What's the Most Important Thing to Keep in Mind About MDR Costs?

Posted on December 21, 2020

Managed Detection and Response Pricing: 21 Cybersecurity Experts & Business Leaders Reveal the Most Important Thing for Companies to Keep in Mind About MDR Costs

The threat landscape is expanding and evolving every day, with new and sophisticated attacks targeting businesses of all sizes. To protect their sensitive data, companies must invest in the tools, technology, and expertise required to take a proactive approach to security, continuously monitoring for risks, and taking swift action when threats are detected to mitigate the risk and minimize damage. The cost of implementing these tools and technologies, as well as building and retaining a team of in-house cybersecurity experts and analysts who can analyze threat data and implement prompt and effective threat response, is understandably high.

That’s not to mention the cybersecurity skills gap. There’s been a cybersecurity labor shortage for several years, making it challenging for companies to attract and retain top cybersecurity talent. To overcome these challenges and bolster their security posture, more businesses are turning to managed detection and response (MDR) services to access the latest technologies and diverse and highly skilled cybersecurity teams to detect threats, manage incident response, and proactively hunt threats – without the time, resources, and expenses needed to build an in-house security operations center.

For many companies, MDR may at first seem cost-prohibitive, but evaluating the value you receive from an MDR program in the context of your company’s risks and vulnerabilities paints a clearer picture. To learn more about the top considerations companies should weigh and what to keep in mind regarding MDR costs, we reached out to a panel of cybersecurity experts and business leaders and asked them to answer this question:

"What’s the most important thing for companies to keep in mind about MDR costs?"

Meet Our Panel of Cybersecurity Experts & Business Leaders:

Read on to learn what our experts had to say about the most important things to keep in mind about managed detection and response costs.

Mark EvansMark Soto

Mark Soto is the founder of Cybericus, a cybersecurity company in Milwaukee, Wisconsin. He graduated with a computer science degree from the University of Wisconsin - Milwaukee. He worked as a security analyst in the banking industry for over 20 years before leaving the corporate world to start his own venture.

"Here are two important things companies should keep in mind about MDR costs...."

1. Recognize the industries that they serve.

Some industries will require a lot more effort and resources than others. No matter how much you leverage automation, humans will still need to analyze certain alerts, and high-risk industries such as banking or healthcare will need far more attention than most. Working with an MDR company that has knowledge of your industry and understands the security threats related to it is worth the extra cost compared to one with little to no knowledge of it.

2. Understand what you're getting in return.

While some MDRs may be less expensive than others, you might not be getting an equal amount of things in return. Things to keep in mind are 24/7 monitoring/reporting, what technology/tools they are using, and what kind of coverage you are getting for the company. The price is just one variable out of the many when keeping in mind MDR costs.

Jared EbrahimoffJared Ebrahimoff

@LavariJewelers

Jared Ebrahimoff is the Founder & COO of Lavari Jewelers.

"Buy the packages you need and not more expensive packages…"

There are a lot of available options in the market, and some have undoubtedly better security and features than others. However, the features embedded in cheaper options might be enough for your business. Choosing the more economical option with substantial features will save a ton of money – these also give you ample protection appropriate for your business's needs.

Neil GurnhillNeil Gurnhill

@NodeIntl

Neil Gurnhill, CEO of Node International, is one of the leading experts on cyber insurance. Node International is a Managing General Agent providing comprehensive insurance and cybersecurity tools in a combined digital risk offering.

"In corporations of all sizes, not a day goes by without MDR (managed detection and response), reaching the board room…"

Attempted cybercrime against businesses is now a multi-time, daily occurrence. It’s even more than this. Effective MDR is a real-time event and a proactive event – you lose if you are slower in detecting the attempted crimes and not super-nimble in your response, even by a millisecond.

MDR is now a large global business and numerous providers provide IT departments and cyber-based businesses with the real-time detection and response they need. Cyberattacks are increasingly stealthy and targeted across emails, endpoints, servers, cloud storage, and complete networks. The only way you can deal with this is to use enhanced AI detection and response systems, and that is where the big providers excel – real-time, AI-driven systems providing cross-system protection. Is MDR expensive? Yes, and in some cases, thousands of dollars. Is it worth it? Most certainly, yes.

Ilia SotnikovIlia Sotnikov

@Netwrix

Ilia Sotnikov is an accomplished expert in cybersecurity and IT management and VP of Product Management at Netwrix, a vendor of information security and governance software. Netwrix is based in Irvine, CA.

"Companies should keep in mind that investing in MDR services is not…"

Purely a tech decision, but a business one, since MDR is associated with the cost of doing business and withstanding risks. So to justify this investment, the company should analyze its viability first.

By conducting an IT risk assessment, you can understand what risks the company is exposed to, determine the likelihood and potential cost of an incident, and assess the impact threats could have on you. Then, you should be able to compare the accumulated cost of the risks with the MDR’s price tag and answer the following questions:

  • Does this cost and the likelihood of an incident justify the investment in an MDR solution?
  • What can happen if we ignore these threats?
  • Do we have enough risk capacity for that?

Isaac HammelburgerIsaac Hammelburger

@IsaacHammelB

Isaac Hammelburger is the founder of Search Pros, a search focused digital marketing agency.

"Managed detection and response is crucial to have in most businesses, especially if you have data online…"

MDR helps you detect and stop a cybercrime before it even happens to ensure the safety of your data. MDR can determine an organization’s cybersecurity gap, and it tackles more advanced threats and issues compared to an in-house IT team.

For me, the most important thing to keep in mind about managed detection and response is that even though it may cost your company some money, building your own specialized security team will still cost more than a managed detection and response solution. The threat of leaking your data is worse than the cost of the MDR.

Carmine MastropierroCarmine Mastropierro

@CarmineMastrop1

Carmine Mastropierro is a copywriter who has written for Neil Patel, GoDaddy, Marketo, and other publications. He is also a content strategist for the marketing security company Morphio.

"The most important thing to keep in mind with MDR costs is how much threats cost your business in the first place…"

As an example, let’s say that an average error or threat costs $5,000 to fix. If the monthly cost for MDR services is less than this, it will have a clear ROI. Secondly, ensure that you speak with service providers about whether fixes are included or separate. Some will only detect threats and charge extra fees for resolving them.

John SnyderJohn Snyder

@NetFriends

John Snyder is President and CEO of Net Friends, Inc., an MSP and MSSP headquartered in NC. Under his 20-year leadership, Net Friends has developed and expanded multiple IT security offerings, including managed SIEM/SOAR, MDR, Pentesting, and Risk Assessments for hundreds of SMBs, mid-sized businesses, and enterprise customers.

"If a business is considering MDR costs, it usually means they are in the early stages of maturity for their MDR solution…"

The important thing to keep in mind for costs at this point is that the MDR budget should include not only the direct costs of an MDR platform or service provider, but also the costs allocated to improving the quality of MDR inputs and responses.

The first important cost to invest in is improving device coverage. At this stage, an organization will still have a number of network nodes that are invisible to the MDR provider. These can be endpoints that lack an agent or network devices that are not funneling log data to the MDR data pool. This missing data leads directly to deterioration of MDR performance since attacks will be flowing to and from those missing nodes while bypassing the MDR entirely. Smart IT departments will regularly compare the count of known agents and devices against counts of network nodes derived from broad-based scanning, and then allocate an appropriate portion of their budget to addressing these missing assets.

The second important cost to invest in is the orchestration of MDR workflows. Orchestration means connecting the outputs from an MDR platform or provider directly to scripted actions within the gatekeeper applications of an organization: Active Directory domain, email, payroll, and internal ticketing. This can be done using a commercial SOAR platform or through custom connections to the APIs of those applications. This provides a force multiplier effect that enhances the productivity of the firm's internal security team. The alternative course – postponing investment in orchestration until an organization's security team is unable to keep up – invariably leads to poor execution and ballooning costs. By allocating funds to active response orchestration early on, before a system become dauntingly complex, companies can avoid such a fate.

Alex AzouryAlex Azoury

@Homegroundsco

Alex Azoury is the Founder & CEO of Home Grounds.

"It's important for companies to keep in mind that no amount of money invested is guaranteed to stop 100% of threats…"

While there is no guarantee, it is crucial that you find an MDR provider that understands the needs of your organization and can tailor a customized plan that will address the issues your business is likely to face.

Ethan TaubEthan Taub

@LoanryStore

Ethan Taub founded Goalry, Inc. with the mission to create one place to reach financial goals and comparison shops for any money matter.

"MDR seems like an unnecessary expense to some companies, but…"

One thing I will like to advise from the start is that security breaches can happen to anybody at any time. When putting a managed detection team, software, or both together, costs will be involved; however, these will prove more beneficial to you and the future of the business than paying out thousands or even millions of dollars for not handling this properly. I thoroughly urge companies to look at how they have set up their MDR, as one day you may thank yourself for putting trust and money into security measures that can tackle the most notorious threats.

Syed Usman HashmiSyed Usman Hashmi

@UsmanSyedZada

Syed Usman Hashmi is currently working as a Digital Marketing Executive at PureVPN. He loves to socialize, travel, read books, and occasionally writes to spread his knowledge via blogs and discussions. He also teaches individuals who are pursuing a future in Digital Marketing.

"There are two things companies should keep in mind about MDR costs…"

The most common, or the biggest mistake that companies make, is that they don’t evaluate the provider before its selection.

Evaluating an MDR provider is a thorough process that should be considered as a long-term relationship between a company and the provider. Also, MDR helps your company remain cost-effective in your industry by being able to mitigate all risks without spending more and more at different intervals.

It is necessary to know the value of the benefits that you’ll gain by implementing MDR. You may think that investing a large amount of money now is not necessary, but in the long run, that threat-hunting program might save you millions of dollars.

Similarly, partnering with an MDR provider may also save you a lot of money. Just think of the premium specialized cybersecurity products you need or the high-skilled cybersecurity team you need. Their costs are high, but partnering with an MDR provider helps you in sharing the cost of these specialized products and personnel with other MDR customers.

William TaylorWilliam Taylor

@velvetjobs

William Taylor is the Career Development Manager at VelvetJobs.

"A great way to manage your MDR costs is to carefully analyze what features you need depending on the size of your business…"

Sometimes, you don't need all the services an MDR company is offering. For instance, you may not need a retainer for on-site teams to assist in the event of an issue. So, make sure you know what services every pricing plan covers and whether you need to invest in a sophisticated plan.

Bottom line: Carefully analyze what features you need before selecting an MDR provider or service level.

Chad HillChad Hill

Chad Hill is the CMO at Hill & Ponton: Veterans Disability Lawyers.

"Managed detection and response is a unique combination of technology and human skills that…"

Deliver things like advanced threat detection, deep threat analytics, and global threat and other collaborative breach response. Here are three things companies should keep in mind about MDR costs:

  1. Managed detection and response (MDR) is not a replacement for a basic Managed Security System (MSS).
  2. MDR is designed to supplement MSS.
  3. MDR vendors and partners deliver threat anticipation services in a variety of ways.

Tim ReitsmaTim Reitsma

@PPLManagingPPL

Tim Reitsma is the Sales and Ops Strategist of People Managing People.

"There are two important things to keep in mind about MDR costs…"

  1. Pricing is by Assets. Though pricing may look affordable, this is not a fixed rate. You see, pricing is based on the number of assets in your logically separated environment.
  2. Pricing is reduced by Volume. The starting cost is at 300 assets, but if you have more than that, the price will be reduced.

Konstantine ZuckermanKonstantine Zuckerman

@CybriUSA

Konstantine has 15 years of experience in technology. Prior to co-founding cybersecurity company CYBRI, he founded a software development company, Torops. Throughout his career, Konstantine has seen and felt the huge void in accessible cybersecurity products and services. Konstantine holds his Executive MBA from Brown University and cybersecurity certification from Harvard.

"The most important thing to keep in mind about managed detection and response pricing is to ensure you are getting value…"

I have seen a number of companies get MDR but not have any robust detections in place. There is nothing worse than paying for an MDR solution that does not detect a breach. It is important to pay for a solution or service that develops alerting and metrics that actually detect incidents as they happen and not after the servers are encrypted.

Ty StewartTy Stewart

Ty Stewart is the CEO & President of Simple Life Insure.

"My team and I at Simple Life Insurance consider ourselves in the service industry…"

Integral to that is providing outstanding customer service experience at every touchpoint, from friendly emails and secure transactions to safely storing their PII. I see MDR costs as the price to pay — literally — for guaranteeing the safest and smoothest customer experience for our policyholders. And it's a price I'll gladly pay. You cannot skimp on people's trust.

This question admittedly makes me reflect on how my company monitors its network, and how we could be doing better. Because when it comes to cybersecurity, businesses can always do better, especially SMBs.

Pushpraj KumarPushpraj Kumar

@consultifour

Pushpraj Kumar is a Business Analyst at a Custom Software Development Company, iFour Technolab Pvt. Ltd..

"Companies should choose the most appropriate level of protection for each of your assets to…"

Ensure that you have the right coverage and achieve the desired security outcomes at the best cost for your business. Businesses and their security teams need managed detection & response (MDR) more than ever because it helps to improve cyber resilience. When we talk about security operations, then cost is often a concern.

There are many pricing models, and it can be confusing. Keep in mind that the MDR provider's price spectrum may not be your best option. The main goal of MDR is to evolve with the changing trend of hacking. Hacking attempts need to be stopped before they actually happen. MDR may be complex, but it is important to remember the advantages of the system with MDR in place. In fact, you can avoid becoming the next victim, hopefully.

Ben HartwigBen Hartwig

@InfoTracerCom

Ben is a Web Operations Executive at InfoTracer. He authors guides on the entire security posture, both physical and cyber. Enjoys sharing the best practices and does it the right way!

"The increasing digitalization of all aspects of our life comes with huge numbers of cyberattacks…"

According to Statista in 2019, data breaches in the USA amounted to 1,473 with over 164.68 million sensitive records exposed. Currently, companies in the US experience an annual loss of more than $525,000,000 due to cybercrime, with the majority of these losses stemming from malicious code and denial of service attacks.

These statistics come to prove that companies need to protect themselves from cyberattacks using alternative strategies, starting with educating employees to not open emails from unknown sources and checking the sender, through email lookup tools, and all the way to using MDR solutions.

The most important thing to remember when choosing an MDR provider is to make a selection appropriate in the context of the company's needs to keep the right balance between budget and risk acceptance. Capability and cost relationships are determined by these four factors:

  • Signal Fidelity
  • Detection Capability
  • Response
  • Visibility

Shayne ShermanShayne Sherman

@techloriscom

Shayne Sherman is the CEO of TechLoris.

"When it comes to choosing an MDR solution, it's important to be aware of your risks…"

How much does your company stand to lose in the event of a breach? How much would an attack cost you?

An MDR solution is a lot like buying car insurance. You don't need half a million dollar's worth of coverage if you're insuring a Camry. If your company doesn't have a lot of PII or financial information, it may not be worth investing a lot of money in a comprehensive MDR plan.

Make sure you perform a risk analysis and determine your potential losses. Only then can you really decide how much you can afford to spend on MDR coverage.

Phil LewisPhil Lewis

@TitaniaLtd

With an extensive business background and a particular focus on technology and cybersecurity, Phil Lewis joined Titania in 2017 as Chief Operating Officer. Working closely with the Titania team, he helps customers and partners address fundamental cyber risk management challenges by delivering cyber hygiene at scale through accurate, timely, and enterprise-wide configuration security.

"In cyber, like any other form of risk management, risk occurs where a threat finds an exploitable vulnerability…"

If you have vulnerabilities but no threats to exploit them, there is no risk. Alternatively, if you have removed all vulnerabilities and reduced the attack surface to all but the most sophisticated attacks, the risk is minimized. So, when it comes to purchasing managed detection and response services (a cover-all term, first coined by Gartner in 2016), you need to consider two types of MDR – Threat and Vulnerability – in order to achieve Security Operations Confidence.

Security Operations Confidence, as defined by Palo Alto in 2020, demonstrates both:

  • 'operational confidence’ – knowing you have people and processes in place to handle threats/breach); the challenge that Threat MDR addresses, and
  • 'configuration confidence’ – knowing your technology is configured to prevent attacks, and you can automatically remediate vulnerabilities or have accurate data for a human to assess the risk and fix issues as they arise; the challenge that Vulnerability MDR addresses.

Threat MDR providers use the MITRE ATT&CK framework to detect and respond to anomalies or ‘Indicators of Compromise’ (IOCs), typically analyzing large volumes of network data in motion and/or application and endpoint performance data, in conjunction with User Entity and Behavior (UEBA) data. Given the volume of data needing to be analyzed, this is where SIEM and SOAR use cases are focused and probably why the R in SOAR relates to ‘Response,’ not Remediation.

Vulnerability MDR providers detect and remediate vulnerabilities and misconfigurations on your network by continuously auditing devices. Although it’s worth noting that ‘continuous’ in vulnerability audit terms is, at best, likely to be daily – and the required frequency depends on the cybersecurity risk management framework (RMF) you need to comply with.

For example, the DHS CDM RMF for US Civilian Critical Infrastructure states that every device should be audited every 72 hours (as opposed to annually, under the previous RMF, FISMA). It equates to a 121x increase in the number of audits required per annum. A 10,00- device network historically only required 10,000 annual audits and now requires 1.21m audits pa.

If you’re working on a cost per device basis and need to secure the entire network, then for most organizations, this level of outsourced Vulnerability MDR support comes with a high price tag. Therefore, organizations may benefit from talking to their Vulnerability MDR providers about a ‘utility model,’ in which price is based on the number of audits carried out and could give much more flexibility in your auditing strategy.

Risk Appetite should also be considered when considering MDR costs. Given that threats increase on a daily basis, the level of underlying cyber risk exposure depends on answering two questions:

  1. Are you auditing every device on every audit (giving you a complete dataset) or a sample (say 10%) and extrapolating the results?
  2. How frequently are you auditing – ranging from once per annum to once per day?

When you combine the two, you arrive at the scale of the Vulnerability MDR challenge you are setting for yourself based on your Risk Appetite – and should invest accordingly. As long as you trust the accuracy of the results, your Vulnerability MDR provider can then combine continuous vulnerability detection – providing a view of your exact network status – with analytics technologies, to set risk tolerance levels so that only the highest priority issues are escalated to your SOC for remediation/response. This automated, continuous approach provides an affordable solution for organizations that see the value in Vulnerability MDR to complement their investment in Threat MDR.

In summary, does your combined solution deliver both SOC Configuration Confidence and Operational Confidence against trusted Risk Management Frameworks? If not, whatever it costs, you have to question whether you are getting value for money.

Grant AldrichGrant Aldrich

@onlinedegreecom

Grant Aldrich is the Founder and CEO of OnlineDegree.com.

"Managed detection and response can vary in price significantly, so…"

What matters more than the cost is the value you receive from the service or the technology's add-on features. Before buying the service outright, always ask to test the MDR's service using penetration testing from another firm, or threat simulation services.

Scaling of Operation: Does the MDR provider have enough staff to survey the number of customers with technology alone accurately? Will you need to hire more staff? Will you need to pay more to get a company that has more extensive staff?

Threat Solutions: Concentrate on technology that offers more than one aspect of capture inspection instead of just logs. If they have a wide variety of capture software, ask if they need SSL/TLS and/or SSH decryption capabilities to overcome specific threats.

Jonathon WrightJonathon Wright

@TheQALead

Jonathon Wright is the Co-Founder of The QA Lead.

"One of the things I always encourage people to consider when looking into managed detection and response solutions is…"

How quickly they respond to threats that are detected and what that response looks like. Bad actors usually need anywhere from 15 to 25 hours to breach a system and, once inside, ransomware can spread to a new machine every six seconds.

You're likely spending a good amount of money protecting your assets. If their response time isn't quick enough to catch a threat inside that window of opportunity, you're wasting your money. Not only does the response time need to be fast, but they need to be able to sift through false positives and false negatives to determine when it's time to act.

Don't Fall Behind; Get The Latest Security Insights Delivered To Your Inbox Each Week

Recommended Resources