Program Vice President, Security Services
Program Director, Security Services
IDC MarketScape vendor categories:
Leaders: Alert Logic, Arctic Wolf (featured vendor), CrowdStrike, eSentire, Expel, FireEye, Rapid7, SecureWorks
Major Players: AT&T, Deepwatch, GoSecure, Netsurion, Red Canary, Verizon
Participants: Sophos
Buyers of cybersecurity are evolving and driving vendors and security services providers to deliver more robust prevention, detection, and rapid response actions in the fight against cyberattacks. As the managed security services (MSS) market evolves to meet customer expectations, managed security service providers (MSSPs), consultancies, and other providers are serving up managed detection and response (MDR) services to meet the demand. IDC recognizes MDR as the third maturity level of MSS, which now encompasses more efficient advanced detection and response capabilities.
Some security leaders are beginning to examine security from a strategic, business, and industry viewpoint — the right direction and context — to understand how they can be proactive and better prepared for attacks. A cybersecurity buyer priority is shortening detection and response times, but organizations also want to elevate their cybersecurity maturity and reduce risk. Many struggle to understand their current state and are unclear how to proceed. MDR providers are stepping up to help organizations solve these challenges.
In IDC’s 2020 MSSP and MDR Survey, organizations were asked about attributes of managed security SPs and MDR providers used during evaluations. Respondents noted the five most important MDR provider attributes: robust data security, superior threat detection and response, breadth of security capabilities, trusted brand, and excellent customer support (see Figure 2).
Figure 2 survey question: What five attributes are most important when evaluating a managed security services provider (MSSP) and managed detection and response (MDR) providers?
Additional research and the findings in this IDC MarketScape study lead IDC to believe that the following capabilities align with the attributes most valued by buyers and will drive the MDR market forward while providing vendors with the opportunity to home in on a differentiated proposition:
In addition, cybersecurity buyers believe network traffic analysis, user behavior analytics (UBA), and deception technologies are core to detection and response. These areas represent opportunities for MDR providers to broaden and distinguish their services (see Figure 3).
In this 2021 U.S. IDC MarketScape for MDR services study, IDC explored how MDR providers are evolving their businesses, technologies, and offerings to detect and respond to modern cyberattacks. MDR providers were asked to demonstrate advanced capabilities that provide detection, not only from the endpoint but also from broader sources of telemetry, and deliver rapid, effective response actions.
Figure 3 survey question: Which five core advanced detection and response technologies do you consider most important in an MDR offering?
IDC believes MDR is powerful and effective because it integrates technologies and services into a holistic detection and response capability. Optimally, MDR services enable organizations to maintain a consistent level of awareness and protection, along with the flexibility to reprioritize, reassess, and reconfigure their risk as well as detection and response tolerances and activities. Increasingly, security leaders view MDR as a necessity to help mature their cybersecurity programs.
The most complete MDR portfolios include the following capabilities:
The Market Definition section in the Appendix provides a description of what IDC believes is the minimum set of capabilities an MDR provider should offer.
Early versions of MDR were more endpoint focused. They did not ingest and correlate the broad telemetry that can be utilized to shorten time to detect attacks. The development of XDR was in part due to the need for detection and response platforms to have the ability to look at a variety of telemetry beyond the endpoint. Examples include the hybrid cloud data that organizations are increasingly generating, network telemetry, and the various flavors of IoT data such as IoMT and IIoT.
Buyers looking to improve their detection and response capabilities will likely see an improvement in these capabilities if they purchase an XDR platform or subscribe to an MDR service. Note the difference in language: XDR in its purest form is a platform that offers detection and response capabilities utilizing e(X)tended telemetry sources that is managed by the purchasing entity.
MDR in its purest form is an elevated managed service that utilizes the same features and functionality that an XDR platform offers. MDR providers either natively have the IP to look at various telemetry or utilize an XDR platform. Additional services, such as — but not limited to — 24 x 7 eyes-on-glass monitoring, detection and response services by a third-party managed security SP or MDR provider, human-led and automated threat hunting, and incident response capabilities, are added to improve detection and response capabilities.
IDC recognizes that the market is fluid, and confusion is inevitable as some XDR providers start to layer additional services onto their XDR platforms, blurring the difference between an XDR platform and an MDR service. Conversely, not every MDR provider has the capability or IP to ingest and correlate the types of telemetry that XDR platforms typically utilize. Potential buyers of a detection and response platform like XDR, or a service like MDR, need to clarify their current capabilities and desired business outcomes before evaluating MDR or XDR providers.
Prior to evaluating MDR providers and making investment decisions, IDC urges security leaders to identify their most valuable assets, determine their needs for continuous monitoring, and identify the levels of protection required for different areas of the business and types of data.
The following information provides context for security leaders to better understand and evaluate MDR capabilities:
In addition, buyers may want to consider cyberinsurance, which is nascent in the MDR market, and only a few providers offer it through partners.
IDC encourages buyers to evaluate MDR providers based on the outcomes they want to achieve related to day-to-day detection and response and cybersecurity maturity.
Arctic Wolf is positioned in the Leaders category in the 2021 IDC MarketScape for U.S. managed detection and response services.
Arctic Wolf Networks, which was founded in 2012 and initially offered SOC as a service, is headquartered in Eden Prairie, Minnesota. The company’s stated mission is to end cyber-risk by helping its customers switch their thinking from a tools focus to an operational mindset. This switches the paradigm to focus on the business outcomes that an MDR service can enable.
Three priorities support the switch: optimize existing technology stacks and send them to the cloud, focus on a complete security operations framework that covers attack types and attack surfaces, and build resilience with expert guidance and 24 x 7 protection (storage, enrichment, correlation, analysis, and investigation) and implementation of tactics and strategies. Arctic Wolf owns security outcomes that align with identify, protect, detect, respond, and recover.
The company aims to provide simple, easy, personalized consumption that hides complexity and doesn’t require a rip-and-replace approach. To this end, a concierge engagement model defines roles and responsibilities for Arctic Wolf and customers in areas such as activation, deployment, customization, service delivery, ad hoc requests, and scheduled interactions.
The cloud-native Arctic Wolf Platform supports solutions including MDR, managed risk, managed cloud monitoring, and managed security awareness. Telemetry ingestion, detection, investigation, and ticketing are automated through the platform, which leverages a combination of the Arctic Wolf Platform with the customers’ technology stacks to provide visibility across endpoint, network, cloud, identity, and users. A dedicated triage team investigates alerts, and the team provides tactical support and guidance to customers and the concierge team during security events.
Arctic Wolf has well-developed road maps in areas of managed service, managed detection, and managed response. The breadth of visibility is excellent, and the company expects to invest in orchestration and automation and to develop an enhanced MDR tier and offerings for specific customer segments.
The four current United States–based SOCs will be supplemented in the near future with SOCs in Germany, APAC, and North America, expanding Arctic Wolf’s capability to address customers in these geographies, both with the Arctic Wolf Platform and with its triage and concierge teams. Having a team that is closer to the customer is a benefit, as the company does not send an incident to a customer until it has been looked at by a human during what Arctic Wolf calls “the last human mile of triage.”
The concierge team, which provides unlimited support, works with each customer to build and execute a security journey aligned with organizational goals and objectives. A customer commented that the level of service is “off the charts.”
The customer portal, which is designed with operational staff in mind, offers interactivity in areas such as configurations, endpoint health, and gaps in monitoring but not in-depth investigative capabilities. In addition, customers aren’t able to create, update, or close tickets or edit or customize reports themselves, although they can request any number of reports.
Threat hunting is not continuous; however, Arctic Wolf intends to add staff to this function. And while the company aspires to provide response “across everything,” a few areas, including identity and access management (IAM), do not yet have a response beyond alerting.
A customer noted that the company’s rapid growth has resulted in growing pains in areas such as new service deployments and quality assurance.
SMB and midmarket companies — generally without SIEM systems — that prefer a concierge approach, a robust sales/support structure, and the advantages of SaaS consumption should consider engaging Arctic Wolf.
Using the IDC MarketScape model, IDC studied 15 vendors that provide MDR in the United States and surveyed providers’ customers that utilize their services. Because MDR is considered a subset of MSS, many MDR providers could be evaluated. The vendors included in the study had to meet certain criteria to qualify for this vendor assessment:
For the purposes of this analysis, IDC divided potential key measures for success into two primary categories: capabilities and strategies.
Positioning on the y-axis reflects the vendor’s current capabilities and menu of services and how well aligned the vendor is to customer needs. The capabilities category focuses on the capabilities of the company and product today, here and now. Under this category, IDC analysts will look at how well a vendor is building/delivering capabilities that enable it to execute its chosen strategy in the market.
Positioning on the x-axis, or strategies axis, indicates how well the vendor’s future strategy aligns with what customers will require in three to five years. The strategies category focuses on high-level decisions and underlying assumptions about offerings, customer segments, and business and go-to-market plans for the next three to five years.
The size of the individual vendor markers in the IDC MarketScape represents the market share of each individual vendor within the specific market segment being assessed.
IDC MarketScape criteria selection, weightings, and vendor scores represent well-researched IDC judgment about the market and specific vendors. IDC analysts tailor the range of standard characteristics by which vendors are measured through structured discussions, surveys, and interviews with market leaders, participants, and end users. Market weightings are based on user interviews, buyer surveys, and the input of IDC experts in each market. IDC analysts base individual vendor scores, and ultimately vendor positions on the IDC MarketScape, on detailed surveys and interviews with the vendors, publicly available information, and end-user experiences in an effort to provide an accurate and consistent assessment of each vendor’s characteristics, behavior, and capability.
MDR, as a subset of MSS, combines the tools, technologies, procedures, and methodologies used to provide full cybersecurity detection and response capabilities for an organization. Service providers can deploy MDR services utilizing a mixture of customers’ existing capabilities, along with partner-supplied tools or services and private intellectual property. MDR services are typically supplied by a provider’s well-trained cybersecurity staff that works in one or more 24 x 7 x 365 remote SOCs.
Figure 4 depicts the MDR elements of greatest importance to delivering value, impact, and desired outcomes. IDC recognizes the following capabilities as a minimum set of MDR capabilities: