Managed detection and response (MDR) is a cybersecurity service that provides organizations with a team of experts who monitor their endpoints, networks and cloud environments and respond to cyberthreats 24/7. The team uses a combination of expertise, processes and technology to reduce risk, stop attacks and improve the effectiveness of the organization's security operations center.
The level of remediation may differ depending on the vendor, service tier or customer needs.
MDR services are delivered remotely, often on a predefined technology stack. The MDR provider collects relevant logs, data and other telemetry from the customer environment and then analyzes this telemetry using analytics, threat intelligence, automation and human expertise to deliver continuous monitoring, high-fidelity threat detection, containment and investigation. Additionally, proactive threat hunting is carried out to detect new types of threats and multistage attacks.
MDR benefits include:
Managed security service providers (MSSPs) typically focus on alerting, security management and monitoring, leaving response actions to the customer. MSSP services are mostly focused on more passive activities and are designed to be highly automated, including interactions with customers typically via a portal.
MDR includes both reactive (continuous monitoring) and proactive activities, such as proactive threat hunting that is done in real time by a team of human experts. MDR provides alert and indicators of compromise (IoC) triage, and includes alert response, investigation and remediation.
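To make the telemetry-analysis and IoC-triage steps described above concrete, here is an added example (not code from the page or from any vendor's product) that matches constructed endpoint, network, DNS and identity events against a small constructed IoC feed, scores each host, and boosts hosts whose hits span more than one telemetry source, since correlated hits across sources are the kind of multistage activity a hunting team prioritizes. The feed values, severity weights, event fields and action thresholds are all hypothetical.

```python
from dataclasses import dataclass

# Constructed IoC feed (hypothetical values, not from any real threat-intel source).
IOC_FEED = {
    "ip": {"198.51.100.23": "c2-beacon", "203.0.113.77": "scanner"},
    "sha256": {"0f" * 32: "known-dropper"},
    "domain": {"update-check.example": "phishing-kit"},
}

# Hypothetical base severity per IoC label (0-100).
SEVERITY = {"c2-beacon": 80, "known-dropper": 70, "phishing-kit": 50, "scanner": 30}

# Which event field is looked up in which IoC category.
FIELD_TO_IOC = (("sha256", "sha256"), ("dst_ip", "ip"), ("src_ip", "ip"), ("query", "domain"))

# Constructed telemetry from several sources, as an MDR provider would collect it.
TELEMETRY = [
    {"source": "endpoint", "host": "ws-17", "sha256": "0f" * 32, "process": "svc.exe"},
    {"source": "network", "host": "ws-17", "dst_ip": "198.51.100.23", "dst_port": 443},
    {"source": "identity", "user": "alice", "event": "login", "src_ip": "10.0.0.5"},
    {"source": "network", "host": "db-01", "dst_ip": "203.0.113.77", "dst_port": 22},
    {"source": "dns", "host": "ws-04", "query": "update-check.example"},
]


@dataclass
class Hit:
    host: str
    source: str
    ioc_type: str
    value: str
    label: str
    score: int


def match_event(event: dict) -> list[Hit]:
    """Return one Hit per IoC the event matches; an event with no hits yields []."""
    host = event.get("host") or event.get("user") or "unknown"
    hits = []
    for field_name, ioc_type in FIELD_TO_IOC:
        value = event.get(field_name)
        if value is None:
            continue
        label = IOC_FEED[ioc_type].get(value.lower())
        if label:
            hits.append(Hit(host, event["source"], ioc_type, value, label, SEVERITY[label]))
    return hits


def recommended_action(score: int) -> str:
    """Map a triage score to a response tier (hypothetical thresholds)."""
    if score >= 80:
        return "isolate host and open investigation"
    if score >= 50:
        return "investigate within SLA"
    return "monitor"


def triage(events: list[dict]) -> list[dict]:
    """Group IoC hits per host and build a priority queue.

    The host score is the highest single-hit severity; hosts with hits from
    more than one telemetry source receive a correlation bonus because
    matches across sources are more likely to be a multistage attack than
    a lone false positive.
    """
    per_host: dict[str, list[Hit]] = {}
    for event in events:
        for hit in match_event(event):
            per_host.setdefault(hit.host, []).append(hit)

    queue = []
    for host, hits in per_host.items():
        sources = sorted({h.source for h in hits})
        score = max(h.score for h in hits)
        if len(sources) > 1:
            score = min(100, score + 15)  # correlated across sources
        queue.append({
            "host": host,
            "score": score,
            "sources": sources,
            "labels": sorted({h.label for h in hits}),
            "action": recommended_action(score),
        })
    return sorted(queue, key=lambda q: q["score"], reverse=True)


if __name__ == "__main__":
    for item in triage(TELEMETRY):
        print(f"{item['host']:6} score={item['score']:3} {item['labels']} -> {item['action']}")
```

Run as a script it prints the queue with ws-17 at the top: its dropper hash on the endpoint plus a beacon to a known C2 address on the network are two independent sources agreeing, so it outranks a single phishing-domain lookup or a scanner contact. The identity login from 10.0.0.5 matches nothing and is not queued, which is the point of IoC triage: analysts see correlated, scored hits rather than every raw event.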
Many EDR/XDR vendors provide MDR services built on their own technology and offer customers a full solution of both product and service from a single vendor. Additionally, these vendors have a deep understanding of their own technology and its latest capabilities and best practices. Alternatively, MSSPs with MDR services typically offer customers a broader array of managed services covering a wide range of multivendor technologies as well as additional specialized services, industry niches and regional language capabilities.
Combining requirements from industry analysts with customer expectations, Palo Alto Networks has identified a list of criteria for fully developed MDR. An MDR service provider must be able to:
EDR (endpoint detection and response) refers to solutions that record endpoint-level behaviors via installed agents or sensors and use data analytics to detect suspicious or anomalous activity and block it.
XDR is extended detection and response that gathers data from any source (endpoint, cloud, network, identity and others) for comprehensive visibility and to stop known and unknown threats on more than just the endpoint.
MDR is a managed service that is layered on top of an EDR or XDR solution to provide 24/7 monitoring, detection and response, including expertise, threat hunting, remediation and prioritization of alerts.
The Unit 42 MDR service is an MDR service for Cortex XDR, delivered by the Palo Alto Networks Unit 42 team. Palo Alto Networks' world-renowned Unit 42 experts work for you to detect and respond to cyberattacks 24/7, allowing your team to scale fast and focus on what matters most. We use Cortex XDR so our analysts have unmatched visibility into all data sources (endpoint, network, cloud, identity, etc.) to quickly identify and stop the malicious activity most likely to impact your organization.