There are plenty of cybersecurity vendors that list managed detection and response (MDR) as one of their services. But the definition of MDR is far from standard, making it a challenge for organizations to assess what is included in a particular MDR offering. Starting from a perspective of need will help you find the perfect match. Use the 4 questions below to determine what you are looking for from the MDR vendor relationship and whether the MDR services you are evaluating can meet those needs.
Managed Detection and Response (MDR) is a common descriptor for services offered by cybersecurity providers. Dig a bit deeper and you’ll find that the MDR acronym is stamped on solutions by nearly every vendor with the word “security” in their name.
Clearly, not all of these MDR services are created equal. With so many options, how do you determine which vendor is right for you?
Use these 4 questions to zero in on the levels of MDR services that are critical for your organization. This will help you cut through the technical jargon and focus your evaluation on the MDR services you really need – and whether the potential vendor is the right fit.
1. What level of management does the vendor provide?
It is essential to determine how close you want (or need) the MDR vendor to be to your IT environment. If your organization has a robust and capable in-house technical team, an MDR solution may give you access to cybersecurity expertise, while all management of network and IT resources remains the responsibility of your internal team. On the other hand, if your organization has limited technical capabilities and skills, an MDR solution can provide the people, processes, and technology needed to monitor your entire environment and ensure the appropriate protection is in place. Here are three service-level examples – along with questions that will help you establish which level of MDR management you need:
External. The MDR vendor has zero visibility into your systems and relies only on outputs your organization provides. Questions to ask:
Internal – View Only. The MDR vendor has access to view your system components, but can only advise, not act. Questions to ask:
Internal – View and Manage. The MDR vendor has access to view, monitor, and manage your system components. This relationship requires a high level of trust in the vendor. Questions to ask:
2. How does the vendor detect and prioritize threats?
Most MDR providers use a security information and event management (SIEM) tool to filter customer security data (e.g., event and log files) and use the output to generate alerts. But the “right” level of filtering is unique to each organization. A basic filtering process on even a simple network could trigger hundreds of alerts per day, each representing a potential threat that needs to be reviewed and potentially acted on. This is the more economical option, but it is also time-intensive, because every alert still has to be reviewed. A robust filtering process can include running each alert through a series of algorithms, AI-enabled filters, and human review to assess and prioritize the alerts, elevating actual threats and weeding out noisy false positives. Following are service examples and questions to ask at each level:
SIEM Only. The MDR vendor provides outsourced SIEM services and escalation is machine-driven with no human involvement. Questions to ask:
SIEM + SOC. The MDR vendor has a security operations center (SOC) which actively reviews, analyzes, prioritizes, and escalates alerts generated for your organization. Questions to ask:
SIEM + SOC + AI/Algorithms. The MDR vendor has layers of built-in analysis to filter, prioritize, and escalate the SIEM output in addition to SOC review. Questions to ask:
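To make the filtering and prioritization layers above concrete, here is an added example (not code from the original article or from any vendor it describes) of the kind of triage pass that sits between raw SIEM output and a SOC queue. It takes constructed sample alerts, collapses repeated (rule, host) pairs inside a time window into one case, suppresses known-noise rules and an authorized scanner, scores what remains by severity, asset criticality, and detection confidence, and assigns a priority tier with a response deadline. The alert fields, the rule names, the weights, the tier thresholds, and the SLA values are all assumptions chosen for the demonstration; a real deployment would tune them per customer.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample SIEM alerts (not real telemetry). Each record is one
# detection the SIEM emitted after basic rule matching; field names are assumed.
SAMPLE_ALERTS = [
    {"ts": "2024-05-01T09:00:00", "rule": "auth.failed_login", "host": "web-01", "severity": "low", "confidence": 0.4},
    {"ts": "2024-05-01T09:00:20", "rule": "auth.failed_login", "host": "web-01", "severity": "low", "confidence": 0.4},
    {"ts": "2024-05-01T09:00:40", "rule": "auth.failed_login", "host": "web-01", "severity": "low", "confidence": 0.4},
    {"ts": "2024-05-01T09:01:00", "rule": "auth.failed_login", "host": "web-01", "severity": "low", "confidence": 0.4},
    {"ts": "2024-05-01T09:01:20", "rule": "auth.failed_login", "host": "web-01", "severity": "low", "confidence": 0.4},
    {"ts": "2024-05-01T09:05:00", "rule": "backup.job_complete", "host": "db-01", "severity": "info", "confidence": 1.0},
    {"ts": "2024-05-01T09:07:00", "rule": "edr.credential_dump", "host": "db-01", "severity": "high", "confidence": 0.9},
    {"ts": "2024-05-01T09:09:00", "rule": "net.port_scan", "host": "scanner-01", "severity": "medium", "confidence": 0.8},
]

# Assumed per-customer tuning an analyst would maintain.
ASSET_CRITICALITY = {"db-01": 3, "web-01": 2}        # unknown hosts default to 1
SUPPRESS = {("net.port_scan", "scanner-01")}          # known authorized vulnerability scanner
NOISE_RULES = {"backup.job_complete"}                  # informational, never escalated
SEVERITY_WEIGHT = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
SLA = {"P1": timedelta(minutes=15), "P2": timedelta(hours=1), "P3": timedelta(hours=8)}


@dataclass
class Case:
    rule: str
    host: str
    first_seen: datetime
    last_seen: datetime
    count: int
    severity: str
    confidence: float


def aggregate(alerts, window=timedelta(minutes=5)):
    """Collapse repeated (rule, host) alerts within `window` into one case, keeping a count."""
    cases = {}
    for a in sorted(alerts, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(a["ts"])
        key = (a["rule"], a["host"])
        current = cases.get(key)
        if current is not None and ts - current.last_seen <= window:
            current.count += 1
            current.last_seen = ts
        else:
            cases[key] = Case(a["rule"], a["host"], ts, ts, 1, a["severity"], a["confidence"])
    return list(cases.values())


def score(case):
    """Priority score: severity x asset criticality x confidence, boosted for bursts."""
    base = SEVERITY_WEIGHT[case.severity] * ASSET_CRITICALITY.get(case.host, 1) * case.confidence
    burst = 1.0 + min(case.count, 10) / 10.0  # five repeats -> x1.5, capped at x2
    return round(base * burst, 2)


def tier(s):
    """Map a score onto the assumed P1/P2/P3 tiers; None means drop from the queue."""
    if s >= 6.0:
        return "P1"
    if s >= 2.0:
        return "P2"
    if s > 0:
        return "P3"
    return None


def triage(alerts):
    """Full pass: aggregate, suppress noise, score, tier, and attach a response deadline."""
    queue = []
    for c in aggregate(alerts):
        if c.rule in NOISE_RULES or (c.rule, c.host) in SUPPRESS:
            continue
        s = score(c)
        t = tier(s)
        if t is None:
            continue
        queue.append({
            "rule": c.rule, "host": c.host, "count": c.count, "score": s, "tier": t,
            "respond_by": (c.first_seen + SLA[t]).isoformat(),
        })
    return sorted(queue, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for item in triage(SAMPLE_ALERTS):
        print(item)
```

Run as written, the eight raw alerts shrink to two queued cases: the credential-dump detection on the critical database host lands at the top as P1 with a 15-minute deadline, and the five failed logins collapse into a single low-priority P3 case that records how many times it fired. The scheduled backup and the authorized scanner never reach a human. The point for vendor evaluation is that each of these decisions (the window, the suppression list, the weights, the thresholds) is a policy choice; the questions in this section are about who owns those choices and how they are reviewed.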
3. How does the vendor handle escalations?
Regardless of how a threat is filtered and prioritized, once it is determined to be legitimate, action needs to be taken. When deciding who is responsible for escalating an issue, the options range from customer-driven escalation to review and investigation driven by cybersecurity professionals. Here are some escalation options along with questions to ask:
Automated Escalation. With this passive and reactive variety of MDR, the vendor sends alerts to the customer who is responsible for escalation. When threats are encountered, the customer may contact the MDR vendor for support. Questions to ask:
SOC-Based Escalation. This is a more managed approach where responsibility for alert escalation is assigned to SOC personnel. Questions to ask:
Analyst-Reviewed Escalation. A higher level of service includes not only SOC escalation, but also an analyst review of each escalation, delivering the escalation details along with advisory information on how quickly, and in what way, to act on that information. Questions to ask:
Analyst Detailed Investigation. As a level of service beyond an analyst review, some MDR vendors provide threat investigation services to determine not just what happened, but how it happened. Questions to ask:
4. What kind of response is right for your organization?
Once it is determined that an escalation of an alert is necessary, communication is of the utmost importance to protect your digital assets. That communication must be defined, including how quickly your organization should be informed of the escalation. Here are some examples, along with questions to consider:
24-Hour Callback. In a consulting-based MDR relationship, calls are usually delivered by non-SOC personnel. Questions to ask:
Proactive SOC. SOC staff or analysts open a ticket for your organization and contact you as they are able. Questions to ask:
SLA-Driven SOC. This is the same as Proactive SOC with the inclusion of a contracted time guarantee with penalties for late contact. Questions to ask:
Remediation-Enabled SOC. In a co-management relationship, the MDR vendor's SOC personnel have permission to fix certain customer issues, either during non-business hours only or at any time (24×7), depending on the contract. Questions to ask:
Deep-Search SOC. The SOC is enabled to measure traffic and system activity beyond SIEM feeds to track activity that indicates a cybersecurity risk. Questions to ask:
MDR vendors provide similar services that vary along a continuum from passive and simple to proactive and complex. It is important to understand your organization's IT capabilities and the resource and security gaps that put it at risk. Understanding these will help you determine the level of services you need from an MDR vendor, and more accurately assess whether a vendor's approach can deliver value. And keep in mind that experience counts. Cybersecurity is a tough business in which new companies struggle to compete effectively. It is to your advantage to look for a vendor with a long track record of relationships and success within their customer base.
Our handy MDR vendor checklist is an essential tool for evaluating potential providers. It contains 30 questions to help you understand and assess a vendor’s scope of security coverage and MDR service levels.