“The Forrester Wave™: Managed Detection And Response, Q1 2021” is now live — and this is a seriously impressive group of vendors. I want to give a sincere thanks to them all for the effort and work they put into it.
Vendors don’t always agree on things — especially with competitors. But one thing quite a few agreed on is that if they were ever an MSSP (managed security services provider) in a previous life, they don’t want to be called one now. So we decided to paraphrase the late, great comedian George Carlin for the title of this blog, since “MSSP” has become a bit of a dirty word.
But MDR (managed detection and response) isn’t MSSP. We all agree on this point.
MDR vendors emerge from plenty of different backgrounds. That’s a history we’ve covered in our prior research — let’s get to the present. The bar to make it into this Wave evaluation was high. For every dedicated set of practitioners out to find badness in client environments, like the 15 vendors in this Wave, there are opportunists, charlatans, and dilettantes out there focused on transferring money from customers’ accounts payable to the vendor’s accounts receivable. So these vendors deserve kudos, because they are committed to delivering what they promise. Having a collection of vendors that committed to clients made this Wave evaluation a great experience as an analyst.
To even qualify for inclusion in this Wave, vendors had to meet the following criteria:
- Offer MDR since 2017
- Leverage an EDR (endpoint detection and response) tool that participated in a MITRE ATT&CK evaluation
- Support telemetry beyond an EDR tool (XDR, or extended detection and response)
- Provide detailed threat-hunting descriptions
One of the most appalling aspects of the MDR market is how few vendors can explain threat hunting — and at Forrester, we consider it a must-have for any MDR provider. When we say threat hunting, we mean threat hunts performed by humans, with a hypothesis as described by Rob Lee and David Bianco back in 2016. Every vendor evaluated in the Wave stood out with how they were able to articulate their approach to threat hunting.
The Client References
As part of the Wave evaluation, vendors provide client references to Forrester. In this Wave, we surveyed them (more on that data coming in a future infographic). We also connected via phone with a subset of those references. These customer references were savvy, capable practitioners with immense amounts of passion for their craft. They were also passionate about the vendors they partner with. The references work for midsize and enterprise organizations across the globe.
These were by far the best customer reference conversations that Claire O’Malley and I have experienced in a Wave. I always try to keep the conversations to under a half hour, because these folks are busy and they are helping us — immensely — by giving us their time to share their thoughts. On most of these calls, however, we could’ve talked for hours to these practitioners — and I think they would’ve been OK with that.
The Demo Scenarios
Forrester isn’t a technical testing firm. That’s not what we do, and it’s not the audience we write to. We write at the altitude of the chief information security officer, so our focus is how these vendors execute their activities within the security leader’s portfolio of tools. But this is detection and response — and that’s TECHNICAL — so we crafted some demo scenarios. All of the scenarios were based on actual incidents. We didn’t, however, specify exactly what real-world events they came from. It wasn’t hard to figure out, and most of these examples have played out time and again. The Wave kicked off well before SolarWinds and the most recent round of Exchange exploits were discovered, so no, they weren’t part of our scenarios.
- Scenario 1 featured the compromise of a hardware-based VPN appliance.
- Scenario 2 featured web shells planted on an unpatched internet-facing server. In addition, we wanted to see how the vendor handled discussing LOLBins and signed tools.
- Scenario 3 featured an oldie but a goodie: the well-crafted spear-phishing email. It included PowerShell and used cloud storage and email APIs for C2. It also tested whether vendors could detect threat actors’ modifications of common open source toolkits.
As part of the demo, we also asked how the vendors would hunt for these TTPs (tactics, techniques, and procedures), what threat intelligence they had related to these scenarios, and what the lifecycle of detection, investigation, and response would look like from the client perspective.
During the demos, we paid attention to what the vendors focused on, where they dug in, and when they did deep dives. Naturally, all vendors think they are great at detection and response. When walking through detection stories, however, it became apparent that some vendors could identify intrusions at multiple stages, while others depended on catching an intrusion only when attackers executed specific actions. Subtle and nuanced things like that really separate the great vendors from the good ones.
And we will confirm — all 15 participating vendors in this Wave go well past simply being good.