MSSP, MDR & the Future of SOAR

In the managed security services market, the well-established Managed Security Service Provider (MSSP) model is facing a challenge from the emerging Managed Detection and Response (MDR) model. While each provider offers its own set of services, there are some general differences between the two models, including in how they relate to incident response.

For the most part, MSSPs handle security alerts for their clients, making them akin to Tier 1 analysts. They monitor tools and triage alerts, but then bring genuine threats to the attention of the client’s team, instead of leading the incident response process.

MDRs are akin to Tier 2 and above analysts. They are more likely to own the incident response process from end to end, along with other advanced offerings, such as threat hunting. As the next generation of security tools improves its correlation capabilities and reduces the number of “dumb” alerts generated, it’s easy to see that the MDR model is where security operations is heading.


How SecOps is Changing

The cybersecurity market is experiencing a revolution. Chasing alerts is no longer enough. EDR vendors have built advanced platforms that can correlate alerts to produce contextual incidents. They combine this technology with ingestion of cloud data, network traffic analysis, and third-party analysis, creating an advanced solution for alert-handling.

Because of technological improvements of this nature, the market is moving away from solutions that address alert fatigue and toward the Tier 2 and above tasks that can’t be automated away by the latest tools. The tasks done by Tier 1 analysts will become less important, and organizations will need skilled incident responders that can perform detection and response based on the data provided by EDR and other advanced tools.

Skilled analysts are hard to come by, especially for small-and-medium-sized businesses. That’s why MDR is likely to continue to grab market share. MDRs can execute the investigations, threat hunting, remediation, and other tasks that will still require human intervention—long after the majority of alert triage has been automated. So it should be no surprise that Gartner estimates 50% of organizations will use MDR services by 2025.


D3 is the MDR of SOAR

The explosive growth of MDR isn’t limited to outsourced services. Companies need to be able to perform incident response, threat hunting, and forensics tasks, whether they are done internally or outsourced to an MDR. This is why we think D3 is to other SOAR platforms as MDRs are to MSSPs. While most SOAR platforms are focused on alert-handling and basic automation, D3 has the workflows to support Tier 2 and above activities.

As companies make the shift to MDR, D3 can support in three ways:

  1. Providing MDR-style functionality to internal SOC teams
  2. Enabling MSSPs to match MDR offerings
  3. Powering MDRs


MDR Functions for In-House Security Teams

As we said before, some companies will choose to keep their security operations entirely in-house, including capabilities that would otherwise be performed by MDRs. This will be especially attainable for larger companies. D3 can support these companies in several ways.

One way is through our advanced playbooks that support complex use cases. Simply put, many of our competitors require several playbooks to accomplish what D3 can in one. For example, when a phishing email is sent to dozens or even hundreds of employees, this would create hundreds of events in many SOAR tools. However, D3 is able to find all the related emails and group them into a single investigation.

Similar to how an EDR tool might correlate three endpoint events and combine them into one enriched alert—where a legacy endpoint protection tool would just generate three alerts—D3 can execute a single playbook where our competitors might need four or five. This is because D3 can embed multiple nested playbooks that handle different branches of the investigation—such as searching firewall logs for network activity related to a phishing attack—while keeping the results in the same master playbook.

D3 playbooks also support advanced workflows with features like looping, parallel tasks, and dynamic contextual fields that can integrate user inputs mid-playbook.


Powering MSSPs with D3 SOAR

MSSPs are facing a growing challenge from MDRs. The expectations of their clients are likely to evolve and MSSPs will need to keep up or lose market share. MSSPs can enable more advanced services with D3’s advanced capabilities, such as the playbook features described in the previous section. D3 is also the leading independent SOAR vendor, meaning we can integrate equally well with any client’s tools.

To see an example of how D3 can impact MSSPs, check out our recent FinTech Case Study. The client had been working with an MSSP, but was getting very little out of the investment because the MSSP couldn’t handle most alerts without asking for input from the client’s security operations team. Once both the client and the MSSP were using D3 SOAR, the effectiveness of the MSSP went through the roof because D3 gave them the contextual information and codified best practices needed to handle most alerts.

It’s easy to see how this type of MSSP-client relationship could be scaled up to include full investigations conducted by the MSSP using D3, with remediation tasks executed across the client’s environment via D3’s integrations.


Supporting MDRs

D3 can also help MDRs improve their services, and not just through the obvious value-adds of automation and orchestration. D3’s status as an independent vendor is even more important to MDRs, who need a way to quickly and easily connect to their clients’ tools to investigate and respond to incidents. D3 streamlines these connections through hundreds of out-of-the-box integrations and a universal REST agent. Users can simply fill out a form with the tools they use and D3 will automatically incorporate those integrations into playbooks.

For small-and-medium-sized businesses in particular, one of the things they rely on managed providers for most is securing their cloud environments. So far, MDRs are probably weakest in this area. With integrations with O365, CASB, many AWS and Azure services, and much more, D3 is able to support MDRs in improving their cloud threat detection and response capabilities.


Learn More About the Future of SOAR

To see D3 in action and learn about our major upcoming release, schedule a demo today. Or to learn more about what makes D3 a leader in the SOAR industry, read the recent Leadership Compass for SOAR Solutions by KuppingerCole.

Walker Banerd

Walker is D3 Security's Director of Content Marketing. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.