Why XDR must include MDR

Technology alone isn't enough; organizations need help with security operations.

puzzle pieces / network / connections / component parts of a whole / microservices
Thomas Vogel / Matjaz Slanic / Getty Images

In my last blog post, I described how the market for eXtended Detection and Response (XDR) is evolving and how CISOs should approach this new and promising technology. It was good and useful information, if I do say so myself, but it didn't directly address the question why security professionals should care about XDR in the first place.

The answer: Because XDR has the potential to accelerate threat detection/response while streamlining security operations. 

I’ve been writing about security operations and analytics platform architecture (SOAPA) since 2016.  From its inception, SOAPA was designed as an interoperable security operations technology architecture, using APIs, messaging buses, vendor co-development, and custom coding as a means for integration.  The vision for XDR is that it will deliver an out-of-the-box SOAPA.  Large enterprise organizations will still operate other specialized security operations technologies like threat intelligence platforms (TIPs) and security orchestration, automation, and response (SOAR) platforms, but XDR will integrate with these systems while acting as a central hub for security operations.

Can XDR tilt the playing field?

In theory, XDR can deliver good security operations progress, but it may not be enough to give an advantage to cyber-defenders.  One reason is that security operations are increasingly complex, driven by a growing attack surface, massive security data growth, and a dangerous threat landscape.  XDR vendors get this, but they are fighting an uphill battle against complexity.  Making rocket science easier could help accelerate space exploration, but it’s still rocket science and requires rocket scientists. 

Then there’s the global cybersecurity skills shortage.  According to research from ESG and the Information Systems Security Association, 70% of cybersecurity pros say that their organization has been impacted by the cybersecurity skills shortage, leading to an increasing workload on cybersecurity staff.  Additionally, 29% of organizations claim that their biggest cybersecurity skills shortage is in security analysis and investigations.  XDR or not, we still need skilled professionals for threat detection and response, and there just aren’t enough of these men and women to go around. 

The case for MDR

These pervasive issues are driving increasing use of MDR services at organizations large and small.  For example, recent ESG research finds that 35% of organizations are already using MDR services, 38% are actively engaged in a project to adopt MDR services, 15% plan on adopting MDR services, and 6% are interested in adopting MDR services in the future.  Some are outsourcing threat detection and response to a third party, some need after-hours support for their 5 days per week/8 hours per day SOCs, and some want an expert looking over the shoulders of the SOC staff to help them with complex tasks like forensic investigations and threat hunting.  The key here is that MDR services provide advanced skills as 52% of organizations believe that MDR service providers can accomplish threat detection and response tasks better than they can.

The research data on MDR services leads me to the following conclusions:

  1. XDR must include MDR. XDR technology alone is not enough;  XDR vendors must have their own services or need to partner with MSSPs that can add expertise and value to their offerings.  Vendors like CrowdStrike, FireEye, Secureworks, and Trend Micro that offer an integrated portfolio of XDR and MDR services are in the best position.
  2. Pure play MDR vendors will be the biggest XDR competitors. If I pay someone to mow my lawn, I really don’t care what type of mower they use.  Rather, I care about the outcome—a manicured lawn on a weekly basis.  Similarly, CISOs buy security technologies like XDR as a means to an end—in this case, better cyber-threat detection and response.  As organizations increase their reliance on services, MDR vendors may be successful in elbowing out XDR technology in favor of their own homegrown technology + services solutions.  If they can deliver continuously improving threat detection and response results, who cares how they do it?
  3. MDR vendors will differentiate themselves based on specialties. Since all MDR vendors perform the same basic services, leaders will excel in niche security operations areas like threat intelligence, incident response, or support for IoT and OT.  Others will build expertise in vertical industries to focus on threats to health care clinical systems, autonomous vehicles, or online commerce applications (likely combined with anti-fraud services).
  4. Competition for security operations talent escalates. This would likely happen anyway, but the onset of XDR and growing MDR demand will exacerbate the cybersecurity skills shortage and salary inflation. 

XDR vendors truly believe that this technology could be a game changer for security operations.  Hmm, maybe but XDR success still seems to be based on human expertise making XDR dependent upon and vulnerable to MDR.  Based upon the ESG research, the best services rather than the best security technology widget, will ultimately win. 

Copyright © 2021 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline