Why Managed Detection and Response (MDR) adoption is growing among small businesses



Most small and medium-sized businesses (SMBs) do not have 24/7 security operations to monitor for threats and provide detection and response, which leaves their infrastructure exposed to cyberattacks. Firewalls, endpoint security, identity and access management (IAM) and network security dominate their security budgets and deliver preventive protection, and that entire security budget amounts to just 5% of annual IT spending, according to Gartner.

SMBs face the formidable challenge of affording the technologies needed to secure their applications, infrastructure and networks as software prices rise. Keeping a security operations center (SOC) staffed so it can monitor threats and provide detection and response is another matter, given a severe labor shortage. Forrester research found that 64% of SMBs running a SOC internally or in a hybrid internal/external model have ten or fewer employees running it, and 32% have five or fewer. In addition, while 81% of the SMBs surveyed are monitored by an internal SOC, more than half (57%) of those SOCs do not operate 24 hours a day, seven days a week.

The result is that almost every SMB is understaffed for 24/7 threat detection and response, and many rely on managed detection and response (MDR) service providers to fill the gap: 53% of SMBs rely on external partners, including MDRs, to close their threat detection and response gaps.

SMBs are under attack by cybercriminals

Cyberattacks against SMBs have grown by 150% over the past two years. Forrester Consulting and Pondurance collaborated on the recent study, Attackers don’t sleep, but your employees do. The report found that 69% of SMBs feel they face critical and growing cybersecurity threats this year, with 75% saying the number of cyberattacks has increased over the past three years. As a result, most SMBs see improving detection and response by working with third-party security providers, including MDRs, as a critical tactic for maturing their cybersecurity programs.

According to report author Jeff Pollard, vice president and principal analyst at Forrester, the signs that it is time for an SMB to move from running its own SOC to having an MDR handle detection and response include the following.

In a recent email interview with VentureBeat, Pollard said that “MDR purchases have external and internal drivers. The main external drivers are cyber insurance requirements first. Cyber insurers want 24/7 detection and response in an environment — second [is] customer requirements. A corporate customer needs 24/7 detection and response services or does not cooperate with the company, and the third is a compelling event [a breach].”

Pollard explained that internal drivers to watch out for are: “Consider moving when adding or replacing an existing EDR tool, as most EDR vendors now offer MDR service and/or renew an MSSP. Migrating from MSSP to MDR generally yields better results, and MDR customers are more satisfied than older MSSP customers have ever been.”

SMBs are known for prioritizing their security spending for preventive controls and not having the budget or staff to achieve 24/7 threat monitoring, detection and response.  They partner with MDRs to reduce the risk of cyber attacks disrupting their business.

Where MDRs Close Vulnerabilities

Forrester’s research illustrates why SMBs need a solid strategy to reduce the time it takes to detect and respond to incidents, in addition to their spending on preventive controls. Relying on firewalls, endpoint security, IAM and network security only partially reduces the risk of a cyberattack; those controls need to be reinforced with detection and response across the business. Gartner predicts that by 2025, 50% of organizations will use MDR services for threat monitoring, detection and response functions that can contain and mitigate threats.

SMBs should also aim to cut the time it takes to detect and respond to incidents, around the clock. But, as the Forrester study shows, most SMBs struggle to find qualified cybersecurity experts to staff an in-house SOC. MDRs, by contrast, are constantly recruiting threat analysts with detection and response expertise who can start reducing a customer’s cyberattack risk immediately.

SMBs most value external security partners who work closely with them during incidents (52%) and fill internal skills gaps (47%). The ability of MDRs and other security partners to complement an SMB’s cybersecurity capabilities not only reduces risk to the business but also helps meet cyber insurance requirements, according to 42% of respondents.

Responding to endpoint and network-based infrastructure threats is the most challenging area for SMBs, along with gaining a greater understanding of digital forensics and post-breach investigations.

MDR adoption is increasing among SMBs as service providers continually refine their threat management and response services, along with their analytics and threat intelligence. Mid-sized enterprise CIOs and IT leaders are also looking for MDRs with an experienced team that can handle breach and risk detection, digital forensics and incident response. Additionally, 38% of SMBs report that they plan to implement managed detection and response in the next 12 months, which makes it all the more important for MDRs to field an experienced team backed by solid customer support.

What should you pay attention to with an MDR provider?

The MDR landscape is becoming more competitive and delivering greater value to SMBs in need of support. Defining detection and response use cases is a practical first step in determining what services are required from an MDR and whether the provider’s tech stack is a good fit with an SMB’s existing IT infrastructure.

MDR providers that can bridge security gaps and combine artificial intelligence (AI) and machine learning (ML) with experienced analysts are leading the market today. Of course, 24/7 response with automated alerts and experienced monitoring support is a given to look for in a provider.

Before proceeding, SMBs should also evaluate MDRs on how well they can detect threats that currently bypass preventive controls. Leading MDR providers may also map their detections to the MITRE ATT&CK framework and show their coverage, which is invaluable for improving detection and response tactics and strategies. Ask for that coverage in a form that can be checked against the techniques the SMB itself prioritizes, rather than as a summary slide; a high overall percentage says little if the uncovered techniques are the ones most likely to be used against the business.
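One way to do that check, as an added example that is not code from the article or from any MDR provider: ask the provider for its coverage as an ATT&CK Navigator layer export and diff it against a Navigator layer holding the SMB’s own priority techniques. The script below assumes the standard Navigator layer shape (a `techniques` list of `techniqueID`, `tactic`, `score` entries) and adopts the convention, an assumption of this script, that a provider score above 0 means a detection exists. Both layers are constructed sample data; the technique IDs are real ATT&CK IDs, but the coverage claims and priorities are invented.

```python
"""Diff an MDR provider's claimed ATT&CK coverage against an SMB's own
priority list, both expressed as ATT&CK Navigator layer JSON.

Added illustration, not code from the article or from any MDR provider.
The two layers below are constructed sample data: the technique IDs are
real ATT&CK IDs, but the coverage claims and priorities are invented.
"""
import json
from collections import defaultdict

# Constructed: what a provider might export from ATT&CK Navigator. This script
# assumes the convention that score > 0 means "we have a detection for this".
PROVIDER_LAYER = json.dumps({
    "name": "Example MDR detection coverage (constructed)",
    "techniques": [
        {"techniqueID": "T1566", "tactic": "initial-access", "score": 2},
        {"techniqueID": "T1059", "tactic": "execution", "score": 2},
        {"techniqueID": "T1059.001", "tactic": "execution", "score": 2},
        {"techniqueID": "T1053.005", "tactic": "persistence", "score": 2},
        {"techniqueID": "T1078", "tactic": "defense-evasion", "score": 1},
        {"techniqueID": "T1110", "tactic": "credential-access", "score": 2},
        {"techniqueID": "T1021", "tactic": "lateral-movement", "score": 0},
    ],
})

# Constructed: the SMB's own priorities (e.g. from its threat model), where
# score is how much the business cares about catching the technique.
SMB_PRIORITY_LAYER = json.dumps({
    "name": "SMB priority techniques (constructed)",
    "techniques": [
        {"techniqueID": "T1566", "tactic": "initial-access", "score": 3},
        {"techniqueID": "T1059", "tactic": "execution", "score": 3},
        {"techniqueID": "T1053", "tactic": "persistence", "score": 2},
        {"techniqueID": "T1078", "tactic": "defense-evasion", "score": 3},
        {"techniqueID": "T1003", "tactic": "credential-access", "score": 3},
        {"techniqueID": "T1021", "tactic": "lateral-movement", "score": 2},
        {"techniqueID": "T1486", "tactic": "impact", "score": 3},
    ],
})


def load_layer(text):
    """Parse a Navigator layer into {techniqueID: (tactic, score)}."""
    layer = json.loads(text)
    out = {}
    for entry in layer.get("techniques", []):
        out[entry["techniqueID"]] = (entry.get("tactic", ""), int(entry.get("score", 0)))
    return out


def coverage_status(provider, tid):
    """'full' if the provider claims tid itself, 'partial' if it only claims
    some sub-techniques (Txxxx.yyy) under it, otherwise 'none'."""
    if provider.get(tid, ("", 0))[1] > 0:
        return "full"
    if any(k.startswith(tid + ".") and s > 0 for k, (_, s) in provider.items()):
        return "partial"
    return "none"


def coverage_gaps(provider_json, priority_json, min_priority=2):
    """Return [(techniqueID, tactic, priority, status)] for every priority
    technique at or above min_priority that the provider does not fully cover."""
    provider = load_layer(provider_json)
    priorities = load_layer(priority_json)
    gaps = []
    for tid in sorted(priorities):
        tactic, prio = priorities[tid]
        if prio < min_priority:
            continue
        status = coverage_status(provider, tid)
        if status != "full":
            gaps.append((tid, tactic, prio, status))
    return gaps


def coverage_by_tactic(provider_json, priority_json):
    """Percentage of the SMB's priority techniques fully covered, per tactic."""
    provider = load_layer(provider_json)
    priorities = load_layer(priority_json)
    counts = defaultdict(lambda: [0, 0])  # tactic -> [covered, total]
    for tid, (tactic, _) in priorities.items():
        counts[tactic][1] += 1
        if coverage_status(provider, tid) == "full":
            counts[tactic][0] += 1
    return {t: round(100 * c / n) for t, (c, n) in counts.items()}


if __name__ == "__main__":
    for tid, tactic, prio, status in coverage_gaps(PROVIDER_LAYER, SMB_PRIORITY_LAYER):
        print(f"GAP {tid:<10} {tactic:<18} priority={prio} provider={status}")
    for tactic, pct in sorted(coverage_by_tactic(PROVIDER_LAYER, SMB_PRIORITY_LAYER).items()):
        print(f"{tactic:<18} {pct:3d}% of priority techniques covered")
```

With the constructed layers, the provider looks good on initial access and execution but has no detection for credential dumping (T1003), lists lateral movement via remote services (T1021) with a zero score, covers only one sub-technique of scheduled tasks (T1053) and has nothing for ransomware-style encryption (T1486); those are the questions to put to the provider before signing, and the same script can be re-run on its answers.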

Knowing how response actions are managed, the provider’s track record of SOC analysts working with customers during incidents, and whether it offers on-site as well as remote digital forensics and incident response are also vital factors to keep in mind.

Finally, review how the MDR providers under consideration recruit, retain and promote their threat analysts. The cybersecurity workforce shortage is especially acute, so it is important to understand how an MDR manages its business in the face of that constraint.
