Managed Detection & Response: 4 Key Terms to Know

I recently watched a trailer for a reality show where they follow Dutch couples having a baby, including parts of the delivery and the interaction with the doctors. During this particular trailer, one of the doctors used the Dutch translation of the phrase: “we’ll use this balloon, and it will exert traction.” I’ll spare you the details of where the balloon went; the thing that stood out to me was that the word used is “tractie” in Dutch. The word itself is almost never used in my native language, except apparently by doctors and perhaps race car mechanics. This made me wonder why a doctor, talking to people in an already stressful situation, would use words like “traction” instead of just saying the inflated balloon will push (or pull) a bit.

The doctor used words that she learned in medical school and during her training. Doctors do that often, and cyber security experts are just the same. How are the doctor’s patients supposed to understand what she’s talking about? Sure, they can guess what “traction” means in this context, just as people probably have an idea of what an MSSP does. But how does an MSSP differ from an MDR service provider? 

In this article, I will explain some of these abbreviations, acronyms, and terms within cyber security that are important to understand but that no one ever seems to explain. 

Managed Security Service Provider, or MSSP.

MSSPs originated as a service provider that could make sense of the vast amount of emerging security service suppliers and their generated alerts.

Using the services of an MSSP was the first step in getting help as a business in the cyber security landscape.

Managed Detection and Response, or MDR.

An MDR service provider distinguishes itself by improving the efficiency and effectiveness of a business’s security team. The service solution sets up services that detect attacks and has experts on hand to perform analysis for the company.

MDR cuts down on the number of false-positive alerts communicated to the company. It gives the context of the attack to the security team and offers advice to the security team on how to contain or remediate the attack.

MDR utilizes a number of cyber security services based on constraints and the scope of what needs to be protected. The constraints and the scope are based on the risk appetite and risk profile of the business and resource constraints such as budget.

At the heart of MDR is the Security Operations Center (SOC).

Automated systems primarily do the detection using use-cases provided by frameworks and technology. Alerts flow into the SOC from connected services and are investigated by analysts.

Analysts enrich detection and subsequent investigation with intelligence and advice.

Further advice on how to mitigate the attack and which precautions to take to prevent further and future damage is offered. If things are especially troublesome, businesses need their MDR service providers to provide a response option that involves forensic investigation or emergency readiness teams.