Buyers of cybersecurity are evolving and driving vendors and security services providers to deliver more robust prevention, detection, and rapid response actions in the fight against cyberattacks. As the managed security services (MSS) market evolves to meet customer expectations, managed security service providers (MSSPs), consultancies, and other providers are serving up managed detection and response (MDR) services to meet the demand. IDC recognizes MDR as the third maturity level of MSS, which now encompasses more efficient advanced detection and response capabilities.
Some security leaders are beginning to examine security from a strategic, business, and industry viewpoint — the right direction and context — to understand how they can be proactive and better prepared for attacks. A cybersecurity buyer priority is shortening detection and response times, but organizations also want to elevate their cybersecurity maturity and reduce risk. Many struggle to understand their current state and are unclear how to proceed. MDR providers are stepping up to help organizations solve these challenges.
In IDC’s 2020 MSSP and MDR Survey, organizations were asked about attributes of managed security SPs and MDR providers used during evaluations. Respondents noted the five most important MDR provider attributes: robust data security, superior threat detection and response, breadth of security capabilities, trusted brand, and excellent customer support (see Figure 2).
Q. What five attributes are most important when evaluating a managed security services provider (MSSP) and managed detection and response (MDR) providers?
Additional research and the findings in this IDC MarketScape study lead IDC to believe that the following capabilities align with the attributes most valued by buyers and will drive the MDR market forward while providing vendors with the opportunity to home in on a differentiated proposition:
In addition, cybersecurity buyers believe network traffic analysis, user behavior analytics (UBA), and deception technologies are core to detection and response. These areas represent opportunities for MDR providers to broaden and distinguish their services (see Figure 3).
In this 2021 U.S. IDC MarketScape for MDR services study, IDC explored how MDR providers are evolving their businesses, technologies, and offerings to detect and respond to modern cyberattacks. MDR providers were asked to demonstrate advanced capabilities that provide detection, not only from the endpoint but also from broader sources of telemetry, and deliver rapid, effective response actions.
Q. Which five core advanced detection and response technologies do you consider most important in an MDR offering?
IDC believes MDR is powerful and effective because it integrates technologies and services into a holistic detection and response capability. Optimally, MDR services enable organizations to maintain a consistent level of awareness and protection, along with the flexibility to reprioritize, reassess, and reconfigure their risk as well as detection and response tolerances and activities. Increasingly, security leaders view MDR as a necessity to help mature their cybersecurity programs.
The most complete MDR portfolios include the following capabilities:
The Market Definition section in the Appendix provides a description of what IDC believes is the minimum set of capabilities an MDR provider should offer.
Early versions of MDR were more endpoint focused. They did not ingest and correlate the broad telemetry that can be utilized to shorten time to detect attacks. The development of XDR was in part due to the need for detection and response platforms to have the ability to look at a variety of telemetry beyond the endpoint. Examples include the hybrid cloud data that organizations are increasingly generating, network telemetry, and the various flavors of IoT data such as IoMT and IIoT.
Buyers looking to improve their detection and response capabilities will likely do so whether they purchase an XDR platform or subscribe to an MDR service. Note the difference in language: XDR in its purest form is a platform, managed by the purchasing entity, that offers detection and response capabilities using extended (the "X") telemetry sources.
MDR in its purest form is an elevated managed service that utilizes the same features and functionality that an XDR platform offers. MDR providers either natively have the IP to look at various telemetry or utilize an XDR platform. Additional services are layered on to improve detection and response capabilities, including, but not limited to, 24 x 7 eyes-on-glass monitoring, detection and response services delivered by a third-party managed security SP or MDR provider, human-led and automated threat hunting, and incident response capabilities.
IDC recognizes that the market is fluid, and confusion is inevitable as some XDR providers start to layer additional services onto their XDR platforms, blurring the difference between an XDR platform and an MDR service. Conversely, not every MDR provider has the capability or IP to ingest and correlate the types of telemetry that XDR platforms typically utilize. Potential buyers of a detection and response platform like XDR, or a service like MDR, need to clarify their current capabilities and desired business outcomes before evaluating MDR or XDR providers.
Prior to evaluating MDR providers and making investment decisions, IDC urges security leaders to identify their most valuable assets, determine their needs for continuous monitoring, and identify the levels of protection required for different areas of the business and types of data.
The following information provides context for security leaders to better understand and evaluate MDR capabilities:
In addition, buyers may want to consider cyberinsurance, which is nascent in the MDR market; only a few providers offer it, and they do so through partners.
IDC encourages buyers to evaluate MDR providers based on the outcomes they want to achieve related to day-to-day detection and response and cybersecurity maturity.
FireEye is positioned in the Leaders category in the 2021 IDC MarketScape for U.S. managed detection and response services. The evaluation of FireEye (Mandiant) was done prior to the June 3, 2021, announcement of the separation of the Mandiant offerings from FireEye. Henceforth, this vendor profile refers to the combined company as FireEye/Mandiant and the service offering by the Mandiant name.
FireEye was founded in 2004 and maintains headquarters in Milpitas, California. The company maintains SOCs in Reston, Virginia (global, 24 x 7 x 365); Dublin, Ireland; Singapore; and Sydney, Australia (all operate in the follow-the-sun model).
Mandiant Managed Defense is a managed detection and response service that includes four offerings: Managed Defense Nights and Weekends, Managed Defense for Endpoint Security, Managed Defense for Microsoft Defender for Endpoint, and Managed Defense for Operational Technology. All offerings include some combination of endpoint, network, email, and SIEM technology. The service provides 24 x 7 monitoring, alert disposition, containment, remediation recommendations, threat hunting (customizable by industry), rapid response, and guidance and insights.
Investigation and threat hunting are linked to Mandiant Threat Intelligence through the Mandiant Advantage Platform for added context and transparency. Active attacker–focused investigations can be conducted jointly with customers or on their behalf. Investigation reports and response activities are viewable in the portal.
MDR can be augmented with Mandiant Services, the Mandiant Advantage Platform offering, and Expertise On Demand, which provides access to Mandiant resources, supplemental intelligence, consulting, and training options. The Mandiant Advantage Platform enables customers to integrate their chosen offerings, such as additional threat intelligence, security validation, and automated defense.
Mandiant Managed Defense studies what attackers are doing and uses automation and ML to aggregate the threat intelligence into the Mandiant Intel Grid, which updates customers’ Mandiant Advantage products automatically with actionable threat intelligence. Constant data modeling provides technical indicators that customers can view, through either the Mandiant Advantage Platform or intelligence reports.
Mandiant Managed Defense collects OT and ICS telemetry directly and IoT and IIoT through partners. In addition, it offers Insider Threat Security as a Service.
Customers commented positively on Mandiant Managed Defense’s detection capabilities with integrated threat intelligence, ease of implementation, threat hunting, and dedicated threat consultants. One customer said the 24 x 7 support is “beyond expectations.”
Mandiant Managed Defense does not yet have MDR tiers, but customers can continue to add Mandiant Advantage and Mandiant Services.
According to one customer, Mandiant could be less technical, particularly in the portal, which could focus more on the user experience.
Containment and isolation are not done automatically, and Mandiant has made the decision to have a human in the workflow of containment and/or response actions. In addition, not all of the response actions are fully automated.
Support via live chat is not offered. A customer expressed a lack of clarity about, and dissatisfaction with, the FireEye support process, in particular being routed to a Mandiant consultant who in turn called support, leaving the customer waiting for a callback. Another customer commented that response time varies.
Organizations of all sizes interested in threat intelligence incorporated into all aspects of MDR, bot-supported analysts, and advanced threat hunting guided by the most impactful observed attack groups and techniques should consider FireEye (Mandiant Managed Defense).
Using the IDC MarketScape model, IDC studied 15 vendors that provide MDR in the United States and surveyed providers’ customers that utilize their services. Because MDR is considered a subset of MSS, many MDR providers could be evaluated. The vendors included in the study had to meet certain criteria to qualify for this vendor assessment:
For the purposes of this analysis, IDC divided potential key measures for success into two primary categories: capabilities and strategies.
Positioning on the y-axis reflects the vendor's current capabilities and menu of services and how well aligned the vendor is to customer needs. The capabilities category focuses on the capabilities of the company and product as they exist today. Under this category, IDC analysts look at how well a vendor is building and delivering capabilities that enable it to execute its chosen strategy in the market.
Positioning on the x-axis, or strategies axis, indicates how well the vendor’s future strategy aligns with what customers will require in three to five years. The strategies category focuses on high-level decisions and underlying assumptions about offerings, customer segments, and business and go-to-market plans for the next three to five years.
The size of the individual vendor markers in the IDC MarketScape represents the market share of each individual vendor within the specific market segment being assessed.
IDC MarketScape criteria selection, weightings, and vendor scores represent well-researched IDC judgment about the market and specific vendors. IDC analysts tailor the range of standard characteristics by which vendors are measured through structured discussions, surveys, and interviews with market leaders, participants, and end users. Market weightings are based on user interviews, buyer surveys, and the input of IDC experts in each market. IDC analysts base individual vendor scores, and ultimately vendor positions on the IDC MarketScape, on detailed surveys and interviews with the vendors, publicly available information, and end-user experiences in an effort to provide an accurate and consistent assessment of each vendor’s characteristics, behavior, and capability.
MDR, as a subset of MSS, combines the tools, technologies, procedures, and methodologies used to provide full cybersecurity detection and response capabilities for an organization. Service providers can deploy MDR services utilizing a mixture of customers’ existing capabilities, along with partner-supplied tools or services and private intellectual property. MDR services are typically supplied by a provider’s well-trained cybersecurity staff that works in one or more 24 x 7 x 365 remote SOCs.
Figure 4 depicts the MDR elements of greatest importance to delivering value, impact, and desired outcomes. IDC recognizes the following capabilities as a minimum set of MDR capabilities: