Most small and medium businesses (SMBs) are not equipped with 24/7 security operations that monitor threats and provide detection and response, leaving their infrastructure exposed to cyberattacks. Firewalls, endpoint security, identity and access management (IAM) and network security dominate their security budgets. These are preventative controls, and security as a whole amounts to just 5% of annual IT spending, according to Gartner.
SMBs face the daunting challenge of affording the technologies needed to secure their applications, infrastructure and networks as software prices rise. Keeping a security operations center (SOC) staffed to monitor threats and provide detection and response during a severe labor shortage is another. Forrester research found that 64% of SMBs running a SOC internally or in a hybrid internal/external model have ten or fewer employees operating it, and 32% run one with five or fewer. In addition, while 81% of SMBs surveyed are monitored by an internal SOC, more than half (57%) of those SOCs do not operate 24 hours a day, seven days a week.
The result is that nearly every SMB is shorthanded when it comes to achieving 24/7 threat detection and response, with many relying on managed detection and response (MDR) service providers to fill the gap. That’s why 53% of SMBs rely on external partners, including MDRs, to close their threat detection and response gaps.
SMBs are under cyberattack
Cyberattacks against SMBs have grown by 150% over the past two years. Forrester Consulting and Pondurance collaborated on the recent study, Attackers Don’t Sleep, But Your Employees Need To. The report found that 69% of SMBs feel they are facing critical and expanding cybersecurity threats this year, with 75% saying cyberattacks have increased over the past three years. As a result, most SMBs see improving detection and response by engaging external security operations providers, including MDRs, as a critical tactic for maturing their cybersecurity programs.
According to the report’s author, Jeff Pollard, vice president and principal analyst at Forrester, the following signs indicate that it is time for an SMB to transition from running its own SOC to having an MDR handle it.
In a recent email interview with VentureBeat, Pollard said that “MDR purchases have external and internal drivers. The main external drivers are, first, cyber insurance requirements. Cyber insurers want 24/7 detection and response in an environment — second [is] customer requirements. A company customer requires 24/7 detection and response services or won’t work with the company, and the third is a compelling event [a breach].”
Pollard explained that there are internal drivers to watch for as well: “consider moving when adding or replacing an existing EDR tool, since most EDR vendors offer MDR service now, and/or when renewing an MSSP contract. Migrating from MSSP to MDR generally brings better outcomes, and MDR clients are happier than legacy MSSP clients ever were.”
Where MDRs close security gaps
Forrester’s study illustrates why SMBs need a solid strategy for reducing the time to detect and respond to incidents, beyond increasing their spending on preventative controls. Firewalls, endpoint security, IAM and network security only partially reduce the risk of a cyberattack; they need to be complemented with detection and response company-wide. Gartner predicts that by 2025, 50% of organizations will use MDR services for threat monitoring, detection and response functions that offer threat containment and mitigation capabilities.
SMBs must also set the goal of reducing the time to detect and respond to incidents on a 24/7 basis. Yet, as the Forrester study shows, most SMBs struggle to find qualified cybersecurity experts to staff an internal SOC. MDRs, by contrast, continually recruit threat analysts with detection and response expertise who can immediately help clients reduce the risk of a cyberattack.
SMBs most value outside security partners that can collaborate closely during incidents (52%) while also filling internal skill gaps (47%). MDRs and security partners’ ability to help round out SMB cybersecurity capabilities not only mitigates risk to the business, but also helps satisfy cyber insurance requirements, according to 42% of respondents.
MDR adoption is increasing across small businesses because service providers are continually fine-tuning their threat containment and response services and combining them with advanced analytics and threat intelligence. Midsize enterprise CIOs and IT leaders are also looking for MDRs with an experienced team that can handle breach and risk detection, digital forensics and incident response. Additionally, 38% of SMBs report that they plan to implement managed detection and response in the next 12 months, which underscores how important it is for MDRs to field an experienced team that provides both security and client support.
What to look for in an MDR provider
The MDR landscape is becoming more competitive, delivering greater value to the SMBs that need the support. Defining detection and response use cases is a practical first step toward identifying which services will be needed from an MDR and whether its tech stack is a good fit with the SMB’s existing IT infrastructure.
MDR providers that can bridge security operations gaps and combine artificial intelligence (AI) and machine learning (ML) with experienced analysts are leading the market today. 24/7 response with automated alerts and experienced monitoring support should be treated as a baseline requirement for any provider under consideration.
Before adopting, SMBs should also evaluate MDRs on how well they can detect the threats that currently bypass their preventative controls. Leading MDR providers can also map their detections to the MITRE ATT&CK framework and show their coverage, which is invaluable for improving detection and response tactics and strategies. A coverage map is only as good as the detections behind it: a technique marked as covered may be detected for only some of its procedures or data sources, so ask to see the underlying detection logic or validate the claim with a purple-team exercise before relying on it.
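One practical way to turn a provider’s ATT&CK coverage claim into a comparable number is to score it against the techniques the SMB itself cares about most, weighted by how much each matters, and to list the tactics left uncovered. The following is an added example written for this article, not code from Forrester, Pondurance or any MDR vendor. The technique-to-tactic table is a hand-copied subset of the public ATT&CK Enterprise matrix; the SMB priority list and the two providers’ claimed detections are constructed inputs, not survey data.

```python
"""Score claimed MDR detection coverage against an SMB's prioritized
MITRE ATT&CK techniques. Added example for this article; all inputs
below are constructed and the two providers are hypothetical."""
from dataclasses import dataclass, field

# Hand-copied subset of ATT&CK Enterprise: technique ID -> (name, tactics).
# For real evaluations, load the full ATT&CK STIX bundle instead of a subset.
ATTACK_SUBSET = {
    "T1566": ("Phishing", {"Initial Access"}),
    "T1078": ("Valid Accounts", {"Initial Access", "Persistence",
                                 "Privilege Escalation", "Defense Evasion"}),
    "T1059": ("Command and Scripting Interpreter", {"Execution"}),
    "T1204": ("User Execution", {"Execution"}),
    "T1053": ("Scheduled Task/Job", {"Execution", "Persistence",
                                     "Privilege Escalation"}),
    "T1003": ("OS Credential Dumping", {"Credential Access"}),
    "T1110": ("Brute Force", {"Credential Access"}),
    "T1021": ("Remote Services", {"Lateral Movement"}),
    "T1047": ("Windows Management Instrumentation", {"Execution"}),
    "T1486": ("Data Encrypted for Impact", {"Impact"}),
}

# Constructed: techniques this SMB prioritizes (e.g. from a ransomware
# threat model of what bypasses its preventative controls), with weights.
SMB_PRIORITIES = {
    "T1566": 3, "T1078": 3, "T1059": 2, "T1204": 2, "T1053": 1,
    "T1003": 3, "T1110": 2, "T1021": 2, "T1047": 1, "T1486": 3,
}

# Constructed: what two hypothetical providers claim to detect.
PROVIDER_CLAIMS = {
    "provider_a": {"T1566", "T1059", "T1204", "T1053", "T1047", "T1486"},
    "provider_b": {"T1566", "T1078", "T1059", "T1003", "T1110", "T1021", "T1486"},
}


@dataclass
class CoverageReport:
    weighted_coverage: float               # percent of weighted priorities claimed
    missing: dict = field(default_factory=dict)      # technique ID -> name
    tactic_gaps: dict = field(default_factory=dict)  # tactic -> [missing IDs]


def score_provider(claimed, priorities=SMB_PRIORITIES, catalog=ATTACK_SUBSET):
    """Weighted share of the SMB's priority techniques the provider claims,
    plus the uncovered techniques grouped by the tactics they enable."""
    unknown = sorted(t for t in claimed if t not in catalog)
    if unknown:
        # Reject typos or made-up IDs rather than silently ignoring them.
        raise ValueError(f"unknown technique IDs in claim: {unknown}")
    total = sum(priorities.values())
    covered = sum(w for t, w in priorities.items() if t in claimed)
    report = CoverageReport(weighted_coverage=round(100 * covered / total, 1))
    for tech in priorities:
        if tech in claimed:
            continue
        name, tactics = catalog[tech]
        report.missing[tech] = name
        for tactic in tactics:
            report.tactic_gaps.setdefault(tactic, []).append(tech)
    return report


def rank_providers(claims, priorities=SMB_PRIORITIES):
    """Return (provider, report) pairs, best weighted coverage first."""
    scored = {p: score_provider(c, priorities) for p, c in claims.items()}
    return sorted(scored.items(), key=lambda kv: -kv[1].weighted_coverage)


if __name__ == "__main__":
    for name, rep in rank_providers(PROVIDER_CLAIMS):
        print(f"{name}: {rep.weighted_coverage}% of weighted priorities claimed")
        for tactic, ids in sorted(rep.tactic_gaps.items()):
            gaps = ", ".join(f"{i} ({rep.missing[i]})" for i in ids)
            print(f"  gap in {tactic}: {gaps}")
```

With the constructed inputs, provider_b scores higher because it covers the credential-access and lateral-movement techniques the SMB weighted heavily, while provider_a leaves gaps in four tactics through the single uncovered technique T1078. The weighting is what makes the comparison useful: a provider that covers many low-priority techniques will score below one that covers the few that matter to this organization, and the tactic-gap listing is the starting point for the purple-team validation mentioned above.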
How response actions are managed, the track record of a provider’s SOC analysts with other clients, and whether they offer digital forensics and incident response both on-site and remotely are also essential factors to keep in mind.
Finally, check how the MDR providers being considered recruit, retain and promote their threat analysts. The labor shortage in cybersecurity is particularly acute, so it is important to know how each MDR manages its business under that constraint.