Fasten Your Seat Belts: Managed Threat Detection Services Demand is About to Take Off

by Paula Musich, Research Director, Security and Risk Management


Although still in its infancy, the market for managed threat detection (MDR) and response services is drawing tremendous interest. Not to be confused with managed security services, outsourced MDR services provide advanced threat detection and response as well as threat hunting by skilled experts. Such services include remediation of detected threats and, more often than not, employ the use of sophisticated forensics technology.

As an increasing number of well-organized and well-resourced threat actors find their way past existing defenses, more IT security practitioners have come to realize that despite their best efforts to defend their organizations’ digital assets, the more accomplished attackers will most certainly find a way in. A common refrain among IT security professionals is that, “we know our networks are dirty, but we don’t know where to focus.”

In response to this dilemma, endpoint detection and response (EDR) vendors and now network detection and response vendors (NDR) created more sophisticated forensics tools designed to provide better visibility into the attackers’ tactics and techniques as they move along the steps in the Lockheed Martin cyber kill chain, looking for credentials to exploit and sensitive assets to steal. These tools are tremendously helpful in tracking down undetected threats in the right organizations and in the right hands, but that’s the rub. IT security operations teams that don’t have the right people, processes, and tools in place struggle to achieve the value the more sophisticated forensics technologies bring to the fight. Achieving the necessary security operations maturity is even more difficult in the face of a stubborn and widening gap in IT security expertise, along with a rapidly expanding threat surface through the broad adoption of cloud computing, IoT, and digital transformation initiatives.

Enter MDR providers

A rapidly expanding pool of MDR providers, whether pure-play startups, managed security service providers (MSSPs) adding MDR services to their portfolio, or EDR/NDR providers adding services on top of their products, is working to bridge the divide by offloading threat hunting and remediation activities from overburdened and understaffed security teams—and it’s none too soon. An EMA research project conducted earlier this year looked at MDR usage and interest. We found that among IT executives and contributor respondents whose organizations were not already using an MDR service, there was overwhelming interest in it. Ninety-four percent of those said their organizations were either currently evaluating (46%), considering adopting (33%), or planning to evaluate an MDR service in the next 12 to 18 months (15%). In comparing interest across enterprises (defined as having 5,000 or more employees), small-to-medium-sized enterprises (1,000 to 4,999 employees), and midmarket organizations (500 to 999 employees), 67% of midmarket organizations are further along the adoption curve in currently evaluating MDR services, followed by 43% of SMEs and 39% of enterprises.

Timelines for adoption of MDR services also varied by vertical industry. For example, while 58% of respondents representing healthcare organizations said they were currently evaluating MDR services, only 38% of those representing retail said the same thing.

The research report, titled “Managed Detection and Response: Selective Outsourcing for Understaffed SOCs and the Platforms That Enable MDR Services” also revealed that the top reason respondents gave for this high level of interest is that in-house security personnel are overwhelmed with the number of security layers or tools they had to manage, with 41% of respondents indicating that motivation. Another 34% of respondents indicated their organizations wanted to free up their in-house security experts to focus on more proactive security activities.

What MDR providers do and how well they do it

In looking at organizations already using an MDR service, at 67%, a solid majority use such services to augment, rather than replace, their existing in-house security practitioners. The activities MDR security experts carry out for their clients range from threat hunting and validation to alert triage, threat remediation, and reporting. Of course, large enterprises typically sign up for a broader range of services. Beyond table stakes basics, such as threat hunting and validation, 75% of large enterprises also have their MDR providers perform vulnerability hunting and remediation, risk reporting, and threat remediation.

Clients of MDR providers report success in detecting attacks that have gotten past existing defenses. Out of 12 major categories of attack types, the largest percentage of those clients said their MDR providers uncovered SQL injection attacks, command and control activity, and business email compromise/phishing attacks at 12%, 12%, and 11%. Clients also give their providers high marks for the services they receive, especially the availability of the MDR provider’s professionals, the level of expertise available to them, and the level of context provided to them in threat reports.

The small size of today’s market for MDR services belies the level of interest that exists in it. Given the level of satisfaction expressed by existing users of such services, it is likely to see a fast ramp up in demand over the next few year, as long as providers can scale their operations and maintain the level of service they provide to customers today.

Get highlights from this new research

I will be hosting a research webinar on Wednesday, July 29, revealing some of the findings from this new research. I hope you can attend.