
How MDR Elevates the Role of In-house Security and IT Teams

Security leaders at SMBs — whether CISOs or IT leaders wearing too many hats — dream about security. 

But not good dreams. 

Many are losing sleep about a growing backlog of tasks, making the business vulnerable to incidents and less able to deal with the fallout. 

If you’re in charge of cybersecurity for your company, you know you need to shore up defenses, train teams to avoid scams, create response and business continuity plans, and upgrade hardware. 

But SMB IT and cyber teams rarely have the bandwidth for it all, and your backlog of strategic projects gets longer every day. It’s a vicious cycle: the less time you have for strategic work upfront, the more time you spend fighting fires, which leaves even less time for the strategic work that prevents fires. 

It leaves your organization unprotected and you in a state of permanent dread. And then one day, the nightmare becomes reality: You get the call that your systems are shutting down or your company has experienced a massive data breach. 

We don’t have to preach to the choir. You know this. But how are you supposed to get a really good handle on everything you need to protect your company when daily incidents keep growing and threats keep evolving? 

It’s at this point that many people in charge of security realize they can’t do these things in house, at least not efficiently. Many pick a partner who offers managed detection and response services, or MDR.

We’re going to explain exactly what MDR means and what types of companies it works best for.

MDR in a nutshell

Most people know MDR is like having your own security operations center but at a more manageable cost. It combines technology such as endpoint detection and response (EDR) tooling with round-the-clock experts who monitor it — and respond quickly when threats occur to minimize damage. 

Bonus: You never have to tell anyone on your team they’re working on Thanksgiving. 

A lot of organizations have an EDR and SIEM to monitor attacks, but as these systems grow more sophisticated to cover a growing attack surface, they also produce a lot more alerts. Very few SMBs can actually do anything with all these alerts — it takes time and expertise to know which ones matter. MDR experts not only monitor alerts, they also help on-the-ground teams better understand which alerts are critical and require action. Context is everything, and MDR analysts specialize in context. 


Typical MDR staff have a thorough understanding of what types of alerts are emerging in your landscape, as well as patterns specific to your organization, so they can detect anomalies that machines might not catch. And it’s not just detecting threats — an MDR team is also ready to jump in during the crucial window of time after a threat actor has gained access to your systems but before they’re able to do real damage. 

The difference between MSSP and MDR

While many managed security service providers (MSSPs) offer MDR services, those services are part of a broader offering that may cover several security tools and functions at the same time. MDR, on the other hand, focuses specifically on detection and response, dedicating specialized resources to this critical function. 

MDR services offer: 

  • Round-the-clock experienced analysts 

  • Fast help with incident response — service-level agreements with response times measured in minutes rather than hours 

  • Proactive threat mitigation, not just responses 

  • The ability to manage more pieces of your security stack than just endpoints: think networks, email, cloud, and so on

SMBs tend to choose MDR when:

  1. Security is a big priority for their organization, and they need the best technology and dedicated people to handle it

  2. Their security operations need a boost: another set of eyes and coverage for when internal teams can’t do it

  3. They need to bolster security but don’t have the budget for a security operations center, and MDR is usually more effective and cost-efficient 

But what a lot of cybersecurity teams — or the overworked IT leader who is the de facto CISO — don’t think about is how much value the security function can add to their organization. 


Putting down the little stuff so you can pick up the big stuff

When you can put down the daily work of responding to alerts and immediate problems, you have more time to think long-term and big picture. 

From conducting tabletop exercises to planning for business continuity, security teams can mature their security posture. You can also spend more time training staff to recognize phishing scams and other social engineering tactics. 

Beyond protecting your organization, you can think about how to save money through strategic IT investments and even contribute revenue. Being able to articulate and demonstrate your security measures can help marketing and sales teams seal the deal with security-conscious customers. 

The role of security leaders is shifting 

The pace of cybersecurity change is never going to slow down. With more endpoints and a growing attack surface, the role of the security leader will naturally shift as the old ways stop working. 

The complexity hits a point where ad-hoc security measures just aren’t effective enough, and you need time to rethink how you’re working. 

Our final blog in this series about alert burnout talks about the shifting role of the CISO — or anyone leading security — at small and medium-sized businesses.