An Evolved Approach to Security Protection for Small to Medium IT Staffs

By Amos Aesoph, Xigent CISO

If you’ve taken time to look at which managed business security services are available on the market, you’ve probably found a variety of vendors offering a vast number of “named” security offerings. But what do those names mean?

It’s hard to compare your options unless you understand some key terms used to describe types of managed security offerings; let’s break them down:

  • Managed Security Service Provider (MSSP): an MSSP oversees and manages your network and information system security. The term is a broad one, used for any service provider that offers MDR, MTR or SOC services.
  • Security Operation Center (SOC): SOC-as-a-Service lets smaller companies draw on the experience and security expertise of an MSSP, which provides monitoring for malware and attacks, notifications when something is found, and assistance with remediation.
  • Managed Detection and Response (MDR): an MDR service focuses on discovering attacks that have already bypassed existing protections, validating that they are real threats, and providing actionable containment and remediation advice.
  • Managed Threat Response (MTR): MTR is a type of MDR service; the name is used by the security vendor Sophos to help the market understand what differentiates its service from typical MDR offerings. Sophos MTR not only finds the problem for you, but can actively help you resolve the attack. MTR is a fully managed threat-hunting, detection and response service that provides you and your organization with a dedicated 24/7 security team to detect and neutralize the most sophisticated and complex threats.

Top 5 pain points: The case for MDR or MTR services

Many organizations simply don’t have the time to search for possible threats on their own. This job requires highly qualified and specialized professionals with the right level of expertise. Such people are not only hard to find but also command high salaries. If you extend this to 24-hour coverage, it consumes an even larger portion of your IT security budget, and for many companies it is simply impossible.

Here are the 5 most common pain points that lead organizations toward an MDR or MTR service:

  1. Skilled resource gap: 79% of organizations worldwide report having difficulty recruiting qualified cybersecurity talent.* Further, threat hunting, investigation, and response are specialized skills that require experienced security analysts and responders. MDR services can be a more cost-effective way to gain access to the necessary skills and resources without having to recruit, train, and retain internal talent.
  2. Alert fatigue: 80% of organizations globally said they wish they had a stronger team in place to detect, investigate, and respond to security incidents.* Organizations often report that the number of alerts generated by their tools is greater than they can process, and that the humans involved fail to spot the important alerts among the noise. MDR services lend a helping hand to review, validate, and address alerts, enabling customers to spend more time on other priorities.
  3. Time limitations: Investigating alerts and hunting for undetected threats is time consuming, and responding effectively to a confirmed threat takes additional time. With IT and security resources stretched thin, some organizations prefer to outsource these tasks, freeing up staff for other priorities.
  4. 24/7 coverage: Few organizations have the in-house personnel to monitor for threats around the clock while also proactively hunting for new and emerging threats.
  5. Unknown threats: Many organizations lack the experience and tools needed to track down unknown and zero-day threats that are not already being detected by their existing technology or security solution.
What to look for in an MDR or MTR service

While there are many types of MDR services, not all MSS providers or MDR/MTR offerings are created equal. You’ll want a service that can:

  • Save you from dealing with long lists of error and threat messages on your own
  • Reduce the need to hire full-time, qualified and experienced security staff
  • Provide 24/7 lead and leadless threat hunting
  • Use telemetry to aid in threat investigations
  • Offer asset discovery services
  • Give you 24/7 access to a team of security experts
  • Take necessary action on your behalf if desired

Let’s take a look at what makes Sophos’ MTR service unique, allowing small and medium-sized businesses to afford and benefit from comprehensive, professional IT security protection.

What is Sophos Managed Threat Response (MTR)?

Sophos’ MTR service equips organizations with a 24/7 expert security team that takes care of threat detection in your organization. It’s not just another item on your security dashboard, but a targeted human response. Sophos’ MTR team will not only inform you in the event of an attack, but if desired, will also take necessary action to neutralize the threat on your behalf, providing:

  • Strong protection: Sophos MTR is built around Sophos Intercept X, an industry-leading endpoint protection solution. Because the product stops most threats on its own, analysts spend less time dealing with threats the product missed and more time focused on unique, complex or hidden threats. It’s consistently rated best-of-breed in endpoint protection:
    • The leader in the Gartner Magic Quadrant for Endpoint Protection
    • SE Labs Endpoint Protection Report AAA rating
    • Ranked #1 in the MRG Effitas Malware Protection Report
  • Fully managed response: Other MDR services may only notify customers of attacks or suspicious activities, leaving it up to the customer to take action against threats and work toward remediation. Sophos’ response team can engage fully and take control of a threat, from detection to neutralization.
  • Flexible response modes: The Sophos MTR team can adapt its engagement depending on customer requirements. This means peace of mind for customers, who know that they will get the help they need without any unwanted interference.
  • Robust threat hunting: Sophos threat hunters proactively hunt for and validate potential threats and incidents, and investigate causal and adjacent events to discover new indicators of attack and compromise.
  • Sophos Central: Customers can view and manage their entire portfolio, as well as the MTR deployment, from a single portal with no need to set up on-prem servers.


Choose the level of support that works for your organization

Sophos MTR offers multiple authorization levels. During onboarding, organizations decide on a level of support, determining how much control they want to hand over based on their existing internal talent and capabilities. The support service is also flexible, so you can, for example, choose Notify Monday–Friday 8 am–4 pm and Authorize for nights and weekends.

Here’s how the three authorization levels work:

  1. Notify: At this level, if the Sophos MTR team detects a threat or attack, they will inform you but will not act on your behalf. In addition to the notification, the team sends you a detailed report on the cause and the detection, with steps you can take to neutralize the threat on your own.
  2. Collaborate: At this mid-level of support, after the Sophos MTR team identifies the threat, they work with your employees or an external consultant to respond to it as an extension of your team.
  3. Authorize: The Authorize level gives the MTR team permission to take care of containment and neutralize the threat independently, while keeping you informed about the measures taken.

This flexibility in authorization levels is unrivaled in the market and is available without additional charges, making the service affordable for organizations with little to no in-house security expertise.

Two variations of the MTR service: Standard and Advanced

While the authorization levels are available for either version of the Sophos MTR service, the two variations allow organizations to choose between a standard or a more advanced and proactive form of Sophos’ threat detection capabilities.

The high-level capabilities for each include:

Standard version

  • 24/7 lead-driven threat hunting
  • Adversarial detections
  • Activity reporting
  • Security health checks

Advanced version

Includes all capabilities of Standard as well as:

  • 24/7 leadless threat hunting
  • Enhanced telemetry
  • Direct call-in support
  • Proactive posture improvement
  • Asset discovery

How do I decide what is best for my organization?

Xigent has the experience to cut through the marketing clutter and help find the right solution for your business, even if that means just using what you have now. There are hundreds of new threats every month and as many new products to fight them. Data security is critical to every business, no matter its size, industry, or importance, but effective data security requires a plan and the resources and capabilities to execute that plan.

*Results of an independent survey of 3,100 IT managers commissioned by Sophos in 2019