MDR = RMR for Integrators

June 14, 2021
Managed Detection and Response presents an emerging business opportunity for security integrators
This article originally appeared in the June 2021 issue of Security Business magazine. When sharing, don’t forget to mention Security Business magazine on LinkedIn and @SecBusinessMag on Twitter.

As our world has advanced to a digital one, and so has the modern-day cybercriminal. While physical intrusions have not gone away, they are making way for cyberattacks targeting every size and kind of business imaginable.

They say history repeats itself, and I believe we have seen something like this before. Roll back to 1857 when Edwin Holmes began manufacturing the first burglar alarm system in Boston. Within a short period of time, Holmes’ business idea grew fast, and his alarm systems could be found in thousands of homes. By 1877, he saw the next big opportunity and expanded his offering to include alarm monitoring services by establishing the first central monitoring station based in New York.

Traditional burglar alarm monitoring has come a long way since the 1800s, and it would be rare today to find a commercial building without a basic intrusion alarm system installed. Over the years, criminal tactics became more sophisticated and therefore the technology deployed to protect facilities did as well. Today, many central monitoring stations not only provide burglar alarm monitoring, but also remote video monitoring, managed access control and concierge services – to name a few.

Last year alone it is estimated that cybercrime cost billions in losses, and news coverage of another successful cyber-attack is almost a daily occurrence. In the same way that monitoring services have advanced in the cat-and-mouse game played by criminals in physical intrusions, a new fight against cybercrime, incidents and breaches is underway.

Cyber Vulnerabilities and Attack Vectors

Protecting computers and networks with anti-virus and firewalls alone is akin to only installing a deadbolt and burglar alarm system with door sensors at a building. Cybercriminals have found numerous ways to infiltrate computer systems, networks and compromise accounts – quite often working around traditional protection with success. That is why we hear about so many incidents.

Cybercriminals today use a growing number of approaches, with seemingly endless options to succeed with their attempts to break in and breach systems. Some of the more regularly used methods include:

Phishing attacks: More than 90% of cyberattacks start with a phishing email sent to email users who get duped into visiting malicious websites or opening dangerous files. Sometimes adversaries use impersonation attacks that look like they are coming from company leaders, other times it comes in the way of spoofed correspondence from what appears to be a trusted vendor. These impersonations may look like they are coming from the company’s leader or key partner asking, for example, an employee to provide sensitive information, to wire money to a fraudulent customer account, pay an invoice, or make digital purchases on a company card.

Password attacks: System users continue to use weak passwords, or duplicate passwords on systems (a.k.a. password recycling), which has led criminals to use passwords as a key approach for their crimes. When you hear about a breach, you will often hear that cybercriminals stole account information including usernames and passwords. Today, there is a criminal market for trading and selling these passwords, which many call the Dark Web. With passwords in hand and often a lack of users enabling multi-factor authentication on their accounts, cybercriminals enter email and finance systems with ease, giving them a pivot point for further attacks and fraudulent activities.

Preying on vulnerabilities: Security weaknesses in software continue to enable adversaries to conduct attacks successfully. Once a security vulnerability is discovered in software, the manufacturer or software developer may release an update or patch to the software that addresses the known vulnerability; however, this introduces a bit of a catch-22. Of course, it is imperative the software get fixed, but at the same time from that moment of releasing the updates publicly – assuming the adversary has not discovered it prior (known as a zero-day) – cybercriminals work to reverse engineer the update and identify the weakness. Once identified, it is simply a game of time as cybercriminals work to find unpatched systems to compromise, while users aim to update systems if aware and often time taking too much time in doing so.

Disabling and bypassing protection: Cybercriminals work diligently to try to bypass protection systems installed on targeted infrastructure, and many test their malware and phishing emails against the top variety of anti-malware and email protection systems on the market. Recent cyber breaches have reported attackers using these tactics to identify and attempt to disable some of these common protection technologies. With the blocking and tackling disabled or bypassed, targets will need further detection methods to identify the attack to avoid a significant incident.

The Role of the Security Operations Center (SOC)

Since cybersecurity attacks can come in such a large array of style and approach, most large and enterprise organizations have built Security Operations Centers (SOC) with 24/7 monitoring staff and solutions in place to defend against these attacks. The enterprise SOC conducts many activities, including testing, monitoring, threat hunting, containment and response using people, process and technology.

One of the important roles of the SOC is to monitor and detect malicious activity. In most cases, Security Information and Event Management systems (SIEM) are deployed that aggregate signals from all IT resources, including computers, servers, firewalls and cloud applications. These systems are often coupled with threat intelligence feeds and artificial intelligence to assist in detecting suspicious activity.

There is a major human component required to its operation and success, where teams of cybersecurity experts are on staff to conduct ongoing threat hunting and analysis. These security analysts – or threat hunters – sift through signals and alerts looking for anomalous and malicious activity across systems, some of which may have gotten through the blocking and tackling of deployed baseline protection. If an alert is deemed to require escalation, the team works to investigate whether it is a positive threat or a false alert. If positive, incident response will be activated as required.

Many enterprise SOCs today are experiencing serious alert fatigue, as these arrive in massive numbers. Recent research stated that small enterprise organizations may navigate tens of thousands of events per day, and large enterprises perhaps in the millions.

Managed Detection & Response: Where SMB Meets SOC

Unfortunately, for small to midsize organizations, building an internal SOC is usually well out of reach. The cost of software, threat intelligence, integrations, ongoing maintenance and cybersecurity experts to operate even a small 24/7 center is well in excess of $1 million per year. Simply put, it is not affordable for a smaller organization to do it on their own; and with an estimated shortage of cybersecurity experts in the millions, a risky endeavor to invest in at that.

The hope for organizations without cybersecurity experts on staff or internal Security Operation Centers is to pay for similar protection by outsourcing to cybersecurity providers. Outsourced SOC services are often dubbed Managed Detection and Response (MDR), a solution that enables a company to employ a 24/7 SOC at a fraction of the cost of building it themselves.

MDR provides an organization the ability to have the same level of technology, monitoring, alerting and human investigation with a relatively affordable monthly payment. Some MDR providers will contact customers when activity is deemed malicious and valid, enabling the customer’s IT professionals to remediate themselves; others provide enhanced services including containment and incident response to analyze and solve every incident.

MDR providers may offer customers visibility into the monitoring activity through reports of activity, behavior escalations, and incidents coupled with a regular cadence of customer success meetings and reviews. By deploying MDR, an organization without security experts can quickly and efficiently add a suite of ongoing cybersecurity monitoring and response that is both robust and cost-effective.

The Opportunity for Security Integrators  

Security integrators are beginning to realize that the convergence between IT security and physical security that is happening presents a massive business opportunity. In developing a cybersecurity offering for an organization, integrators can choose to buy, build or partner with a reputable cybersecurity and/or MDR firm, with most integrators choosing the latter.

By partnering, an integrator can use the provider’s cybersecurity experience not only to establish a robust cybersecurity offering in short time, but also to learn how to market, sell and support a customer appropriately while leveraging the partner’s in-house expertise and clout.

Coupling other cybersecurity solutions such as scanning, testing, policy development and employee training with MDR can provide a comprehensive offering in the marketplace and may enable an integrator to separate themselves from the competition while generating significant recurring revenue.

The fact is, in most cases, security integrators have a seat at the table with IT decision makers who do not have cybersecurity experts in-house and who are looking for someone they can trust who can provide an ongoing cybersecurity solution they can count on.

Just like Edwin Holmes revolutionized burglar alarm monitoring with his visionary ideas, new concepts around MDR are quickly advancing and growing. It will not be long before most organizations will have some form of SOC protecting their digital assets, just like a central monitoring station does for their physical ones.

Rob Simopoulos ([email protected]) is the Co-Founder of Defendify, an all-in-one cybersecurity platform designed to help streamline how organizations without dedicated security teams can build comprehensive cybersecurity policies, plans, education, scanning, breach detection and more. Visit for details. 

About the Author

Rob Simopoulos

Rob Simopoulos is the Co-Founder of Defendify, the all-in-one cybersecurity platform that makes cybersecurity possible for Small Business. In his 20+ years in the security industry, he has received awards and recognition from many trusted industry experts and publications. Email him at [email protected].