Silver Linings Blog

4 Questions to Focus Your Search for the Right MDR Provider

There are plenty of cybersecurity vendors that list managed detection and response (MDR) as one of their services. But the definition of MDR is far from standard, making it a challenge for organizations to assess what is included in a particular MDR offering. Starting from a perspective of need will help you find the perfect match. Use the 4 questions below to determine what you are looking for from the MDR vendor relationship and whether the MDR services you are evaluating can meet those needs.

Managed Detection and Response (MDR) is a common descriptor for services offered by cybersecurity providers. Dig a bit deeper and you’ll find that the MDR acronym is stamped on solutions by nearly every vendor with the word “security” in their name. 

Clearly, not all of these MDR services are created equal. With so many options, how do you determine which vendor is right for you?

Use these 4 questions to zero in on the levels of MDR services that are critical for your organization. This will help you cut through the technical jargon and focus your evaluation on the MDR services you really need – and whether the potential vendor is the right fit.

1. What level of management does the vendor provide?
It is essential to determine how close you want (or need) the MDR vendor to be to your IT environment. If your organization has a robust and capable in-house technical team, an MDR solution may give you access to cybersecurity expertise, while all management of network and IT resources remains the responsibility of your internal team. On the other hand, if your organization has limited technical capabilities and skills, an MDR solution can provide the people, processes, and technology needed to monitor your entire environment and ensure the appropriate protection is in place. Here are three service-level examples – along with questions that will help you establish which level of MDR management you need:

External. The MDR vendor has zero visibility into your systems and relies only on outputs your organization provides. Questions to ask:

  • Do we have the internal IT resources to set up, manage, and protect our own network?
  • Do we have visibility into all areas of our network for security reporting?

Internal – View Only. The MDR vendor has access to view your system components, but can only advise, not act. Questions to ask:

  • Do we have the internal IT resources to set up, manage, and protect our own network?
  • Are we able to take the advice from our vendor and react in a timely manner to threats detected?

Internal – View and Manage. The MDR vendor has access to view, monitor, and manage your system components. This relationship requires a high level of trust in the vendor. Questions to ask:

  • Do we have the trust that the vendor is providing us the service that we are paying for?
  • Can we access the same data that the vendor has to be able to confirm we are getting a quality service? 

2. How does the vendor detect and prioritize threats?
Most MDR providers use a security information and event management (SIEM) tool to filter customer security data (e.g., event and log files) and use the output to generate alerts. But the “right” level of filtering is unique to each organization. A basic filtering process on even a simple network could trigger hundreds of alerts per day, each representing a potential threat that needs to be reviewed and potentially acted on. This is a more economical solution, but it is also time-intensive for alert review. A robust filtering process can include running each alert through a series of algorithms, AI-enabled filters, and human review to assess and prioritize the alerts, elevating actual threats and weeding out noisy false positives. Following are service examples and questions to ask at each level:

SIEM Only. The MDR vendor provides outsourced SIEM services and escalation is machine-driven with no human involvement. Questions to ask: 

  • What is the ratio of number of devices to average number of alerts created per day?
  • What volume of alerts can our in-house team effectively process and review? 

SIEM + SOC. The MDR vendor has a security operations center (SOC) which actively reviews, analyzes, prioritizes, and escalates alerts generated for your organization. Questions to ask: 

  • What is the operational cadence of the SOC? (e.g., 24×7)
  • What are the qualifications of the SOC employees? 

SIEM + SOC + AI/Algorithms. The MDR vendor has layers of built-in analysis to filter, prioritize, and escalate the SIEM output in addition to SOC review. Questions to ask: 

  • What type of AI and algorithms are used?
  • What are the definitions of the methods used?
  • Who are the thought-leaders in the company? 
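The three service levels above differ mainly in how much sits between raw SIEM output and a human. The following added example (not code from the original post or from any vendor) models that difference: a "SIEM only" stage that turns every rule match into an alert, an algorithmic stage that suppresses known noise and scores what remains, and a routing stage that sends only the highest-scoring alerts to a human-review queue. The events, rule names, severity values, and the scanner address are all constructed for the example; the `alerts_per_device` figure is the device-to-alert ratio the first question in this section asks a vendor for.

```python
"""Tiered alert triage: SIEM-only alerting, an algorithmic filter/score layer,
and routing to a human-review queue.  All events, rules, scores and network
assumptions below are constructed for this example; they are not real
telemetry and not any vendor's method."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    device: str      # monitored host that produced the event
    rule: str        # detection rule that matched
    src_ip: str      # source address seen in the event
    count: int = 1   # how many times the rule fired in the window


# Constructed sample events: one day of output from a small network.
SAMPLE_EVENTS = [
    Event("ws-01", "failed_login", "10.0.0.5", 40),
    Event("ws-02", "failed_login", "10.0.0.5", 35),
    Event("srv-db", "port_scan", "10.0.0.5"),
    Event("ws-03", "failed_login", "203.0.113.9", 3),
    Event("ws-03", "new_admin_user", "203.0.113.9"),
    Event("srv-web", "malware_signature", "198.51.100.7"),
    Event("ws-04", "dns_query_to_sinkhole", "10.0.0.77"),
    Event("ws-05", "failed_login", "10.0.0.33", 2),
]

# Assumed environment knowledge: the in-house vulnerability scanner's address,
# whose login failures and port scans are expected and would otherwise be noise.
KNOWN_SCANNERS = {"10.0.0.5"}
# Assumed base severity per rule (0-100); a real deployment tunes these.
RULE_BASE_SCORE = {
    "failed_login": 20,
    "port_scan": 30,
    "new_admin_user": 60,
    "dns_query_to_sinkhole": 70,
    "malware_signature": 80,
}
# Assumed internal address space (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def stage1_siem(events):
    """SIEM-only behaviour: every event matching a known rule becomes an alert."""
    return [e for e in events if e.rule in RULE_BASE_SCORE]


def stage2_filter_and_score(alerts):
    """Suppress known noise, then score and rank what remains."""
    kept = [a for a in alerts
            if not (a.src_ip in KNOWN_SCANNERS
                    and a.rule in ("failed_login", "port_scan"))]
    rules_per_device = defaultdict(set)
    for a in kept:
        rules_per_device[a.device].add(a.rule)
    scored = []
    for a in kept:
        score = RULE_BASE_SCORE[a.rule]
        if len(rules_per_device[a.device]) >= 2:
            score += 25   # correlation: several distinct rules on one host
        if is_external(a.src_ip):
            score += 10   # activity involving an external address
        scored.append((min(score, 100), a))
    scored.sort(key=lambda s: s[0], reverse=True)
    return scored


def stage3_route(scored, threshold=70):
    """Split ranked alerts into a human-review queue and a parked set."""
    escalated = [s for s in scored if s[0] >= threshold]
    parked = [s for s in scored if s[0] < threshold]
    return escalated, parked


def triage(events, threshold=70):
    """Run all three stages and summarise the volumes at each one."""
    raw = stage1_siem(events)
    scored = stage2_filter_and_score(raw)
    escalated, parked = stage3_route(scored, threshold)
    devices = {e.device for e in events}
    return {
        "siem_alerts": len(raw),
        "alerts_per_device": round(len(raw) / len(devices), 2),
        "after_filter": len(scored),
        "escalated": [(a.device, a.rule, s) for s, a in escalated],
        "parked": len(parked),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed input the SIEM-only stage raises eight alerts, the scanner-suppression rule removes three of them, and only three of the remaining five clear the review threshold, with the host showing both a login failure burst and a new administrator account ranked first. The point for vendor evaluation is that each stage is a place where a provider's tuning (suppression lists, scores, threshold) decides what your team ever sees, which is why the questions above ask what those methods are and who defines them.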

3. How does the vendor handle escalations?
Regardless of how a threat is filtered and prioritized, once it is determined to be legitimate, action needs to be taken. In determining who is responsible to escalate an issue, the options can range from customer-driven escalation to cyber professional-driven review and investigation. Here are some escalation options along with questions to ask:

Automated Escalation. With this passive and reactive variety of MDR, the vendor sends alerts to the customer who is responsible for escalation. When threats are encountered, the customer may contact the MDR vendor for support. Questions to ask: 

  • What is the average call response time?
  • What is the service level agreement (SLA)? (e.g., 9x5x5 or 24×7)

SOC-Based Escalation. This is a more managed approach where responsibility for alert escalation is assigned to SOC personnel. Questions to ask: 

  • Where is the SOC located? What are the time zones for the SOCs? 
  • Is there more than one SOC? Is there a follow-the-sun SOC model in place?
  • What is the first language of SOC and support teams?
  • What is the SLA?
  • Are escalation services available after hours? 

Analyst-Reviewed Escalation. A higher level of service includes not only SOC escalation but also an analyst review of each escalation, which adds the escalation details along with advisory information on how quickly – and in what way – to act on that information. Questions to ask:

  • What are the qualifications of the analysts reviewing escalations?
  • What is the SLA?

Analyst Detailed Investigation. As a level of service beyond an analyst review, some MDR vendors provide threat investigation services to determine not just what happened, but how it happened. Questions to ask:  

  • Does the vendor provide detailed reports on escalated alerts, including not just what the threat is, but also how to remediate it?
  • Are investigations automated or is there human involvement?

4. What kind of response is right for your organization?
Once it is determined that an escalation of an alert is necessary, communication is of the utmost importance to protect your digital assets. That communication must be defined, including how quickly your organization should be informed of the escalation. Here are some examples, along with questions to consider: 

24-Hour Callback. In a consulting-based MDR relationship, calls are usually delivered by non-SOC personnel. Questions to ask: 

  • Do we have the internal capability to handle most security issues on our own?
  • How many years of cybersecurity experience does the vendor have? (10+ years of experience is a common standard)

Proactive SOC. SOC staff or analysts open a ticket for your organization and contact you as they are able. Questions to ask:

  • What is the average call response time?
  • What are the qualifications of SOC personnel?

SLA-Driven SOC. This is the same as Proactive SOC with the inclusion of a contracted time guarantee with penalties for late contact. Questions to ask:

  • What is the SLA?

Remediation-Enabled SOC. In a co-management relationship, an MDR vendor has permission for SOC personnel to fix certain customer issues during non-business hours or anytime (24×7), depending on the contract. Questions to ask:

  • What is the SLA?

Deep-Search SOC. The SOC is enabled to measure traffic and system activity beyond SIEM feeds to track activity that indicates a cybersecurity risk. Questions to ask:

  • What is the SLA?

MDR vendors provide similar services that vary along a continuum from passive and simple to proactive and complex. It is important to understand your organizational IT capabilities and the resource and security gaps that put your organization at risk. These will help you determine the level of services you need from an MDR vendor and more accurately assess whether a vendor can deliver value with their approach. And keep in mind that experience counts. Cybersecurity is a tough business in which new companies struggle to compete effectively. It is to your advantage to look for a vendor with a long track record of relationships and success within their customer base.

Our handy MDR vendor checklist is an essential tool for evaluating potential providers. It contains 30 questions to help you understand and assess a vendor’s scope of security coverage and MDR service levels.
