Alert Logic, Arctic Wolf, CrowdStrike Named Among MDR Leaders
The market for comprehensive MDR solutions continues to see double digit growth.
Alert Logic customers commented on the simple deployment, ease of use, quick notifications, and “brilliant project support people.” Customers mentioned fast notifications of alerts.
Among challenges, Alert Logic ingests and correlates extensive telemetry sources using its own internet protocol. However, it doesn’t gather data for web content, or from IoT, IIoT or IoMT devices. It also doesn’t provide digital forensics services as part of its MDR offering.
Arctic Wolf has well-developed road maps in areas of managed service, managed detection and managed response. The breadth of visibility is excellent, and the company expects to invest in orchestration and automation, and to develop an enhanced MDR tier and offerings for specific customer segments.
Among challenges, the customer portal, which is designed with operational staff in mind, offers interactivity in areas such as configurations, endpoint health and gaps in monitoring, but not in-depth investigative capabilities. In addition, customers aren’t able to create, update or close tickets, or edit or customize reports themselves, although they can request any number of reports.
AT&T differentiates its deployment through activities such as the threat modeling exercise; configuration of sensors, agents, devices and other data sources; checking sensors to ensure proper visibility; and setting up custom filtering rules that are reviewed and updated on an ongoing basis.
Among challenges, AT&T offers tools to help prospective customers justify purchasing MDR, but these do not include an ROI tool or performance metrics. Threat hunting is done periodically based on customer preferences, while some companies may require continuous threat hunting.
CrowdStrike MDR can be implemented in days, and onboarding specialists and program managers help streamline the customer experience. A breach prevention warranty in certain regions covers costs should a breach occur.
Among challenges, CrowdStrike is largely endpoint-focused. It offers a single-tier MDR service that is not available to deploy on premises.
Deepwatch’s MDR offering can support customers in multiple environments, including Splunk Cloud, the Deepwatch cloud and on-premises Splunk deployments. Customers maintain control of their licensed technologies, data and environment if they migrate to on premises or end their relationship with Deepwatch.
Among challenges, onsite incident response services are not available but can be obtained through Deepwatch’s partners. Threat intelligence is built into the MDR/XDR capabilities, but it is not available separately.
eSentire assigns a cyber-risk advisor who understands the customer’s business and prioritizes business risk reduction. The company supports on-premises, hybrid and cloud environments, and provides automated blocking based on a global IP blacklist as well as response actions across network, endpoint and users.
Among challenges, eSentire doesn’t offer a curated threat intelligence service, and it does not collect telemetry from IoT, IIoT or IoMT devices.
Expel customers can self-onboard their security technology and cloud services, with assistance from support engineers, if required. Onboarding typically happens in hours. Expel can tune alerts to customers’ environments in a few days or less, and provide response actions, including isolation, containment and remediation.
Among challenges, Expel doesn’t provide incident-specific runbooks, but instead uses a defined investigative methodology focused on remediation and root-cause determination. The company does not offer curated threat intelligence or vulnerability assessment, scanning or management.
FireEye’s Mandiant Managed Defense studies what attackers are doing and uses automation and ML to aggregate the threat intelligence into the Mandiant Intel Grid. It updates customers’ Mandiant Advantage products automatically with threat intelligence. Constant data modeling provides technical indicators that customers can view, through either the Mandiant Advantage Platform or intelligence reports.
Among challenges, Mandiant Managed Defense doesn’t yet have MDR tiers, but customers can continue to add Mandiant Advantage and Mandiant Services.
GoSecure’s tiered MDR services offer flexible consumption. The entry-level tier is fully self-service. Incident response runbooks are tailored to each client’s environment and industry. The inbox detection and response service is an automated anti-phishing solution added to the portfolio after the EdgeWave acquisition in 2019.
Among challenges, GoSecure doesn’t have a single portal. One is scheduled to launch this month. Also, the company doesn’t offer user behavior analytics.
Netsurion’s co-managed and multitenant approach allows customers to tailor their MDR coverage, and the platform’s cloud-deployed controls scale with customer growth. The solution can be hosted by Netsurion or by customers. MITRE ATT&CK framework integration bolsters threat hunting, and one of the company’s strengths is Microsoft 365 security.
Among challenges, the lack of remediation capability requires a variable level of involvement by customers’ IT teams.
Rapid7 MDR is delivered by threat analysts with strong tenure in detection and response. Both MDR tiers include a compromise assessment, remote breach response assistance, intrusion traps and reviews with security advisers.
Among challenges, Rapid7’s onboarding allows for flexible scheduling, but customers are required to self-deploy the Insight Agent, which works with the Rapid7 cloud technology. Because the Rapid7 agent must be deployed by the customer, there is no turnkey option.
Red Canary’s architecture enables API integration with customer tools and workflows. A dedicated incident handler is assigned to each customer to provide incident support and security advice, as well as proactive preventative advice to better protect customer environments.
Among challenges, Red Canary’s number of telemetry sources varies depending on the intelligence requirement. In addition, the company doesn’t offer complementary services such as vulnerability assessment, vulnerability management, vulnerability scanning or XDR, although several services are available through partners.
Secureworks’ onboarding specialists support customers via regularly scheduled calls. Within the past year, Secureworks set up a customer experience team and a customer success manager role. Threat intelligence comes from many sources beyond broad telemetry.
Among challenges, while its XDR solution can support any IT environment, the company doesn’t offer analytics and detections that are specific to IoT or OT environments.
With Sophos, onboarding can happen in as little as a day. A health check is included in both standard and advanced tiers to help organizations assess and improve the hygiene of Sophos Central endpoint configurations.
Among challenges, Sophos has a basic portal that doesn’t provide visibility into workflow tasks and analyst actions during investigations. In addition, it doesn’t integrate with third-party service desk and ticketing tools.
Verizon’s strengths include strong, tenured talent, onsite response capabilities, an XDR platform, curated threat intelligence and content, and a cross-telemetry threat modeling architecture that’s based on the VERIS incident framework.
Among challenges, it has a basic portal that has limited integration only with some third-party service desk or ticketing tools, although further expansions are planned in the future.
Alert Logic, Arctic Wolf, eSentire, FireEye and Rapid7 are among companies listed as leaders in the IDC MarketScape U.S. managed detection and response (MDR) services vendor assessment.
Also listed as leaders are CrowdStrike, Expel and Secureworks. In addition, IDC listed AT&T, Deepwatch, GoSecure, Netsurion, Red Canary, Sophos and Verizon among “major players.”
Craig Robinson is IDC’s program director for security services.
“The market for comprehensive MDR solutions continues to see double-digit growth,” he said. “The industry has expanded MDR beyond traditional detection and response, incorporating next-generation machine learning/artificial intelligence (ML/AI) capabilities, threat hunting teams and customized threat intelligence to combat modern-day cyber threats. The companies named to the leaders category in this space are the vendors who seamlessly marry these capabilities into one streamlined managed service.”
In this MDR study, IDC explored how MDR providers are evolving their businesses, technologies and offerings to detect and respond to modern cyberattacks. IDC asked MDR providers to demonstrate advanced capabilities that provide detection and deliver rapid, effective response actions.
MarketScape Criteria
Using the IDC MarketScape model, IDC studied 15 vendors that provide MDR in the United States. It surveyed providers’ customers that use their services.
The vendors included in the study had to meet certain criteria to qualify:
Geographic presence. Each vendor needed a minimum of 70% of its MDR revenue within the United States.
Customer base. In 2020, vendors had to have a presence within the midsize to enterprise segment, with 100-plus customers.
MDR capability. The MDR service providers must have a well-trained cybersecurity staff in a 24x7x365 remote security operations center (SOC).
Scroll through our slideshow above for more on the 15 vendors (listed alphabetically) in the IDC study — including what makes them successful and where they fall a little short.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.