Brought to you by:
Enterprise Strategy Group  |  Getting to the Bigger Truth™

ESG WHITE PAPER

A Security Leader’s Guide to Leveraging MDR for Security Maturity and Development

By Dave Gruber, ESG Principal Analyst
JULY 2022

Building a Modern Cybersecurity Program

Leading an effective security program is certainly not for the faint of heart. Modern CISOs face unprecedented growth and diversity in both the IT environment they are charged with protecting and the risk and threat landscape they are defending against.
While each organization has its own unique attack surface, operating model, and risk tolerance, most security leaders share a common objective—to enable operational continuity while minimizing friction, disruption, and financial risk. Strategies used to achieve these objectives can vary dramatically across different organizations, regardless of size, objectives, and structure, often driven by experiences, relationships, and overall security program maturity.
As security leaders craft strategies comprised of people, processes/policy, and technology, they face an ongoing resource and skills shortage, motivating many to leverage outside service providers to implement, supplement, or augment parts of their operation. The emergence of modern security service providers is supplying security leaders with new opportunities to accelerate program development velocity.
This paper will introduce a security maturity hierarchy and outline commonly used program strategies that are associated with individual levels of maturity.

The Security Maturity Journey

While individual industry business models may influence security strategies, the larger factors influencing them are more often the role that IT systems and data play in the overall business strategies. And while IT plays an important role in most organizations, for more digital-centric, digital-born organizations, core IT infrastructure IS the business.
As C-level executives make decisions around the importance of their security programs, their risk profile and tolerance, and the level of investment required to address the security needs of their organizations, most will seek to find a security leader with relevant experience to lead the charge. Seasoned security leaders often come with their own experiences and proven strategies that further inform their overall security program goals, strategies, and implementation tactics.
Security investment strategies must align with IT and business growth strategies, focusing on business enablement, business continuity, and risk and compliance management. Security patterns and frameworks help guide these strategies in this continuously evolving industry; however, implementation approaches vary widely.

Security Program Scalability

Staffing models and resource availability play an important role in the velocity of program development. Security tools and data architecture, attack surface diversity and complexity, and the pace of IT change within the organization all must be backed up by people and processes that can scale with the business.
Regardless of company size, industry, and public/private affiliation, security maturity can often play a significant role in what strategies are utilized to achieve overall security and risk objectives. As security leaders develop program strategies, staffing models and resource availability play an important role in program development timeframes. Program development progress is further impacted by security tools and data architecture, attack surface diversity and complexity, and the pace of IT change.
While many strive to hire in-house, permanent resources to build out their security programs, others are taking a services-first approach, often motivated by a lack of availability of skilled resources, alert fatigue, immature processes, and/or an immature security technology stack. ESG research finds that use cases and consumption of third-party services therefore vary based on levels of security maturity, which will further be outlined in this paper.

An ESG Security Industry Maturity Model

ESG segments organizations into five categories of security maturity (see Figure 1), each aligned to specific characterization of risk tolerance, perceived value of cyber assets, governance mandates, and security acumen. Levels of security maturity often also align to overall investment in the security program as compared to operating revenues and personnel. While the model is intended to represent a progression of five levels of maturity, it also recognizes that strategies can vary significantly, so it is intended to be a representative model more than a hard and fast roadmap for maturity progression.
ESG refers to the five progressive maturity levels as: basic defense, aspiring, evolving, mature, and advanced. The graphic below summarizes the progression and associated strategies aligned with each level of the model. The model further intends to show where MSSP and managed detection and response (MDR) services are often applied across the five levels.
Figure 1. Five Levels of Security Maturity

Source: ESG, a division of TechTarget, Inc.

5 Levels of Security Maturity

1. Level-1: ESG sees level-1 maturity organizations focusing on basic business continuity and compliance objectives. These organizations often see security investments as pure operational overhead expenses and, therefore, prioritize cost and simplicity. Security is often a function within IT and is not often discussed at executive levels within the organization. With few (if any) full-time security professionals on staff, strategies often include the use of managed security service providers (MSSPs) for the deployment and management of core operational security infrastructure. Level-1 strategies are often limited to reacting to security events and supporting audit and compliance requirements at the most basic level.
2. Level-2: Aspiring organizations often recognize the risk associated with cyber-attacks and, therefore, prioritize a dedicated security leader to develop a security program, with the aim of growing capability and maturity over time. The rise of the ransomware threat is moving more organizations into this category, driving many to accelerate security program investments. Investments are often heavily focused on prevention. Endpoint detection and response (EDR) tools are often implemented with endpoint security solutions; however, aspiring organizations often struggle to operationalize the use of EDR. Managed detection and response (MDR) services help overcome this gap, while providing both experts and best practices in effective threat detection and response. Threat intelligence also becomes a priority here, motivating many to acquire threat intel services, together with hiring more skilled resources with deeper security acumen.
3. Level-3: ESG defines organizations in the “evolving” level of security maturity as those that have invested significantly in strategy and are heavily focused on implementation tactics in support of a broad prevention, detection, and response approach. These organizations will likely also have chosen one or more security frameworks to guide strategies. Evolving organizations often partner with third-party security experts, including MDR providers, but also work directly with security solution providers to deploy, configure, and optimize tools to build out their security stack. These organizations often have aggressive IT investments underway, requiring alignment and cooperation between in-house IT and security teams working together with third-party solution and service providers.
4. Level-4: Mature security organizations have fully developed and implemented security programs covering all aspects of their operations. Most depend on a combination of in-house security experts and services that address skills and coverage gaps and support program growth. The CISO or equivalent security leader plays a strong role in leadership, guiding program investments in support of business growth objectives. Mature organizations have well-tested incident response (IR) plans and often depend on a combination of both internal and external IR resources. These organizations are hyperaware of all aspects of their attack surfaces and tend to have greater visibility into attack attempts throughout their environments. Detection and response, including threat hunting, is often central to the program strategy. Cyber resilience is a key area of focus, closely tracking both changes in the threat landscape and attack surface growth.
5. Level-5: ESG defines the highest levels of security maturity as advanced. These organizations have highly customized security strategies, tools, and processes, supported by heavily funded, large security teams. Advanced organizations have a deep understanding of the role of security in the enablement and growth of their overall business strategies, and they tend to be experts in all aspects of security, including readiness, prevention, detection, response, and recovery. They highly leverage both internal and external expert resources and frequently are included in executive-level conversations, including the board of directors.

Ongoing Skills Shortages

Resource and skills shortages across the cybersecurity industry create ongoing challenges for organizations to achieve advanced levels of security maturity. Focusing internal resources on the most strategic security initiatives and program development often means finding other strategies to operationalize security.

Leveraging Managed Detection and Response Providers

MDR Core to Modern Security Strategies
73% of organizations are already using or are actively working on a project to adopt the use of MDR services in support of their detection and response programs.
ESG research shows that managed detection and response services are becoming core to modern security strategies, with 73% of organizations already using or actively working on a project to adopt the use of MDR services. Embracing the use of third-party security services, applied across multiple use cases, is characteristic of maturing organizations as they grow and scale, enabling internal resources to stay focused on security strategies and architecture. Use cases supported by MDR vary by organization and include:
• Full outsourcing of security operations (SOC-as-a-service).
• Limited functional outsourcing (alert triage, monitoring, escalation, etc.).
• 24x7 coverage.
• Incident response resources and services.
• Staff augmentation (specialized skills, experts, IR, etc.).
• Threat hunting.
• Security tools optimization.
• Specialized threat intel/threat insights.
• Program development and maturity.

Outcomes

MDR Outcomes:
Improvements in security efficacy, operating efficiency, program development, and/or attack surface coverage.
Investments in MDR services can deliver on many outcomes, including improvements in efficacy, efficiency, program development, and/or coverage. Specific outcomes include:
Improvements in efficacy:
• Attack surface coverage and reduction (asset discovery, vulnerability assessments, prioritization, and patching).
• Stopping threats in progress (better detection of all types of threats; faster, more accurate risk assessment and prioritization of threats; and proactive threat hunting to uncover unknown threats).
• Improved incident response, minimizing the impact of compromise/breach (better/faster threat isolation, improved forensic investigation, strengthened controls to reduce future attacks).
• Improved cyber insurability. As insurers look to verify security program maturity, posture, and risk, MDR providers can fulfill many of the core requirements insurers demand.
Operational/efficiency improvements:
• Reduced alert fatigue/incident backlog.
• Reduced noise (reduction in false positives).
• Reduced cost of security operations:
  o Lower personnel costs for SOC analysts and managers.
  o Lower security tools deployment and management costs.
  o Increased 24x7x365 coverage at a lower cost.
• Simplified regulatory compliance.
Advancements in security program development:
• Increases in overall program maturity.
• Improved security posture (strengthened policy and controls).
• Standardized processes and best practices.
• Skills growth and improvement (both tactical and management).
• Improved awareness of attack surface coverage.
• Improved risk awareness and reporting.
• Improved tools, infrastructure, and data ingest.
Expanded staffing/skills coverage and growth:
• Off-hours coverage.
• Expert security skills on demand.
• Rapid security tools configuration and management.
• Just-in-time expert incident response resources.
• Compliance expertise.
These outcomes vary based on specific use cases and services contracted with individual managed detection and response providers.

Arctic Wolf Managed Security Operations Offerings

Arctic Wolf provides solutions that help organizations improve their security posture and program efficiency. Combining technology, proven best practices, and an array of security experts, Arctic Wolf offers multiple security services applicable to organizations across many levels of security maturity.
A Scalable, Open, Extensible Technology Platform
Built on an open-XDR architecture, the Arctic Wolf security platform collects and enriches endpoint, network, and cloud telemetry and then analyzes it using multiple detection engines. The platform leverages a combination of machine learning techniques, together with custom detection rules to deliver personalized protection. The platform is vendor-neutral, meaning that it can work with existing security tools investments.
A Personalized Delivery Model
Arctic Wolf offers a concierge delivery model, pairing a team of Arctic Wolf security operations experts directly with in-house security and IT resources to provide 24x7 coverage while growing security posture over time. Arctic Wolf offers both tactical activities, such as alert prioritization and threat hunting, and strategic tasks, such as security posture reviews and risk management.
More than Detection and Response
Arctic Wolf offers other security solutions beyond detection and response, helping security teams grow program maturity or fill operational gaps, including vulnerability management and risk management, user security awareness and education, phishing simulation and training, security program architecture, and incident response program development and retainers.

The Bigger Truth

As security leaders develop security programs in support of risk management objectives, the strategies used to achieve these objectives can vary dramatically across different organizations, regardless of size, objectives, and structure, often driven by experiences, relationships, and overall security program maturity.
Regardless of security maturity, managed detection and response services are becoming a mainstream element of most security programs and are evolving to align with the growth and maturity of program development over time.
ESG recommends that organizations identify specific use cases where MDR service providers can support both strategies and objectives that ultimately align with business outcomes. ESG also recommends that organizations considering MDR services should explore providers such as Arctic Wolf to assess alignment with these specific use cases and organizational objectives.

This ESG White Paper was commissioned by Arctic Wolf and is distributed under license from TechTarget, Inc.

All product names, logos, brands, and trademarks are the property of their respective owners. Information contained in this publication has been obtained by sources TechTarget, Inc. considers to be reliable but is not warranted by TechTarget, Inc. This publication may contain opinions of TechTarget, Inc., which are subject to change. This publication may include forecasts, projections, and other predictive statements that represent TechTarget, Inc.’s assumptions and expectations in light of currently available information. These forecasts are based on industry trends and involve variables and uncertainties. Consequently, TechTarget, Inc. makes no warranty as to the accuracy of specific forecasts, projections or predictive statements contained herein.

This publication is copyrighted by TechTarget, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of TechTarget, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact Client Relations at cr@esg-global.com.

Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.