Three weeks v three minutes: The MDR Difference

Managed Detection and Response (MDR) has long been considered too expensive and beyond the reach of SMEs. There are good reasons for this, not least that most companies who provide these services don’t target SMEs, because they perceive that the revenue isn’t there even though the need very much is. Another issue is that SMEs don’t have the in-house resources to deal with this kind of service: doing it internally requires expertise, people and expensive monitoring tools, all of which SMEs lack. At best, their IT systems are overseen by someone who has another primary function, has little time to deal with IT issues, has no technical background, much less a cybersecurity background, and whose responsibility is limited to liaising with their network provider.
Then there is the network provider, who supplies hardware and software and may manage the network on behalf of the SME. The service level agreement (SLA) that these companies work to will set out precisely what services they provide, and I’m prepared to bet that it doesn’t include MDR, for the simple reason that they also lack the skills and experience required to provide an adequate service. To be clear, I’m not denigrating these companies or the services they supply; I am simply pointing out that they work to the strict service levels laid down in the contract and will usually not step outside of them.
I have written articles and posts about this before, but it’s worth repeating because there are now systems available, often driven by AI, that are affordable and not just appropriate for SMEs but specifically designed for them, at a service level that is realistic and priced accordingly. We use AI quite extensively in our service because it does the heavy lifting and allows us to deliver at a price that is appropriate for an SME. AI is now prevalent and used pretty much everywhere, including by cyber criminals. AI-driven attacks are becoming the norm and are not going away. We fight fire with fire.
Let’s develop this a bit further and look at a ‘before and after’ scenario, in which a small business holding a lot of personally identifiable information (PII), as defined within GDPR and associated legislation, decides to use an MDR service, having recognised that it has a legal duty to protect this data and that a data breach would be a serious issue that could put it out of business.
Scenario: “Maple & Co. Accounting”
Business type: Small accounting firm (12 employees)
Tech setup: Cloud-based email, shared drives, a basic firewall, and endpoint antivirus
Challenge: Limited IT staff (1 generalist), growing concerns about cyber threats
BEFORE MDR
Day-to-day reality
Maple & Co. believes they’re “covered” because they have antivirus software and strong passwords. But in practice:
- Alerts from antivirus pop up frequently → mostly ignored (“probably nothing”)
- No centralised visibility into systems or logs
- Employees occasionally click phishing emails
- Software updates are inconsistent
- No formal incident response plan
The Incident
One employee receives a convincing phishing email posing as a client invoice.
- They click the link and enter credentials
- Attacker gains access to their email account
- Uses that account to send more phishing emails internally
- Installs a lightweight remote access tool (RAT)
What goes wrong:
- No one notices unusual login locations
- Antivirus doesn’t flag the RAT
- Suspicious outbound traffic goes undetected
- The attacker quietly accesses financial documents for 3 weeks
Impact
- Sensitive client data exposed
- Regulatory reporting required
- Business reputation damaged
- Costly emergency IT response
- Downtime and lost productivity
AFTER MDR IMPLEMENTATION
Maple & Co. adopts a Managed Detection and Response service.
What MDR Adds
- 24/7 monitoring by a managed service provider
- Endpoint detection and response (EDR) tools installed on all devices
- Centralised log collection and analysis
- Automated and human-led incident response
Same Attack Attempt (But Now…)
Step 1: Phishing Email Clicked
An employee clicks a similar phishing link again.
MDR Response:
- Suspicious login detected (unusual geography + device fingerprint)
- Alert triggered immediately by behavioural analytics
Step 2: Credential Misuse Attempt
Attacker tries to access email and internal systems.
MDR Response:
- Account access temporarily blocked
- Forced password reset initiated
- Managed service team flags activity as high risk
Step 3: Malware Execution Attempt
The attacker tries to deploy a remote access tool.
MDR Response:
- EDR agent detects unusual process behaviour
- File execution is automatically stopped
- Device is isolated from the network
Step 4: Human Analyst Intervention
- Analysts investigate the full timeline
- Confirm malicious intent
- Remove persistence mechanisms
- Provide a clear incident report
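As an added illustration of Steps 1 and 2 above (example code written for this page, not code from the article or from any particular MDR product), here is a small Python check that scores each sign-in against a per-user baseline of known countries and device fingerprints and chooses the containment actions the scenario lists. User names, fingerprint values and the event fields are constructed, and the baseline is assumed to have been learned from the user's history before the check runs.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sign-in event, not real telemetry: device_id stands in for the
# opaque device-fingerprint hash an EDR/identity agent would supply (assumed).
@dataclass
class LoginEvent:
    user: str
    country: str
    device_id: str
    success: bool

@dataclass
class Baseline:
    countries: Set[str] = field(default_factory=set)
    devices: Set[str] = field(default_factory=set)

def assess_login(ev: LoginEvent, baselines: Dict[str, Baseline]) -> dict:
    """Score one successful sign-in against the user's baseline.

    Geography and device fingerprint are judged independently. Anomalous on
    both means probable credential misuse and is contained automatically;
    one anomaly alone only goes to an analyst. Only low-risk sign-ins update
    the baseline, so an attacker's first login cannot teach the system that
    their location or device is "normal". A user with no history at all is
    high risk by construction, so baselines must be seeded before enforcement.
    """
    base = baselines.setdefault(ev.user, Baseline())
    if not ev.success:
        return {"risk": "none", "reasons": ["failed sign-in"], "actions": []}
    reasons: List[str] = []
    if ev.country not in base.countries:
        reasons.append(f"unusual geography: {ev.country}")
    if ev.device_id not in base.devices:
        reasons.append(f"unknown device fingerprint: {ev.device_id}")
    if len(reasons) == 2:
        risk = "high"
        actions = ["block account access", "force password reset",
                   "flag to analyst as high risk"]
    elif reasons:
        risk, actions = "medium", ["flag to analyst for review"]
    else:
        risk, actions = "low", []
        base.countries.add(ev.country)
        base.devices.add(ev.device_id)
    return {"risk": risk, "reasons": reasons, "actions": actions}

if __name__ == "__main__":
    hist = {"alice@maple.example": Baseline({"GB"}, {"fp-a1"})}
    for e in [LoginEvent("alice@maple.example", "GB", "fp-a1", True),
              LoginEvent("alice@maple.example", "RU", "fp-zz", True)]:
        print(e.country, assess_login(e, hist))
```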
Outcome
- Attack stopped within minutes, not weeks
- No data exfiltration
- Minimal disruption to operations
- Actionable report delivered to the business
BEFORE vs AFTER (Quick Comparison)

Summary
Before MDR, Maple & Co. relied on tools without coordination or expertise. After MDR, they gained:
- Continuous monitoring
- Rapid response
- Expert analysis
- Reduced risk exposure
The biggest shift isn’t just better tools; it’s having dedicated security expertise actively defending the business at all times.
Remember, no service is ever going to guarantee 100% security; that’s just not realistic. What an MDR designed for SMEs will do is reduce your risk to a level that you’re prepared to accept, by adopting a risk-managed approach. It does this by having:
- A vulnerability assessment tool
- A built-in cyber awareness programme
- A phishing simulation tool
By identifying your vulnerabilities early and fixing them, your exposure is reduced, and by training your staff to be your first line of defence, you reduce it still further.