What We Can Learn From the 2023 Gartner® Market Guide for MDR Services

As one of the fastest growing areas of cybersecurity, Managed Detection and Response (MDR) has become a critical part of many organizations’ efforts to become more cyber resilient. The benefits of MDR are many, including helping organizations augment their internal security teams with real-time threat monitoring, detection, investigation via trained cybersecurity staff to monitor 24x7, and threat intelligence and threat hunting and more.

Selecting an MDR provider, however, can be a challenge, as it’s a crowded market with hundreds of vendors to choose from. To help cut through the noise when selecting an MDR provider, one tool a buyer should leverage is the Gartner Market Guide for Managed Detection and Response (MDR). This important report is full of key insights that help organizations become better and more informed buyers when selecting an MDR provider.

Not only does Gartner offer insights on how the market is moving, but it also provides information on what successful MDR services look like, what a buyer should expect from MDR services, the questions to ask, and how to avoid common pitfalls.

We’ve collected some of the most important points from the Market Guide report and offered insights from Bitdefender Senior Director of Product Management, Managed Detection and Response, David Shen.

What buyers can expect (and what success looks like)

One of the most important elements a buyer should know when considering MDR services is knowing what outcomes to look for to ensure effective cybersecurity and resiliency.

From Gartner: “Buyers should not expect distinct or specific customization that would be available in more consultancy-led services as part of the core MDR service, as this may possibly be offered as an add-on or adjacent service capability.”

Bitdefender Take: “For purposes of scalability, efficiency and repeatability, most MDR services are indeed designed to not provide distinct or specific customization. However, there are ways that successful MDR service providers can still deliver business-centric capabilities with respect to detection, investigations and response. For example, Bitdefender MDR utilizes a comprehensive onboarding process that captures detailed information about not only the customer’s infrastructure but also key business attributes like industry vertical, locations, etc. By doing so, Bitdefender can tailor threat hunts, threat intelligence, and threat models to the specific customer – thereby providing customization within the context of a standard service without additional consultant or professional services fees.”

How companies can avoid buyer’s remorse

As is often the case in the cybersecurity industry, there is a lot of marketing noise to parse through. The same is true with MDR services so it’s important to have clear expectations and know how to avoid MDR services that might look good on paper but may not actually deliver the services required from an MDR vendor.

From Gartner: “Buyers have faced challenges with service naming and marketing language that has often overpromised and under delivered. Core service capabilities and components should broadly be the same for all providers in this market. However, some providers describe and offer their services as MDR, when they are not delivered as a buyer might expect or in alignment with how MDR is described in this guide.”

Bitdefender Take: “Cybersecurity is an alphabet soup of thousands of point solutions and hundreds of MDR vendors, which is the result of non-standard service and performance definitions. Given the spectrum of MDR providers, it is important to evaluate the underlying technology (e.g., EDR/XDR) but equally important to evaluate and trust the humans delivering the service itself. For example, Bitdefender MDR analysts are selected among the most experienced and certified cyber experts, many with military and government cybersecurity backgrounds. Someone sending you an email/ticket about an alert is not MDR. Someone who analyzed a detection, investigated, and stopped it before an incident is MDR.”

From Gartner: “There is no mandated technology type choice, nor set of telemetry that is required to deliver an MDR service. However, for most engagements, a breadth of experience with endpoint-, network-, cloud SaaS- and application-driven detection platforms and telemetry is preferable for most. Extensions into Internet of Things (IoT) and cyber-physical security (CPS) systems or operational technology (OT) are available, but rarely called out separately from core IT security requirements; organizations recognize that cyberthreats are cyberthreats, no matter the system they reside in.”

Bitdefender Take: “While the underlying technologies and breadth of EDR/XDR continue to expand, and with it the coverage of MDR service, the reality is that many companies have yet to embrace EDR, much less XDR, and even less so extensions in OT/IoT, except perhaps for the largest, most complex enterprises. Bitdefender MDR is focused on delivering superior MDR service on top of EDR/XDR, where new and transitioning customers have the greatest need, while also understanding market movements to extensions.”

Why it’s important for MDR to adapt to modern threats (but can’t be the sole decision maker when it comes to remediation)

From our point of view, MDR services should be available to alleviate the burden an organization’s IT and cybersecurity teams face on a daily basis. If a solution requires more time and management than they’re saving, they’re likely not the right MDR solution for you. However, as Gartner explains, there is a balance to be had and buyers should set their expectations accordingly.

From Gartner: “Organizations that depend on MDR services for the bulk of their security operations functions have reported that they are highly likely to reject MDR providers that cannot take mitigative response actions against threats on their behalf.”

“When buyers are uncomfortable with the providers directly performing the actions, they want easy mechanisms to approve or initiate any threat disruption or containment actions themselves. The full response to a threat is not typically something performed by MDR providers. However, security and risk management leaders should be demanding threat disruption and containment from their service providers. Remediation activities should be a logical set of well-established follow-on internal processes that are put into action once MDR providers have disrupted or contained threats. Remediation must be internal because it is difficult for an MDR provider to carry out full response activities and know, categorically, that it won’t impact legitimate business functions unnecessarily. As an additional service, some MDR providers that offer incident response retainers may also assist with the recovery phase, this is not the same as the mitigative response included in MDR.”

Bitdefender Take: “Proactive response actions are a must-have in any MDR service. However, successful MDR service providers understand that proactive actions can also have business impacts and need to allow for exceptions. Bitdefender MDR provides a comprehensive list of pre-approved actions (PAAs) that encompass endpoints, network, cloud, and applications – allowing analysts to rapidly mitigate and contain possible incidents. Given their specific risk profiles, customers are given the option to turn off specific PAAs. Moreover, customers can document exceptions to existing PAAs that require written/verbal confirmation before actions are taken. As such, customers can have the precise amount of proactive response they need.”

How buyers can ready themselves for MDR

From Gartner: “As MDR services are “consumable,” buyers must develop and operate their own internal incident response policies and procedures, to ensure that full value of the MDR service can be obtained. Relevant, internal business understanding is critical for the “right” response to a discovered threat. Some MDR providers are positioned to help their customers develop policies and processes if they don’t exist or require updating. Internal departments, such as HR and legal, may need to be involved as may incident response service providers.”

MDR services are flexible enough that they can come in and appropriately work with an organization whether they have a robust cybersecurity team or a small IT team with minimal cybersecurity knowledge and resources. We believe this Market Guide report is a great start on knowing how to look for MDR services, but organizations should also take the time to assess their internal capabilities to know what they need from an MDR provider.

By mobilizing their organization and coming in with the right questions, expectations, and understanding, they’ll make a better decision when it comes to choosing an MDR provider while also ensuring they’re maximizing the use of that MDR.

To learn more about Bitdefender’s MDR services, check out Bitdefender Managed Detection and Response - Inquire and Demo.

Gartner, Market Guide for Managed Detection and Response Services, Pete Shoard, Al Price, Mitchell Schneider, Craig Lawson, Andrew Davies, 14 February 2023. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.