to get in, how they’re poking and prodding to look for openings.
I think of deception technology as somewhat of a canary in a coal mine. It’s nice to have. You would much rather see those alerts fired to let you know something may be coming, rather than finding out when somebody’s already in.
Q: Is there anything else you’d like people to know about the benefits of an MDR service?
A: You get more than simply the technical expertise. Everybody has technical people—that’s a great thing to have, right? But if an MDR service is doing this properly, they’re going to have the right people advising the customers on the service as well. For instance, in our MDR service, we view the value of our Customer Advisors beyond the boundary lines of Rapid7 products and the service they are contracted to provide. They aim to be truly trusted advisors to our customers, to help them with security in general, not just in terms of what our technology can do.
It’s not simply an exercise to accomplish tasks and check boxes. You know it’s a partnership. You want to look back as a customer, a year after you’ve signed up for the service, and fully believe you’ve gotten better. You’re not often going to get that with an MSSP. You’re not going to get that with most of your managed services, with most of your outsourcing. Yes, it could be a partnership in some aspects, but if you view them as simply accomplishing some tasks for you, then you’ve really just hired a staff augmentation firm. If you as an organization want to get better at your security, and you want to mature, I can’t think of a better partner for you to have than an MDR service.
Learn more about Rapid7’s MDR
Thanks again to Jeremiah for sharing the benefits of supplementing controls with MDR. If you want to develop a more mature, well-rounded security posture, learn more about Rapid7’s MDR, or register for the upcoming Sayers MDR webinar.