Now Tech: Managed Detection And Response Services Providers, Q4 2020

Forrester’s Overview Of 42 Managed Detection And Response Providers

by Jeff Pollard
December 16, 2020

LICENSED FOR INDIVIDUAL USE ONLY
FORRESTER.COM

Key Takeaways

Establish Threat Hunting With Managed Detection And Response
Most SOC teams find themselves far too overloaded to ever reach the promised land of becoming proactive with their threat hunting. MDR can give teams this boost by handling hunting via managed detection.

Select Vendors Based On Expertise And Response Actions
An MDR provider’s expertise in threat intelligence, investigations, and resolutions is far more important than ease of purchase. MDR providers should offer comprehensive response actions that leverage existing infrastructure, not a limited set of already available EDR API integrations.

Expect XDR By Default From MDR Vendors
During the explosive growth period in the last few years, the definition of MDR remained malleable as the market matured. Today, comprehensive MDR capabilities require extended detection and response (XDR) visibility to augment investigations and accelerate response actions.

Why Read This Report

You can use managed detection and response (MDR) to attain significant expertise to help drive detection and response, become proactive rather than reactive, and choose what the security team will focus on. But to realize these benefits, you’ll first have to select from a diverse set of vendors that vary by size, functionality, geography, and vertical market focus. Security and risk pros should use this report to understand the value they can expect from an MDR provider and to select one based on expertise and response actions.

This PDF is only licensed for individual use when downloaded from forrester.com or reprints.forrester.com. All other distribution prohibited.



© 2020 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Unauthorized copying or distributing is a violation of copyright law. [email protected] or +1 866-367-7378

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA
+1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com

Table Of Contents

Establish Threat Hunting With Managed Detection And Response

Select Vendors Based On Expertise And Response Actions

MDR Market Presence Segments

MDR Functionality Segments

Align Individual Vendor Solutions To Your Organization’s Needs

Recommendations

Expect XDR By Default From MDR Vendors

Supplemental Material

Related Research Documents

The Forrester Wave™: European Managed Security Services Providers, Q3 2020

The Forrester Wave™: Global Managed Security Services Providers, Q3 2020

The Forrester Wave™: Midsize Managed Security Services Providers, Q3 2020

For Security & Risk Professionals

by Jeff Pollard
with Joseph Blankenship, Amy DeMartine, Melissa Bongarzone, and Peggy Dostie

December 16, 2020


Establish Threat Hunting With Managed Detection And Response

Skyrocketing adoption of endpoint detection and response (EDR), seemingly constant need for incident response investigations, and longstanding malaise toward managed security services providers (MSSPs) converged to establish the MDR market. Forrester defines MDR as:

A fully managed security service that includes the application of advanced security analytics, proactive threat hunting, and incident response investigative capabilities along with security automation orchestration (SOAR) for automated, manual, and on-demand response actions based on predefined and custom escalation workflows.

The quality of MDR services depends on its ability to incorporate extended detection and response (XDR) visibility from not just EDR software, but also network analysis and visibility (NAV) tools, network traffic analysis (NTA), and analysis of security log data. Clients should therefore expect these outcomes when working with MDR vendors:

› Attain significant expertise to help drive detection and response. The level of competency gained from investigating a myriad of incidents across different client environments results in phenomenal MDR personnel. For a typical enterprise, finding, developing, and retaining this talent is not impossible, but it’s not affordable.

› Become proactive rather than giving the same old reactive response. The reason detection and response teams fail to become proactive is well established — they can’t escape the constant deluge of activities they have to react and respond to. Becoming proactive is a pipe dream, until adding an MDR service that helps them shift in that direction.

› Choose what the security team will focus on. Even when a security organization includes a capable detection and response team, deciding what to pursue is a challenge. For example, the internal team may focus on external threats but hand off insider threat incidents to an outside firm performing MDR.

Select Vendors Based On Expertise And Response Actions

We’ve based our analysis of the MDR market on two factors: market presence and functionality.

MDR Market Presence Segments

We segmented the vendors in this market into three categories, based on MDR revenue: large established players (more than $55 million in MDR revenue), midsize players ($20 to $55 million in revenue), and smaller players (less than $20 million in revenue) (see Figure 1). We did not include vendors that we estimated to have less than $1.2 million in revenue.


FIGURE 1 Now Tech Market Presence Segments: Managed Detection And Response Services Providers, Q4 2020

| Segment | Vendors |
| --- | --- |
| >$55M in annual category revenue | Accenture; Alert Logic; Arctic Wolf; CrowdStrike; deepwatch; Deloitte; eSentire; EY; FireEye*; NCC Group |
| $20M to $55M in annual category revenue | AT&T Cybersecurity; Booz Allen Hamilton*; Critical Start*; Digital Guardian; Expel; Kudelski Security; Optiv Security; Rapid7; Red Canary; Secureworks; SentinelOne; Sophos; Trend Micro; Trustwave; VMware (Carbon Black)*; Wipro |
| <$20M in annual category revenue | Atos†; Binary Defense*; Bitdefender; BlackBerry; Blackpoint Cyber; BlueVoyant; Capgemini*; ControlScan; Cybereason*; CyberProof; IBM*; Infocyte; Kaspersky*; LogicHub*; Nuspire; PwC* |

*Forrester estimate. †Revenue does not reflect Atos’ acquisition of Paladion.


MDR Functionality Segments

To explore functionality at a deeper level, we broke the MDR market into four segments, each with varying capabilities (see Figure 2 and see Figure 3):

› Proactive hunter, investigator, and responder specialists. These firms bring an MDR service to clients built on a foundation of deep subject matter expertise in analytics, incident response, and threat intelligence. Proactive hypothesis-driven threat hunting methodologies curated into analytics and their use of automation makes these vendors excel.

› Managed EDR. Excellent subject matter expertise around specific EDR products underpin MDR for these vendors, with many using MDR to transform their business model, trading margin for growth. Strong service capabilities for on-premises infrastructure, along with mature product management and EDR support capabilities, set these vendors apart.

› Managed incident response-as-a-service (IRaaS). These vendors build on a tradition of “boots-on-the-ground” incident response expertise, transforming service delivery in the form of time and materials into a recurring revenue service. Strong investigative methodologies, threat hunting, and analytics are prime use cases for these vendors, offset by less comprehensive response actions, limited XDR support, and niche insider threat capabilities.

› MSSPs adding MDR to service stack. For the 30-year history of MSSPs, their core competencies included network security and log data analysis. MDR shifts visibility — and response — from the network to the endpoint transforming their approach. These MDR providers bring strong analytics, mature threat hunting, and a legacy of MSS delivery to clients. Expanding to MDR did not solve the cloud challenges that MSSPs suffer from, and insider threat investigative experience is limited.


FIGURE 2 Now Tech Functionality Segments: Managed Detection And Response Services Providers, Q4 2020, Part 1

[Figure: segment functionality (High, Moderate, Low, None) for two segments, "Proactive hunter, investigator, and responder specialists" and "Managed EDR", across these capabilities: proprietary threat intelligence generation and operationalization; end user compute detection and response capabilities (Microsoft Windows, Apple); on-premises infrastructure investigative methodologies; cloud (IaaS, PaaS, SaaS) detection and response capabilities; insider threat detection and response capabilities; analytics capabilities; XDR — use of non-endpoint telemetry in MDR service; threat hunting approach; threat hunting scenarios; malware analysis capabilities; available response actions; client-facing SOAR; MITRE ATT&CK mapping and use.]


FIGURE 3 Now Tech Functionality Segments: Managed Detection And Response Services Providers, Q4 2020, Part 2

[Figure: segment functionality (High, Moderate, Low, None) for two segments, "Managed incident response-as-a-service (IRaaS)" and "MSSPs adding MDR to service stack", across these capabilities: proprietary threat intelligence generation and operationalization; end user compute detection and response capabilities (Microsoft Windows, Apple); on-premises infrastructure investigative methodologies; cloud (IaaS, PaaS, SaaS) detection and response capabilities; insider threat detection and response capabilities; analytics capabilities; XDR — use of non-endpoint telemetry in MDR service; threat hunting approach; threat hunting scenarios; malware analysis capabilities; available response actions; client-facing SOAR; MITRE ATT&CK mapping and use.]

Align Individual Vendor Solutions To Your Organization’s Needs

The following tables provide an overview of vendors with details on functionality category, geography, and vertical market focus (see Figure 4, see Figure 5, and see Figure 6).


FIGURE 4 Now Tech Large Vendors: Managed Detection And Response Services Providers, Q4 2020

>$55M in annual category revenue

| Vendor | Primary functionality segments | Geographic presence (by revenue %) | Vertical market focus (by revenue) | Sample customers |
| --- | --- | --- | --- | --- |
| Accenture | Managed incident response-as-a-service (IRaaS) | NA 40%; LATAM 2%; EMEA 35%; APAC 23% | Chemicals; financial services; government | Vendor did not disclose |
| Alert Logic | MSSPs adding MDR to service stack | NA 90%; EMEA 9%; APAC 1% | Financial services; healthcare; high-tech products | Apervita; ClubCorp; Rent-A-Center |
| Arctic Wolf | Proactive hunter, investigator, and responder specialists | NA 100% | Financial services; healthcare manufacturing | Hubbard Broadcasting; Jackson Parish Hospital |
| CrowdStrike | Proactive hunter, investigator, and responder specialists | NA 74%; LATAM 4%; EMEA 14%; APAC 8% | Financial services; healthcare; high-tech products | Greenhill & Co.; Mercedes-AMG Petronas Formula1 Team; Virgin Hyperloop |
| deepwatch | Proactive hunter, investigator, and responder specialists | NA 100% | Financial services; high-tech products; retail | Dover; Guidehouse; HUB International |
| Deloitte | Managed incident response-as-a-service (IRaaS) | NA 55%; LATAM 5%; EMEA 25%; APAC 15% | Financial services; government; healthcare | Maersk |
| eSentire | Proactive hunter, investigator, and responder specialists | NA 85%; LATAM 1%; EMEA 12%; APAC 2% | Financial services; healthcare; professional services | HKS; M&C Saatchi; Wetherby Asset Management |
| EY | Managed incident response-as-a-service (IRaaS) | NA 80%; LATAM 5%; EMEA 10%; APAC 5% | Consumer products; healthcare; media, entertainment, and leisure | Vendor did not disclose |
| FireEye | Proactive hunter, investigator, and responder specialists | NA 78%; LATAM 1%; EMEA 11%; AP 10%* | Financial services; manufacturing; telecom | Beverages and More; Penn State Hershey Medical Center; Vodafone Hutchison Australia |
| NCC Group | MSSPs adding MDR to service stack | NA 8%; EMEA 89%; APAC 3% | Financial services; high-tech products; transportation | Vendor did not disclose |


FIGURE 5 Now Tech Midsize Vendors: Managed Detection And Response Services Providers, Q4 2020

$20 to $55M in annual category revenue

| Vendor | Primary functionality segments | Geographic presence (by revenue %) | Vertical market focus (by revenue) | Sample customers |
| --- | --- | --- | --- | --- |
| AT&T Cybersecurity | MSSPs adding MDR to service stack | NA 85%; EMEA 10%; APAC 5% | Financial services; healthcare; high-tech products | Articularis Healthcare; NHS Management; Per Mar |
| Booz Allen Hamilton | Managed incident response-as-a-service (IRaaS) | NA 60%; LATAM 1%; EMEA 20%; APAC 19% | Financial services; healthcare; high-tech products | Vendor did not disclose |
| Critical Start | MSSPs adding MDR to service stack | NA 100% | Healthcare; manufacturing; oil and gas | Cherwell Software; Mattress Firm; Moneygram |
| Digital Guardian | Managed enterprise detection and response (EDR) | NA 71%; LATAM 22%; EMEA 7% | Financial services; manufacturing; professional services | Vendor did not disclose |
| Expel | Proactive hunter, investigator, and responder specialists | NA 91%; LATAM 3%; EMEA 3%; APAC 3% | Financial services; high-tech products; transportation | GreenSky; Hogan Lovells; Qlik |
| Kudelski Security | MSSPs adding MDR to service stack | NA 40%; EMEA 60% | Consumer goods; financial services; utilities | L’Oréal; Pernod Ricard; Tetra Pak |
| Optiv Security | MSSPs adding MDR to service stack | NA 88%; EMEA 12% | Financial services; healthcare; telecom | Vendor did not disclose |
| Rapid7 | Managed enterprise detection and response (EDR) | NA 95%; LATAM 1%; EMEA 2%; APAC 2% | Financial services; manufacturing; professional services | Enterprise Bank & Trust; The J. Jill Group; National Geographic Society |
| Red Canary | Managed enterprise detection and response (EDR) | NA 94%; EMEA 5%; APAC 1% | Financial services; healthcare; high-tech products | Vendor did not disclose |
| Secureworks | MSSPs adding MDR to service stack | NA 85%; EMEA 10%; APAC 5%* | Financial services; manufacturing; professional services | Apache Nitrogen Products; Ricoh USA |
| SentinelOne | Managed enterprise detection and response (EDR) | NA 51%; LATAM 3%; EMEA 38%; APAC 8% | Healthcare; oil and gas; professional services | Aston Martin; Havas Group; McKesson |
| Sophos | Managed enterprise detection and response (EDR) | NA 72%; LATAM 1%; EMEA 18%; APAC 8% | Manufacturing; professional services; retail | Vendor did not disclose |
| Trend Micro | Managed enterprise detection and response (EDR) | NA 10%; LATAM 5%; EMEA 60%; APAC 25%* | Engineering; healthcare; logistics | Anthem BioSciences; City of Tyler; ClubCorp |
| Trustwave | MSSPs adding MDR to service stack | NA 51%; LATAM 3%; EMEA 22%; APAC 24% | Financial services; manufacturing; professional services | Vendor did not disclose |
| VMware (Carbon Black) | Managed enterprise detection and response (EDR) | NA 80%; EMEA 20%* | Financial services; healthcare; retail | Osceola County Sheriff’s Office; Progress Residential; United States Senate Federal Credit Union |
| Wipro | MSSPs adding MDR to service stack | NA 49%; LATAM 2%; EMEA 34%; APAC 15% | Financial services; manufacturing; utilities | RSA Insurance; Thomas Jefferson |

*The vendor did not provide information for this cell; this is Forrester’s estimate.


FIGURE 6 Now Tech Small Vendors: Managed Detection And Response Services Providers, Q4 2020

<$20M in annual category revenue

| Vendor | Primary functionality segments | Geographic presence (by revenue %) | Vertical market focus (by revenue) | Sample customers |
| --- | --- | --- | --- | --- |
| Atos | MSSPs adding MDR to service stack | NA 45%; EMEA 55% | Healthcare; government; manufacturing | Vendor did not disclose |
| Binary Defense | Proactive hunter, investigator, and responder specialists | NA 85%; LATAM 5%; EMEA 5%; APAC 5% | Financial services; manufacturing; professional services | Causeway Capital; NACCO Industries |
| Bitdefender | Managed enterprise detection and response (EDR) | NA 89%; EMEA 11% | Healthcare; hospitality; retail | Vendor did not disclose |
| BlackBerry | Managed enterprise detection and response (EDR) | NA 83%; EMEA 17% | Education; healthcare; manufacturing | Cobb County Superior Court Clerk’s Office; Pathway Capital; Prospect Capital Management |
| Blackpoint Cyber | MSSPs adding MDR to service stack | NA 65%; EMEA 10%; APAC 25% | Engineering; healthcare; professional services | Vendor did not disclose |
| BlueVoyant | MSSPs adding MDR to service stack | NA 70%; EMEA 10%; APAC 20% | Financial services; high-tech products; media, entertainment, and leisure | DA Davidson; Sentinel Real Estate; US LBM |
| Capgemini | MSSPs adding MDR to service stack | NA 25%; LATAM 25%; EMEA 25%; APAC 25%* | Financial services; retail; manufacturing* | Vendor did not disclose |
| ControlScan | MSSPs adding MDR to service stack | NA 100% | Financial services; professional services; retail | The Baltimore Life Companies; RecruitMilitary; Weigel’s Stores |
| Cybereason | Managed enterprise detection and response (EDR) | NA 22%; LATAM 2%; EMEA 41%; APAC 35% | Consumer products; financial services; healthcare | Encore Capital; ESP Management; G-Star |
| CyberProof | MSSPs adding MDR to service stack | NA 56%; LATAM 3%; EMEA 33%; APAC 8% | Financial services; manufacturing; transportation and logistics | Vendor did not disclose |
| IBM | MSSPs adding MDR to service stack | NA 42%; LATAM 2%; EMEA 36%; APAC 20% | Manufacturing healthcare; utilities | Crossmark; Daikin |
| Infocyte | Managed enterprise detection and response (EDR) | NA 85%; LATAM 5%; EMEA 10% | Financial services; government; healthcare | Ent Credit Union; Solutions Granted; University Health Services |
| Kaspersky | Managed enterprise detection and response (EDR) | NA 2%; EMEA 94%; APAC 4% | Financial services; government; industrial products | Donau Chemie; RTI Systems |
| LogicHub | Managed enterprise detection and response (EDR) | NA 90%; EMEA 10% | Financial services; government; high-tech products | Cobalt; Moelis; Virtualitics |
| Nuspire | MSSPs adding MDR to service stack | NA 97%; LATAM 1%; EMEA 1%; APAC 1% | Manufacturing; retail; professional services | InfuSystems; Shape Corp; Tecomet |
| PwC | Managed incident response-as-a-service (IRaaS) | NA 5%; EMEA 80%; APAC 15% | Healthcare; retail; utilities | Vendor did not disclose |

*The vendor did not provide information for this cell; this is Forrester’s estimate.


Recommendations

Expect XDR By Default From MDR Vendors

As MDR grew in popularity, a new adjacent category and acronym emerged: extended detection and response (XDR). XDR gained momentum as EDR and MDR vendors touted that endpoint-only telemetry from EDR rendered other data unnecessary, which was never true. Quality MDR vendors should already have XDR-like capabilities within their service stack. To avoid a similar pitfall, when selecting MDR vendors:

› Identify a vendor’s history and motivations for offering MDR. MDR offers a transformation for existing security vendors, and buyers need to figure out why a vendor entered the market. Does this represent a transformation in visibility and response, service delivery, licensing model, or a new approach to detection and response that doesn’t currently exist? The motives behind the service will shed some light on how committed the vendor is to MDR, and also reveal the strengths, weaknesses, and overall approach to their MDR offering.

› Evaluate the relationship between threat intelligence, threat hunting, and analytics. Many MDR vendors fail to articulate threat hunting in meaningful fashion — in terms of intent, methodology, and outcome. CISOs should charge their teams to dig deep in their evaluation and uncover the dynamic cycle between these three items. In quality MDR vendors, each of the three will act as an input, output, and/or augment the others. Ask for details like top five threat-hunting methodologies used, how successful hunts become analytic rules, and how threat intelligence becomes a source for future threat hunts.

› Restrictions in response should come from your playbooks, not vendor APIs. When vendors use the word “endpoint,” they mean “supported operating systems on which our tool can be installed,” but when CISOs say endpoint, it means “everything we consider to be an endpoint.” This problematic disconnect also exists when it comes to response actions. MDR vendors often rely on existing API integrations from technology partners to facilitate response and automation. While MDR vendors should take advantage of integrations that already exist, they should also support manual and automated response actions that go beyond what EDR tools offer. The right MDR vendor will map to your playbook and perform response actions across endpoints, networks, and identity and access management tools.


Supplemental Material

Market Presence Methodology

We defined market presence in Figure 1 based on factors such as MDR revenue, installed base estimates, customer count, geographic presence, vendor briefings, and other Forrester research.

To complete our review, Forrester requested information from vendors. If vendors did not share this information with us, we made estimates based on available secondary information. We’ve marked companies with an asterisk if we estimated revenues or information related to geography or industries. Forrester fact-checked this report with vendors before publishing.


Companies Interviewed For This Report

We would like to thank the individuals from the following companies who generously gave their time during the research for this report.

Accenture
Alert Logic
Arctic Wolf
AT&T Cybersecurity
Atos
Binary Defense
Bitdefender
BlackBerry
Blackpoint Cyber
BlueVoyant
Booz Allen Hamilton
Capgemini
ControlScan
Critical Start
CrowdStrike
Cybereason
CyberProof
deepwatch
Deloitte
Digital Guardian
eSentire
Expel
EY
FireEye
IBM
Infocyte
Kaspersky
Kudelski Security
LogicHub
NCC Group
Nuspire
Optiv Security
PwC
Rapid7
Red Canary
Secureworks
SentinelOne
Sophos
Trend Micro
Trustwave
VMware (Carbon Black)
Wipro
