Response Services
Published: 11 June 2018 ID: G00334680
Analyst(s): Toby Bussa, Kelly Kavanagh, Sid Deshpande, Craig Lawson, Pete Shoard
Key Findings
■ MDR services are filling the need of organizations of all sizes that lack internal security
resources and expertise, and want to expand their investments beyond preventative security
technologies to address their detection, response and 24/7 monitoring gaps.
■ Managed EDR is one of the most visible offerings within the market, available from MDR
providers, MSSPs and the EDR technology vendors leveraging their own solutions.
■ Response capabilities are evolving toward faster reactions once a threat is detected. The ability
to disrupt and contain threats is becoming a standard offering. However, incident response
retainers are still needed when an incident reaches a threshold that requires significant support.
■ Many MSSPs are adding MDR-type services to their portfolios to compete against MDR service
providers. This trend will continue over the next 12 months.
Recommendations
IT security and risk management leaders responsible for security monitoring and operations:
■ Use MDR services to add threat detection, lightweight incident response, and 24/7 monitoring
capabilities when they don't exist or are immature within an organization. Incident response
retainers will still be required when significant support for large incidents and recovery is
required.
■ Use MDR services offering a turnkey technology approach so that your organization can focus
on the outcomes delivered by a provider.
■ Scrutinize how providers deliver services to ensure the technology stack fits well with existing
security technology investments and the entire IT environment, from on-premises to cloud.
■ Embrace threat disruption and containment as an incident response feature of MDR service
providers, particularly where you do not have 24/7 operations to respond to threats that require
immediate attention.
Market Definition
This document was revised on 11 July and 11 June 2018. The document you are viewing is the
corrected version. For more information, see the Corrections page on gartner.com.
Managed detection and response (MDR) providers deliver 24/7 threat monitoring, detection and
lightweight response services to customers leveraging a combination of technologies deployed at
the host and network layers, advanced analytics, threat intelligence, and human expertise in
incident investigation and response. MDR providers undertake incident validation, and can offer
remote response services, such as threat containment, and support in bringing a customer's
environment back to some form of "known good."
Market Description
MDR providers deliver services for buyers looking to implement or improve their threat detection,
response and continuous-monitoring capabilities. Many MDR providers' services leverage
technologies at the host and network layers that generate and collect security event and contextual
data that support both the detection of threats and incident investigation (such as forensic data).
Additionally, there is a focus on threat analytic detection techniques, threat intelligence and incident
response activities, all of which can be expensive, difficult to obtain and hard to sustain for many
organizations (midsize enterprises [MSEs] as well as larger enterprises). For large-enterprise-oriented
MDR providers, the focus may be on leveraging the customer's existing technologies. However, this
is only possible if the enterprise can provide the necessary data, context and functionality to
detect, investigate and respond to threats, and if the provider can augment security expertise and
cover gaps in the customer's security technologies.
MDR services are characterized by the following attributes, many of which are distinct from
managed security services providers (see Figure 1 and Note 2):
■ A focus on threat detection, geared toward attacks that have bypassed existing security
controls. Use cases such as vendor-agnostic security technology management and compliance
monitoring and reporting are not a focus of MDR services and are rarely addressed.
Market Direction
MDR Is a Dynamic Market
The MDR market is growing, as Gartner observes continued interest in the market. Approximately
25% of all inquiries in 2017 related to acquiring security event monitoring services were specifically
about MDR. The market today is characterized by acquisitions by firms looking to enter the MDR
market, and general dynamism as new ideas and approaches are introduced by providers. MSSPs
are reacting to customer demand and the MDR provider competition by adding or expanding
managed EDR and threat-hunting-as-a-service offerings. However, some claim to have MDR
offerings with minimal evidence to support those claims.
Key observations of the market's dynamism over the last 12 months include:
■ Demand from midsize enterprises has been particularly strong, as MDR services are viewed as
a better fit than procuring security event monitoring services from an MSSP. Buyers' lack of
investment in threat detection technologies, processes and people continues to drive demand.
Gartner clients with little to no investments in threat detection and response technologies report
that outsourcing security event monitoring to an MSSP has led to unmet expectations and
negative experiences. Clients often question why they have little to show for the money spent.
Threat disruption and containment capabilities are very appealing to midsize and smaller enterprises,
as they lack 24/7 operations to respond when threats are detected outside of business hours. MSEs
indicate a greater acceptance of containment actions where and when threats represent business-level
impact. Larger enterprises that have 24/7 IT operations and a security operations team to handle
response activities currently tend to be less interested in containment being done by the provider.
However, they are interested in having the technical capability to initiate the containment
themselves, such as through a button in a portal that triggers containment through an EDR agent.
Disruption and containment of threats can take various forms, and MDR providers are trying
different options. There is no one winning approach, although isolation of a host via an EDR tool and
blocking traffic on a firewall appear more frequently. Example methods include:
Adoption of the term "MDR" by MSSPs should be met with healthy skepticism by buyers, as
Gartner has observed increasing use of the term in the last 12 months. In some situations, the use
of the term is legitimately warranted. In other cases, there is little evidence that a service is really
aligned to the characteristics defined in this note. Those exploring MSSPs for these services should
assess the MSSPs' technology stacks (or supported technologies) and the availability of threat-hunting skill sets.
Market Analysis
Since Gartner defined MDR services in 2016, the number of providers claiming to be MDR has
increased dramatically. A survey of the Representative Providers section shows the breadth of
providers available across different regions and home markets. North America has a large
population of providers, followed by Europe, in particular the Nordics region. Asia/Pacific and the
rest of the world have few regional providers visible in the market today.
■ It is a dynamic market, with new providers entering and trying to differentiate themselves
against existing providers, which in turn are adjusting their branding and offerings.
■ Acquisitions are occurring as firms without MDR offerings seek to enter the market (for
example, Booz Allen Hamilton acquiring Morphick and ADT acquiring DATASHIELD).
■ MDR is seeing investments from venture capital and private equity, indicating support of MDR
as a growth market (see Note 3).
■ Endpoint protection platform (EPP) and EDR vendors are increasingly adding services to
provide 24/7 threat detection (either in real time or via threat-hunting capabilities) to address
customer demand.
■ MSSPs actively attempt to compete in the MDR space, as evidenced by the new offerings
being added, as well as by the maturation of more established offerings.
■ Proactive capabilities are starting to enter the picture for some MDR providers that support
MSEs and are looking to extend their services to help address other "security hygiene" gaps
(such as vulnerability management).
Over the next 12 months, Gartner expects to see MDR providers continue to segment their offerings
to these distinct buyers. MDR providers focused on MSE and less mature organizations will drive
packaged offerings that include the necessary technology backed by the provider's experts and
processes. Larger enterprises and more mature enterprises will look to adopt MDR services when
there are options available that allow the provider to address the specific situation of each customer.
One example is the ability to leverage existing security technology investment where appropriate (if
the enterprise has already invested in EDR or network forensic technologies, whether it's for a short
duration as the enterprise gains experience with the solution, or as a long-term relationship). The
provider can then segment its offerings to fill gaps in the customer's threat detection and response
capabilities (such as using managed EDR only).
The Technology Stacks Employed by the MDR Providers Are Starting to Mature, but Still Have Gaps
The following characteristics of the technology stacks employed by MDR providers are being
observed in the market:
■ EDR agents have become the common technology employed for MDR — especially those
offering containment capabilities. Most providers are aligned with a single EDR vendor, but we
increasingly see MDR providers support two to three vendors. A number of EDR vendors are
using their own proprietary technology. However, these are a work in progress for several
vendors, and many don't yet support the response capabilities required to contain a threat (see
"Market Guide for Endpoint Detection and Response Solutions").
■ Network-monitoring capabilities using on-premises deployed sensors (physical or virtual) are
being extended to include other vectors, such as DNS traffic and NetFlow data.
■ Email monitoring is available from a few providers, but it is appearing on more providers'
roadmaps to shift threat detection capabilities earlier in the attack life cycle — for example, to
the delivery phase — rather than focusing solely on the command and control (C2) phase (see
"Addressing the Cyber Kill Chain").
■ Deception technologies are offered by a few providers to address such challenges as
accelerating service implementation and concerns about deploying EDR agents onto endpoints.
■ Technologies to monitor industrial control systems (ICS), supervisory control and data
acquisition (SCADA) and other operational technology (OT) environments are available in the
market, and offerings are increasing based on MDR provider roadmaps. Europe, in particular,
has several examples of providers with OT security monitoring offerings.
The ability to collect large volumes of data also helps the MDR providers' incident investigation and
response activities. Investment in log and data capture and analysis capabilities enables MDR
providers to invest in smaller teams of experienced analysts focused on incident investigation and
response. It also allows many providers to perform automated and manual threat hunting through
their customers' logs and data, looking for IOCs.
A few MDR providers take the approach of leveraging commercial security information and event
management (SIEM) solutions for security analytics and threat detection that are deployed on the
customer's premises. Most MDR providers rely on a central, multitenant platform for analysis. This
does not necessarily imply that a lack of advanced analytics and machine learning is an impediment
to doing more precise threat detection (especially as many commercial SIEM solutions have
advanced analytic capabilities). However, buyers should ask potential providers what tools and
methods they employ, and how they differentiate their services from those of their competitors.
Representative Vendors
The vendors listed in this Market Guide are not an exhaustive list. This section is intended to
provide more understanding of the market and its offerings.
Market Introduction
The MDR market has a variety of service providers around the globe. Representative providers
listed in this section are referenced by the region where their corporate headquarters are located.
However, many have a strong presence in multiple regions, ranging from a sales presence through
to having regional headquarters and in-region SOCs. Buyers interested in specific providers should
confirm their geographic presence in the buyer's region, especially as Gartner has witnessed many
providers expanding, or planning to expand, their footprint outside of their home regions.
Booz Allen Hamilton (McLean, Virginia): Booz Allen Managed Threat Service
Kudelski Security (Cheseaux-sur-Lausanne, Switzerland, and Phoenix, Arizona): Kudelski Security Managed Endpoint Detection and Response Service and Managed Attacker Deception
Market Recommendations
■ Organizations that have not yet invested, or are underinvested, in detection and response
technologies and internal capabilities should consider MDR services. MSE buyers should look
for providers with comprehensive technology stacks, while larger enterprises should look for
providers that have flexible technology options.
Deployment time scales
  MDR: Simple deployment and setup; service delivery usually in days or weeks.
  MSSP: Complex deployment; significant infrastructure changes and setup required; service delivery usually within months.
Security event log and context sources
  MDR: Proprietary technology stack provided by the provider and deployed at the customer's premises, which is included in the service price.
  MSSP: Event-source-agnostic. Data sent to the provider is determined by the customer.
Remote device management
  MDR: Only for their own technology stacks.
  MSSP: Yes. Vendor-agnostic for most common security controls — e.g., firewalls, intrusion detection systems (IDSs), intrusion prevention systems (IPSs) or web gateways — or tools deployed with MDR-type services.
Interface to service
  MDR: Rely on more direct communication (voice, email) to analysts, rather than portals.
  MSSP: Portal and email act as the primary interface, with secondary access to analysts provided via chat functions and phone.
Incident response support
  MDR: Lightweight, remote incident response support typically included in basic services. On-site incident response provided by retainer.
  MSSP: Both remote and on-site provided by a separate retainer.
Incident containment
  MDR: Provided using the provided technology stack or customer-owned technologies, leveraging scripts and APIs to programmatically make changes.
  MSSP: When remote, full management of security controls is managed for a customer and MDR-type services are offered — e.g., managed endpoint detection and response (EDR).
■ A reported investment of over $100 million in eSentire by Warburg Pincus was announced in
August 2017. See eSentire, "eSentire Announces Growth Equity Investment From Warburg
Pincus" and Fortune, "Term Sheet, Monday, August 21."
■ Arctic Wolf Networks raised an additional $16 million of funding in January 2018, increasing
their investment to over $43 million. See Business Wire, "Arctic Wolf Secures $16M in New
© 2018 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This
publication may not be reproduced or distributed in any form without Gartner's prior written permission. It consists of the opinions of
Gartner's research organization, which should not be construed as statements of fact. While the information contained in this publication
has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of
such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice
and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner Usage Policy.
Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research
organization without input or influence from any third party. For further information, see "Guiding Principles on Independence and
Objectivity."