Does Your MDR Deliver Outcomes — or Homework?

At CrowdStrike, we’re on a very simple mission: We stop breaches. That’s easy to say, but challenging to put into practice, and nobody does it better than the CrowdStrike Falcon Complete™ team. Today CrowdStrike is very proud to have been recognized as a Leader in the IDC MarketScape: U.S. Managed Detection and Response Services (MDR) 2021 Vendor Assessment (doc #US48129921, August 2021).

This is a strong recognition of CrowdStrike’s unique approach to MDR, and of the fundamental shift CrowdStrike is bringing to the way an MDR service can protect its customers from modern cyberattacks.

The Need for Speed

The main challenge in cybersecurity is speed. Today’s adversaries move fast, and we know from observation — of countless attacks against millions of endpoints protected by the CrowdStrike Falcon® platform — that attackers go from initial intrusion to lateral movement in a matter of a couple hours or less. If defenders are going to be successful in stopping a breach, they need to operate on this same timescale, containing and remediating threats in minutes, 24 hours a day, 7 days a week.

This is difficult for many organizations to achieve with in-house staff, which is why they engage an MDR provider. Unfortunately, few managed services are willing or able to deliver the capabilities that are truly needed to stop breaches at speed and scale. Instead of outcomes, they deliver recommendations and homework for their customers, who remain responsible for taking the actions necessary to stop intruders. Falcon Complete set out with the ambitious goal of filling this gap.

MDR Should Deliver Outcomes

The first and primary piece of the puzzle that sets Falcon Complete apart is simple. We made the decision early on that we would own the results. A typical customer engages with an MDR service for one simple reason: They want to avoid a damaging breach. Since many MDRs aren’t able to commit to this outcome, the requirement often gets broken down into more granular commitments, such as how soon an analyst will respond to a critical alert. Service-level agreements (SLAs) like this are useful in tracking effectiveness over time, and short SLAs for response can reduce risk of a breach, but it’s a long way from committing to the mission of stopping breaches.

From Day One, Falcon Complete has included our best-in-class Breach Prevention Warranty, designed to give our customers confidence that CrowdStrike stands strongly behind our team and the results they deliver. I’m proud to say that in the more than three years that Falcon Complete has been available, we have not had a single claim against this warranty.

Setting the Foundation

In order to deliver on our mission with confidence, Falcon Complete adopted some key guiding principles that existing service providers were unwilling or unable to deliver on:

  • Your MDR should drive the security configuration. One of the most common ways for an attacker to gain a foothold is via unprotected systems, or via systems with improper security configurations. Without active management of security posture, an MDR service cannot commit to stopping breaches, because it does not control a key component of proactive defense. Our Falcon Complete team actively manages the security configuration of managed systems, ensuring all endpoints have optimal protection at all times.
  • Your MDR should uncover threats at the earliest possible stage. Most MDR services are structured around SLAs for responding to high-severity alerts and have little incentive to pay attention to low-severity alerts. This structure helps them to create a sustainable, scalable business, but it ignores early signs of emerging threats, increasing risk and costs to remediate. We knew that if the Falcon Complete team was going to be effective at stopping breaches, we would need to be much more aggressive in identifying malicious activity earlier in the kill chain. We crafted a team with deep expertise in digital forensics and incident response (DFIR) and the Falcon platform. We organized them in a unique structure capable of investigating every alert, from low to critical severity. We built a service that incorporates continuous 24/7 human threat hunting (via the Falcon OverWatch™ team) to uncover the most sophisticated threats quickly. And we trained them on our proprietary processes that are critical to meeting the 1-10-60 challenge.
  • Your MDR should own remediation as part of the response. Stopping an intrusion before it becomes a breach is time-sensitive business. It may require isolating an affected system from the network, killing processes, removing persistence mechanisms from the file system or Windows registry, or carrying out any of a wide variety of actions. Many MDRs know what needs to happen, but very few are willing to pull the levers and execute. Instead they provide “recommendations” to their clients, which in turn introduces significant delays in response, as the client needs to receive, understand and correctly execute the remediation steps. Our Falcon Complete analysts own the full response to intrusions, including surgical remediation of threats in near real time. With Falcon Complete, intrusions are often detected and eradicated before attackers are even able to leverage their access.

Falcon Complete Delivers

When Falcon Complete was launched, the notion that an MDR could commit to outcomes, not just SLAs, seemed fairly radical, and it took some time to convince a skeptical market that an MDR could be trusted to perform these kinds of operations for clients at speed and scale. Today, just three years later, Falcon Complete protects thousands of customers, overseeing millions of endpoints all over the world. We are honored by the trust our customers have placed in us, and we remain committed to the mission of stopping breaches, wherever and whenever they occur.
