How to Determine the Best Managed Cybersecurity Model for You

In today's environment — rife with threats ranging from phishing scams to data breaches and serious ransomware attacks — organizations have the unenviable task of trying to protect themselves against a plethora of online threats and doing so in the most efficient and cost-effective manner possible.

Two popular options for managed cybersecurity include the managed security service provider, or MSSP, model, and the managed detection and response, or MDR, model. I've had the benefit of working on both models within the government and commercial sectors, which has allowed me to see what works and what doesn't — and most importantly, why.

What's the Difference Between MSSP and MDR?
I often refer to MSSPs as providing a bespoke service. Typically, in the MSSP model, the provider uses the tools a customer has to provide a service. The solution tends to be independent of what the provider preferences are and is very tailored to a customer’s existing tools and infrastructure. (I examine more in depth about various ways a MSSP arrangement can be tailored in my previous post, "Optimizing Your Managed Security Services Provider.") MSSPs are traditionally less hands-on when it comes to dealing with an incident. They monitor alerts and forward them to the customer's security team to resolve or are handled through a retainer.

With the MDR model, the customer sends its data to the provider's curated stack. The alerts the customer then receives are based on what the provider's stack delivers. There's less customization than with the MSSP model because customers will leverage the provider's stack.

MDR providers typically use a centrally managed, multitenant platform for service delivery. But there's also no need to "rip and replace" what customers have in-house because they're effectively outsourcing their threat detection and response to an external provider. MDR providers also perform a good portion of the incident response process to include deeper investigations and validation of an attack, as well as taking actions to disrupt or contain the threat.

Which Option Is Right for Me?
Companies or organizations with complex systems might need a customized MSSP service. If an organization is heavily regulated and doesn't want data leaving the building, such as an organization that routinely handles sensitive information — including law firms or certain government agencies and contractors — then it might need the bespoke aspects of MSSP. For whatever reason, if a company has a strong need to rely on its own tools and equipment but doesn't have the staff available, it might need an MSSP. Just expect to pay more for that level of service.

MDR is a more streamlined solution, at least from the provider perspective. From a customer perspective, it's also typically the more cost-effective solution. Companies that are experiencing a shortage of cyber talent, have gaps or problems with existing tools, or are focused only on using a particular set of data versus another could benefit from the MDR model.

Problems with tools might include a lack of expertise, which translates into a security team being overwhelmed by the number of alerts that it can't prioritize, a shortage of skilled analysts to properly use those tools, or a lack of automation leveraging AI/ML to identify true threats to their environment and allow analysts to focus on the most important ones. To be effective, the provider needs to ensure that analysts have visibility into systems that are on the customer's premises as well as in the cloud.

The efficiencies of using a provider's stack aren’t just cost-related. With the MDR model, the provider can normalize data across customer sets, so it tends to have better visibility into finding a threat that's hitting one customer and then immediately apply a rule to all customers. Ultimately, the provider can more quickly and efficiently detect and respond for all of those customers. That common rule benefit isn't something that is found in a more bespoke MSSP arrangement. Further, companies also don't have to worry about tuning alerts in an MDR arrangement because they're relying on the provider's tools and expertise.

While the customer will have less direct control of the tools detecting and managing response to threats, the provider's use of a curated tech stack coupled with threat intelligence, advanced analytics, and threat validation lead to better security outcomes for an organization.

Steps for Evaluating MDR and MSSP Options
Step 1: Determine requirements and the services wanted.

As mentioned, if a company requires broader support (such as device management), has certain data residency restrictions, or doesn't have a robust staff and in-place tools, that would lead toward one type of service versus another.

Step 2: Pick the right model.

Does an organization already have certain tools (for example, EDR) and want to keep them, or does it need a full technology stack? Does it have a security team and just need some augmentation, or is it looking for a provider to perform end-to-end investigations and remediation actions? Providers can run the spectrum of the level of service they offer, so make sure that it matches what the company needs.

Step 3: Pick the service needed.

Using an MDR to fill skills and technology gaps or a MSSP to provide skilled analysts who can leverage a great technology stack are two methods organizations can explore for the best security outcome.

At Raytheon Intelligence & Space, we have a 30-question scoping questionnaire to understand what customers are seeking. Learn more about Raytheon Intelligence & Space's full range of MSSP services.

About the Author: Dylan Owen, Associate Director for Cyber Services, Raytheon Intelligence & Space

Dylan Owen has almost 20 years of cybersecurity experience. As Associate Director for Cyber Services, Dylan provides Managed Detection and Response to government and commercial customers. Previously, Dylan supported the National Geospatial-Intelligence Agency, including managing its insider-threat monitoring program and CERT