beazley.security
©2025 Beazley Security. All rights reserved
Key things to know about Managed Detection and Response (MDR)
A complete guide to MDR capabilities, trends, areas for improvement, and more.
In-House or Outsource?
The need for detection and response is unavoidable, but its form can vary.
Very large organizations often build and maintain these capabilities in-house.
While this is expensive and difficult, it can be worth the investment for organizations with sufficiently large and complex IT environments, specialized requirements, and the capacity to hire and retain the necessary expertise.
However, most organizations lack the resources or inclination to invest so heavily in a function outside their core competencies. This is unsurprising given the logistics of building an effective function and the resources needed to staff and maintain it.
It’s for these organizations that Managed Detection and Response (MDR) exists.
There’s No Detection or Response Without Monitoring
You may notice that monitoring isn’t prominently featured in the NIST Core Functions. That’s because monitoring isn’t an outcome. Despite this, it’s a fundamental requirement, and without it, the Detect, Respond, and Recover Functions are impossible.
All detection and response functions must be built on top of a comprehensive and continuous monitoring capability that covers the entire IT environment. This means monitoring data from all tools and systems, including endpoints, networks, identities, email systems, cloud services, applications, and containers.
Defining Managed Detection and Response (MDR)
The term Managed Detection and Response (MDR) has been used and abused to sell a wide range of services, from technology offerings with minimal human intervention to fully outsourced SOCs. However, MDR does mean something specific — even if it’s frequently misused.
According to Gartner, MDR “provides customers with remotely delivered security operations center (SOC) functions”. This isn’t a great definition, which may explain why the term has been so misused. However, a closer reading of recent Gartner reports finds that — while there is wiggle room — criteria must be met for an offering to truly constitute MDR.
The service must be delivered remotely, and threats must be identified, investigated, contained, and remediated rapidly to minimize harm to the client’s IT systems and resources.
MDR offerings invariably use technologies such as Endpoint Detection and Response (EDR). However, the heart of true MDR is a fully staffed and experienced Security Operations Center (SOC). While technology-centric offerings are often sold as “MDR,” they don’t meet the criteria.
At a minimum, MDR must include:
- Continuous monitoring that covers all endpoints, networks, identities, cloud instances and applications, containers, etc.
- Rapid threat detection to uncover malicious or dangerous activity within the client’s environment.
- Investigation and analysis to understand the extent of discovered threats and determine the best course of action.
- Containment of threats to prevent further spread and harm.
- Response actions to eliminate all traces of the threat and enable the client to return to normal operations.
Note: MDR offerings frequently include additional services such as threat hunting and Cyber Threat Intelligence (CTI). These are value-added services rather than core MDR functions.
Three Models for Detection and Response
There is no definitive “best” way to implement detection and response. It comes down to each organization’s circumstances and needs.
Build an Internal SOC or IR Function
Building an internal SOC or IR function gives total control over all tooling, processes, and resources. Large organizations generally favor this, as they have the economies of scale to fund and staff a detection and response capability that includes all necessary skills and experience and is tailored to their IT environment and threats.
The drawback to this approach is cost. Often, organizations cannot maintain a 24/7/365 function, leaving them vulnerable to attacks outside office hours. Since many attacks are initiated out-of-hours — at night, over the weekend, and on public holidays — this poses an unacceptable risk.
Benefits:
- Fully bespoke and customized to need
- Potentially highly effective for risk reduction
- Potential for full integration and data ingestion
Challenges:
- Usually more expensive than outsourcing
- May not be feasible 24/7/365
- No “second set of eyes” to validate effectiveness
Outsource to an MDR Provider
Since most organizations can’t afford to (or choose not to) build in-house, outsourcing to an MDR provider is common. Gartner estimates that in 2025, 50% of organizations will use MDR services.
This offers several benefits. MDR is generally delivered 24/7/365, includes most — if not all — of the technology required, and is far lower cost than building in-house. Some MDR providers can deliver a full solution using the client’s existing technology stack.
However, there are potential pitfalls. Some MDR providers structure their pricing and delivery in ways that don’t serve the client. For example:
- “Black box” services that provide little insight into what the provider is doing.
- “Nickel-and-dime” pricing models that disincentivize full coverage and data ingestion.
- Limited threat analysis that misses deeper indicators and threat trends.
All this can be avoided by organizations choosing the right provider for their needs — but they should be considered when evaluating vendors.
Benefits:
- Generally delivered 24/7/365
- Usually more cost-effective than building in-house
- Access to a fully equipped and staffed SOC
- May come with provided technology (e.g., EDR)
- Full detection and response life cycle expertise
- Full integration and data ingestion (some providers)
- The most hands-off option
Challenges:
- Some pricing models disincentivize full coverage
- Data may be “held hostage” (lost if switching away)
- Deep threat analysis is usually not provided
- Some providers can’t respond on client’s behalf
- Often a “black box” service that’s opaque to clients
- Technology-first solutions often mislabeled MDR
How Pricing Can Disincentivize Full Coverage (and Why it Matters)
Many MDR providers use “nickel-and-dime” price models where clients pay extra for integrations, data volume, and storage. Since clients want to keep costs down, they frequently opt to minimize the sources and quantity of data their provider ingests. This is a problem for two reasons:
1. MDR should include detailed analysis of incidents and threat patterns, but this is only possible if the provider has access to all relevant telemetry data. Lacking this data means potentially missing the underlying cause of attacks, making it impossible to draw conclusions and harden protective controls.
2. Lack of access to critical data sources can mean missing threats altogether until they have already gained a foothold — by which time, some degree of harm is inevitable.
Hybrid MDR
Many offerings sold as MDR are really a “hybrid MDR”, where duties are shared between the provider and client. There are several forms of hybrid MDR that may suit some organizations.
The most common is where providers handle monitoring, detection, and analysis, and provide response recommendations to the client as a ticket. At Beazley Security, we call this “small R” response: providers supply guidance on containing and remediating incidents, and clients complete response actions themselves.
Note: This was the dominant form of MDR until recently. Many organizations saw allowing providers to take action inside their environment as an unacceptable risk. They preferred to respond themselves, accepting the alternative risk that the inevitable time delay might lead to additional harm. Client preferences have changed radically, and most now prefer to allow MDR providers to respond on their behalf.
Other variants of hybrid MDR include:
Co-Managed Security Monitoring
These technology-led offerings are usually provided by EDR vendors or system integrators. Typically, these are the lowest-cost MDR-style offerings and provide the least human expertise. As a result, clients must have more internal staffing and expertise to make this approach work, and will have to take response actions internally.
SOC-as-a-Service (SOCaaS)
While briefly popular a few years ago, SOCaaS has largely been overtaken by modern MDR. SOCaaS is a managed monitoring and advice service, often with consultancy and staff augmentation components. These offerings are often heavily customized, may include dedicated staff and technology, and come with a high price tag. SOCaaS providers generally do not have access to respond directly.
Benefits:
- May fit the client’s use case
- Potentially the lowest cost option
Challenges:
- No two-way access to the client’s environment
- Increased risk of gaps and human error
- Requires significant in-house expertise
- Risk of time delay in responding to threats
- Additional risk for “out of hours” attacks
How MDR is Changing To Reflect Client Needs
Building an internal SOC is not feasible for most organizations. Hybrid MDR fits some use cases, but falls short of the full value proposition. That’s why organizations are increasingly opting for MDR.
Still, several aspects of MDR have left clients wanting more — and some corners of the market are responding. In its MDR Market Guide, Gartner highlights some significant evolutions organizations should consider when choosing a provider.
Proactivity
While detection and response are reactive, they can and should support proactive security. Gartner states: “Increasingly, MDR buyers are asking providers to extend their requirements beyond the detection of and response to threats to include the proactive identification of threat exposures and preemptive security responses.”
There are several opportunities for MDR providers to be more proactive, including:
- Preemptive identification of threats before they gain a foothold and become an incident or breach. This could take the form of hypothesis-driven threat hunting.
- Identification of threat trends and guidance to support and enhance protective controls. By analyzing past incidents, MDR providers can help clients understand their threat profile and take action to manage threats.
- Assessment of security controls and configuration can enable MDR providers to advise clients on changes and additions that will meaningfully reduce risk.
“Big R” Response
Gartner highlights the importance of MDR providers that can “remotely initiate measures for active containment or disruption of a threat”.
Until recently, customers had little desire for MDR providers to act directly inside their environment. However, the prevalence of ransomware and other destructive attacks — many of which occur outside business hours — has led to a change in preference. The reason is simple: speed in response can dramatically reduce the impact of serious incidents.
If a provider can only create a ticket for the client’s internal team to action, the same response could take hours — even days if an attack occurs over the weekend. Meanwhile, MDR providers acting directly within a client’s environment can contain and remediate an attack within minutes.
Going Beyond the Endpoint
The MDR market has historically been closely tied to Endpoint Detection and Response (EDR) tools. Gartner rightly lambasts offerings that are merely managed EDR tools, which it calls “misnamed technology-first offerings that fail to deliver human-driven MDR services”.
Another undesirable artifact of dependence on EDR was an unhealthy obsession with threats affecting endpoints, to the exclusion of other asset classes. As EDR has evolved into XDR (eXtended Detection and Response), organizations have sensibly looked for MDR providers that can monitor and detect threats across a much broader range of assets and systems.
MDR providers should monitor the client’s entire environment, including endpoints, email, identities, cloud instances, containers, IoT/OT, edge devices, and SaaS applications like Microsoft 365.
Expansion into Security Operations
This is another way MDR providers can support clients with increasingly proactive security measures. It falls mainly into two categories:
Continuous Threat Exposure Management (CTEM) and Attack Surface Management (ASM)
Many organizations struggle to understand their attack surface in real time, which seriously hinders monitoring, detection, and response. If an organization is unaware of assets and systems, it cannot monitor them, creating risk.
Gartner believes MDR will increasingly include CTEM and ASM to ensure coverage of the client’s full environment and enable effective monitoring, detection, and response.
Going beyond traditional vulnerability analysis
Basic incident analysis is essential for MDR providers to understand what has happened and how to contain and prevent any harmful effects. A deeper analysis can help them understand why an incident occurred and recommend ways to prevent similar issues in the future.
MDR providers can uncover valuable insights into a client's risk profile through deeper incident analysis (e.g., using digital forensics) and hypothesis-driven threat hunting. In turn, they can recommend proactive risk management strategies and security controls appropriate to the client.
Note that deeper analysis often requires tracking activity across multiple log sources, so MDR providers must have access to logs from all relevant tools and systems.
Data Management and Transparency
This trend is based on our experience, client interactions, and industry observations.
There are several negative practices related to data and transparency that harm the value clients receive from MDR offerings, including:
Black box services
MDR offerings are often opaque, meaning organizations have little visibility into the actions and analyses taken on their behalf. For example, a provider may determine an incident is a false positive and take no action, but provide no rationale. This makes it impossible for the client to know if appropriate investigations have occurred or to spot-check past activity.
Exorbitant data storage costs
In addition to pricing structures that disincentivize full coverage, some providers charge far too much for data storage beyond a minimum term. This leads clients to opt for the minimum storage period, severely limiting how much trend analysis the provider can conduct — and reducing value for the client.
Holding client data storage
Data co-management should be a feature of all MDR offerings. Clients should always have access to review and analyze data held on their behalf. However, some providers do not allow the client access, and others even delete data if a client leaves — with no option for data to be transferred to a client-owned system or another provider.
11 Capabilities You Should Expect from MDR
Discover the 11 essential components to look for when choosing an MDR provider.
1. Modern tooling: MDR solutions must be based around the right tooling (e.g., EDR, XDR) for your needs — whether from your technology stack or sold as part of the offering.
2. Complete coverage: The offering must integrate with all relevant tools, systems, and logs in your IT environment. Data should be retained for long enough to enable trend analysis.
3. Co-managed data: Both the provider and your internal team must have access to all data stored and used for detection and response.
4. Simple pricing that incentivizes full coverage: “Nickel-and-dime” pricing models (e.g., based on data volume or integrations) are a warning sign. A flat price is ideal.
5. Big "R" Response: For most clients, providers must be able to contain and remediate threats directly to prevent harm from ransomware and other destructive attacks.
6. Rapid containment and remediation: Speed is crucial for harm reduction. Look for a provider that can demonstrate a track record of rapid response.
7. Detailed investigation: MDR providers should routinely conduct detailed analyses of incidents (individual and group) to identify learning points and recommend improvements.
8. Transparency: You should have complete visibility of all actions taken on your behalf and their rationale. This enables spot-checking and allows you to conduct additional analyses.
9. Fast onboarding: MDR is often bought in response to a serious incident, but even if that’s not the case, MDR providers should be able to onboard new clients promptly.
10. Recovery capabilities: When the worst happens, your MDR provider should go beyond response to help your organization fully recover and return to normal operations.
11. Value-added services: Hypothesis-driven threat hunting, forensic analysis, BAS, and other consultancy-style services should be available as part of the offering or as additional services.
The MDR Life Cycle as It Should Be
Not all offerings are equal. “MDR” has been used (and misused) to describe a wide range of offerings — many of which aren’t fit for purpose. When choosing a provider, make sure you understand precisely what you’re getting.
To maximize risk reduction, choose an MDR provider that covers the entire life cycle, conducts deeper analyses, and recommends ways to improve your wider security program.
The table below shows the full detection and response life cycle and highlights which steps are covered by different levels of MDR. Coverage follows the definitions earlier in this guide: small "R" providers detect and analyze and hand off response as a ticket, standard MDR adds containment and remediation, and full MDR covers the entire life cycle.

| Step | Example | Small "R" MDR | Standard MDR | Full MDR |
|---|---|---|---|---|
| Detect suspicious activity | Alert received or activity detected via threat hunting | Yes | Yes | Yes |
| Analyze to determine the issue and next steps | Identify ransomware on an endpoint, escalate to incident, and create a ticket | Yes | Yes | Yes |
| Contain threat | Isolate endpoint to prevent spread of infection | | Yes | Yes |
| Remediate threat | Reimage endpoint to remove infection and restore functionality | | Yes | Yes |
| Deeper investigation to identify cause | Review and cross-reference relevant logs | | | Yes |
| Identify learning points | Infection occurred because a user downloaded a Microsoft Office file containing a malicious macro | | | Yes |
| Determine actions to prevent future incidents | Consider turning off macros by default in Office 365 | | | Yes |
| Implement actions | Alert client to the risk posed by malicious macros and suggest changing Office 365 settings | | | Yes |
Identifying Deeper Trends
Detection and response shouldn’t end with per-incident analysis. MDR providers should analyze past incidents to uncover broader trends and identify the highest-value actions to reduce risk.
For instance, a single incident caused by malicious macros may not warrant action. However, if multiple incidents have the same cause over time, turning off macros by default may be a priority.
MXDR: Detection & Response that Fuels Your Security Program
Beazley Security’s MXDR is a complete detection and response solution that covers the entire MDR life cycle. Built around the industry’s most advanced XDR platform, our service helps your organization withstand any cyber threat — and ensures you don’t make the wrong kind of headlines.
In addition to everything recommended in this guide, MXDR provides:
- Continuous Threat Exposure Management (CTEM) to help you understand your entire IT environment and track changes in your attack surface over time.
- Proactive risk management recommendations based on in-depth analysis of both individual incidents and broader trends in incidents and threats.
- Hypothesis-driven threat hunting to uncover evidence of malicious activity, preventing attackers from dwelling in your IT environment or expanding their access.
- Expert recovery support delivered by our crisis management team, which handles over a dozen serious incidents per day, every day of the year.
Designed to Address Common MDR Shortcomings
MXDR was specifically designed to provide a complete detection and response solution while eliminating the most common MDR weaknesses and frustrations.
- Comprehensive Visibility: 24/7 monitoring across the threat landscape (Cloud, Identity, Endpoint, etc.)
- No Nickel & Diming: All integrations at no additional cost
- Data Retention Included: 3 months of data retention included
- In-Depth Multifaceted Investigations: Multifaceted investigations across endpoint, email, and identity data
- MDR Client Portal: Instant visibility into cases, SLOs, advisories, and real-time reporting
We help clients build cyber resilience
Beazley Security is a global cyber security firm committed to helping clients develop true cyber resilience: the ability to withstand and recover from any cyberattack.
We combine decades of cyber security protection, detection, response, and recovery expertise with the actuarial precision and risk mitigation capability of our parent company, Beazley Insurance.
Find out more about our cyber security solutions.
Why implement a Managed Detection and Response (MDR) service?
Cyber security is fundamentally a matter of protection. To guarantee optimal cyber protection, all malicious and dangerous activity would have to be neutralized at its source. Unfortunately, intervening at such an early stage is impossible.
Build your strategy around the 5 pillars of the NIST Cybersecurity Framework (CSF) 2.0: Govern, Identify, Protect, Detect, Respond and Recover. Roughly one cyber incident in two occurs after protective measures have failed.
Threats evolve constantly to bypass security measures, and human error gives attackers opportunities to reach critical systems. In the face of such change, even the best cyber security solutions are not enough on their own to guarantee optimal cyber protection.
That is why SOC services and incident response teams play a central role in cyber security.
Managed Detection and Response (MDR):
- Ensures cyber security continues beyond preventive controls
- Identifies, analyzes, contains and remediates cyber threats
- Limits the damage caused by cyber threats
- Speeds up the resumption of activity after each cyber incident
Lessons learned from detection and incident response must be fed back into the overall security strategy to better prevent similar cyber threats in the future. By following this continuous cycle, organizations become more secure and learn to manage their cyber security resources more effectively.