Understanding MDR vs. MSSP
By Marissa "Reese" Wood,
The comparison of MDR vs. MSSP has been a topic of conversation for a long time in cybersecurity circles. At one point in time, there were stark differences between the two, but as the industry has evolved, the two have melded closer and closer together.
Nowadays, it’s less MDR vs. MSSP then it is Big R (a relevant response to a detection notification) vs Little R (detection notification). But as these two concepts follow along the classic MDR/MSSP lines, it’s still important to know the difference between the two types of services.
What is the difference between MDR vs. MSSP?
MDR and MSSP services share a similar goal in that they both alert and protect your organization from cyber threats, but they differ in how they go about putting that goal into practice.
While the two are similar, here’s a short breakdown of each type of service:
- MDR: Services that proactively search out, validate and alert organizations of detected, current or incoming threats. This 24/7/365 threat monitoring features AI, machine learning and (in Deepwatch’s case) our SecOps platform to monitor, triage and act on data and events.
- MSSP: Services that reactively respond to security events and focus primarily on defending vulnerabilities through passive technologies like firewalls. MSSPs send out alerts to IT teams when anomalies are detected but do not investigate them.
Sound a little too similar to each other? Yes, we know. My colleague, Ryan Benson, came up with a good analogy that I find helpful: “Think of it as the difference between buying a car and being able to make the most out of actually driving a car.
Signing on the dotted line for that slick, red Ferrari is great, but if you didn’t know how to drive a stick, well, (back in the day) you wouldn’t have been able to get it off the lot. If you bought an SUV for your large family but all the seats were gone, you couldn’t really get anyone safely to the baseball game. When you’re speeding 100 down the highway, you’d feel safer if a NASCAR driver was behind the wheel rather than your buddy from high school.”
In the same fashion, just because you have security tech doesn’t mean you’re getting the full value from it. MSSP is simply buying the Ferrari, technically fitting everyone into an SUV or having someone, just anyone behind the wheel as you fly down the highway. MDR on the other hand means you know what you’re doing, you’re using your tech to its fullest capacity and that you can keep it running smoothly even when things are going more than a mile a minute.
Read more: My Squad: Nothing You Could Say Could Tear Me Away From My Squad
What are common MDR services and benefits?
One of the key benefits of an MDR service is the filtration and immediate response they provide compared to MSSPs.
If your IT team got an update for every single little thing that happened across your network, they’d never be able to focus on anything and would be inundated with information. By only being alerted to important and verified information with remediation steps, your IT team doesn’t have to spend additional time working on solving the problem. This means less time for your hacker to cause damage to your business.
When thinking about MDR vs. MSSP, MDR relies more on personal communication and connection versus typical MSSP services. While traditional MSSPs are designed to send alerts and updates automatically via email or a portal, MDR services are usually managed by talented and trained professionals who will analyze data and provide specific guidance on how to proceed based on an alert. The number one goal of Deepwatch’s MDR squad is to keep your business running and not worrying about what’s going on in cyberspace.
Some of Deepwatch’s valuable MDR services include:
- 24/7/365 alert monitoring, validation and escalation
- Platform management
- Active threat hunting
- Curated threat intelligence
- Proven “design for failure” cloud architectures
- Compliance assistance (GDPR, HIPAA/HITECH, SOX, PCI DSS & more)
What are common MSSP services and benefits?
You’ll usually see the lack of context as one of the main reasons why some people struggle to get behind traditional MSSPs. Whereas MDR notifications come analyzed and with next steps right in hand (Big R doing its thing), MSSP alerts often leave the detective work for the IT team who receives them to handle (classic Little R). So while an MSSP might manage an effective firewall, they may not provide as much research, data or analysis to make the most out of what your firewall comes up against.
Essentially, MSSPs can say “Hi! There’s been an issue. You should look into it,” but they do not provide the necessary information to remediate any vulnerabilities.
Traditionally, MSSPs have been based on providing technology services (think firewalls, patch updates and antivirus programs). That being said, many have started to take on services that look more and more like MDR services in order to keep up in the competitive cybersecurity landscape.
Some classic MSSP services include:
- Firewall management
- Log management
- SIEM management
- Vulnerability scanning
- Intrusion detection
- Antivirus services
Read more: Why Aren’t You Outsourcing Your Cybersecurity Operations?
How do I know if I need MDR vs. MSSP services?
Most businesses will require either MDR (Big R) or MSSP (Little R) style services. Some maybe even require or wish for both. Figuring which works best for your business can be a struggle, but usually, you can break down who needs which style of service into two rough categories:
Those Who Need MDR Services
- Organizations that have invested in security tools but have not fully integrated them and are not getting their full value
- Organizations with compliance or regulatory requirements
- Companies that want to use their monetary resources for things other than staffing a security team and managing a SOC
- Security is managed and customized for the customer
- Outsourced services free up internal teams and monetary resources
- Notifications are filtered so the team doesn’t have to respond to false positives
- Remediation recommendations included in alerts and by a team of professionals
Those Who Need MSSP Services
- Institutions that have a large internal IT or security staff that can manage the large quantity of data and respond to alerts in a timely manner
- Establishments that do not have compliance or regulatory requirements or who do not have highly sensitive data
- Security management
- Security information and remediation is handled by internal teams
- Notifications for all security events
- Personalized responses to alerts
Whether you fall into the first or secondary category, you’ll be able to find a partner in Deepwatch. We’re changing the way managed security is provided and have what you need to up your cyber defenses. Between our MDR, MEDR and Vulnerability Management services, our team of experts will help you find what you need. Contact us today.