Johannesburg, 31 Aug 2023
Advanced managed detection and response (MDR) overcomes challenges and vulnerabilities associated with traditional managed security service provider (MSSP) and DIY approaches. This is driving a shift in the way MSSPs go to market and making an MDR platform built for scale the choice of security-conscious enterprises.
This is according to Jason Oehley, Regional Manager at Arctic Wolf South Africa, who says: “When Arctic Wolf launched in EMEA two years ago, a lot of partners simply resold the solution. However, we now see a shift in the market, with MSSPs starting to wrap their own offerings – such as maintenance and penetration testing – around our MDR service to strengthen their portfolio and overcome challenges. It’s a more efficient way to offer full security management, managed detection and response and security operations, balancing resources, tools and people effectively.”
Andre den Hond, Senior Systems Engineer at Arctic Wolf South Africa, notes there are distinct differences between advanced MDR and traditional MSSP models. In a fast-evolving risk environment, traditional DIY and MSSP models are proving costly, complex and incomplete, he says.
“In a DIY approach, a customer might try to manage all security tools, including a security information and event management (SIEM) solution, on-premises in their own environment. This brings with it a lot of complexities and requires a lot of resources. In-house security operations must also manage a range of additional tools, such as endpoint detection and response (EDR), case management systems, network anomaly detection tools, security orchestration, automation and response (SOAR), and they must create their own runbooks and playbooks,” he says. “It’s all very complicated, expensive and time-consuming. It can easily take six months to a year to build your own security operations capabilities in-house, even if you can recruit the necessary expertise to run it. This is why we see organisations tending to offload the challenge to MSSPs.”
Den Hond says many managed security service providers are looking to enter the MDR space as customer demand soars. “Traditional MSSPs have to contend with a variety of tools, grapple with managing a stream of data from threat intelligence feeds, and they must also source and retain scarce security skills to offer a comprehensive service.”
“One major difference between MDR and MSSPs is that the MSSP’s main focus is on managing existing security tools on behalf of customers, generally with less time spent on continuous threat detection and response. A key challenge is they typically rely on SIEM to collect logs from multiple security tools, analyse the log data for suspicious events and help customers put all this log data in one place for compliance. SIEM tools are resource- and capital-intensive – and they need a lot of oversight and tuning,” he explains.
“Because SIEM tools are typically deployed in a single tenanted model, traditional security providers don’t get global visibility of data across all customers, so they don’t benefit from what we call the ‘network effect’. In addition, SIEM pricing can be unpredictable, as it is based on the amount of data that is analysed over a period. Since the amount of data is always increasing, so will the cost. To cut costs, some customers might opt to exclude certain telemetry data, which results in blind spots.
“Traditional security providers often lack incident response and forensics capabilities, and generally cannot do threat hunting as well as an MDR provider can. And because traditional security providers don’t have a common delivery model for customers, they cannot be sure they are offering comparable service levels."
In contrast, a purpose-built MDR platform for security operations at scale overcomes complexity and improves security, with the added advantage of a common delivery model, comparable service and predictable pricing, he says.
Den Hond notes the Arctic Wolf MDR service continuously improves the customer’s security posture, offers a skilled, dedicated concierge security operations team and benefits not only from commercial sources of threat intelligence, but builds its own intelligence into the service offering through the Arctic Wolf Labs division, allowing the business to inoculate all customers from detected threats.
“Importantly, our purpose-built platform has a lot of API integrations into endpoint solutions and public cloud services such as Azure, AWS and Google to monitor e-mail and collaboration tools and protect against risks like business e-mail compromise and data exfiltration. Because of these APIs, the MDR provider can easily perform remote containment and remediation,” he explains.
He highlights a number of Arctic Wolf differentiators: “A named security team works with customers as trusted security advisers, who are also responsible for a security hardening process. Our hybrid approach leverages AI and human security expertise for faster detection and better results. We also focus heavily on eliminating false positives. Another strength is predictable pricing based on the number of employees, servers and network sensors, with unlimited data.”
Den Hond says continuous improvement is important in proactive security. “Security is only as good as your ability to constantly improve your security posture. You can’t just focus on threat detection and containment; you need to assess risk, identify vulnerabilities and provide ongoing guidance on how to improve. The Arctic Wolf security journey designed by our security experts is a structured, tailored approach to ongoing security posture improvement.”