Managed detection and response (MDR) has been a standard MSSP and MSP cybersecurity offering for years to help business customers fight cyberattacks, but a broader version of the protections, extended detection and response (XDR), has been growing in popularity in the marketplace.
And as that trend continues, MSSPs and MSPs that are only offering MDR services should be evaluating whether it is time for them to move quickly into offering XDR as well to improve cybersecurity protections for their customers while boosting their own sales revenue.
“The standard cybersecurity offering has been MDR, but now it seems like more [vendors] are introducing XDR,” Rob Enderle, principal analyst at Enderle Group, said. “[XDR] is more attractive to [customers] that have existing security infrastructure, and these firms are generally better funded so it [can be] a large part of the available revenue stream” for MSSPs and MSPs in the future.
It is a top strategic concern for MSSPs and MSPs today, said Enderle. “Without XDR, they are not just leaving money on the table, they are cutting themselves off from the most potentially lucrative customers, those that can better fund security [spending]. Every moment they wait they are giving up share and revenue to someone else and it is unlikely they will be able to recover that revenue in the future as customers do not switch security vendors lightly.”
MDR and XDR Compared
MDR is used to monitor and manage endpoint devices, network devices and cloud services through technology and human expertise to detect threats and respond to them via a security operations center (SOC). MDR typically uses disparate security technologies that are often managed separately, providing active threat hunting, incident response, and remediation recommendations.
XDR extends coverage beyond the traditional endpoint and network data sources covered by MDR. To do that, XDR integrates multiple security layers, including email, network, server, cloud and endpoint data, and uses advanced analytics to provide automatic and comprehensive responses to threats to better protect users. Those automated responses can include isolating infected devices, blocking IP addresses, or other remedial actions across the integrated security stack.
A growing number of security vendors are offering XDR today, including Palo Alto Networks and its Cortex XDR; CrowdStrike and its Falcon platform with XDR capabilities; and Sophos, which offers Sophos XDR. Other vendors offer both MDR and XDR, including Microsoft, McAfee, eSentire, Alert Logic, Rapid7 and Trend Micro.
For MSSPs and MSPs, these expanding product lines offer new sales and revenue opportunities to better help their customers protect their operations and businesses.
How MSSPs and MSPs Can Take Advantage of XDR Opportunities
Jonathan Ong, a cybersecurity analyst with Omdia, said that the market for XDR is heating up.
“A staggering 95% of security decision makers we surveyed last year are open to replacing discrete threat detection and incident response tools around endpoint, cloud, network, etc., with a comprehensive XDR offering,” said Ong. “This is because the present challenge is around normalizing and integrating the data from these discrete sources into a cohesive story of the organization’s security tapestry.”
For business users, Omdia recommends that customers move to XDR instead of more traditional MDR to gain the benefits of a unified approach, increased visibility across the tech stack, and improved analytics and automation, said Ong.
But there are things to watch out for as well, he said. “MSSPs should consider factors such as higher costs associated with more telemetry, potential rip-and-replace requirements, and client willingness to grant access to these domains, and tailor their offering and pricing accordingly,” he said. “MSSPs may need to wait out the client’s existing point solution contracts before making the migration to XDR, or offer attractive pricing to entice them,” he added.
Regardless of such challenges, he said, moving to provide XDR is a smart decision for MSSPs and MSPs. “It is a good opportunity to offer a solution which the market has demonstrated interest in while reducing the workload for the [customer and MSSP] analysts” who would have to instead monitor multiple products. “Given the strong interest that we have seen from security decision makers, it would make sense to make the switch to XDR sooner rather than later.”
Still, MDR and XDR will likely both remain side by side in the market for some time due to varying business customer needs, said Ong.
“XDR and MDR address different market segments,” he said. “Firms using XDR have in-house security to utilize the platform, whereas firms using MDR will rely on the MDR provider to a certain extent, [whether fully managed or co-managed].”
Eventually, though, Omdia does see XDR replacing MDR and EDR as the primary detection and response technology long term, said Ong.
Enderle, the other analyst we spoke with, said he sees this differently.
“Each tool addresses a fundamentally different class of customer, so the two tools must coexist,” he said. “As we move to even more automation, MDR will likely win out in the long term. XDR requires that manual labor largely remains in place, which is counter to the trend that AI is currently driving – for full automated replacement when possible.”
But this will not happen overnight, said Enderle. “I expect this trend to take one or two decades to mature so, for that time, XDR will enjoy a viable market.”
XDR will appeal more to businesses that have their own security teams “as that staff is generally a key decision maker in choosing a tool, and they would prefer a tool that would enhance, rather than replace, them,” said Enderle.