As security talent shortages loom and IT infrastructures – and security technologies – become more complex, many companies are turning to outsourced services as a way to quickly improve their security efforts. Threat detection and response are top priorities for reducing an organization’s critical mean-time-to-detect (MTTD). And what could be better than off-loading the large volumes of logs from across your network to a team of experts who monitor them 24x7x365, hunt for threats, and then block incidents of compromise based on what they see? The challenge is making sure a provider delivers on this promise. This blog can help.
There are thousands of providers that list managed detection and response (MDR) as a service offering, and nearly as many variations of what those offerings include. How can you know if you’re getting true MDR – or just managed detection and “alerts” (MDA), which leaves the “R” up to you?
Here are 3 ways to make sure you’ll get actionable responses – not just noise – from your vendor:
Remember that analysis can only be performed on data that’s actually ingested into your provider’s MDR platform. If you share just perimeter firewalls, for instance, the analysis will be limited and leave the rest of your environment exposed.
It’s your responsibility to validate that the types of data being sent – network traffic, firewalls, endpoints, servers, etc. – give your cybersecurity provider full visibility into your distributed environment, including logs that show lateral movement inside the network as well as ingress/egress at its edge.
What you can do: Engage with your cybersecurity firm to discuss all of the different possible data sources from the cloud, SaaS, on-premise, or within your supply chain to maximize the effectiveness of your MDR services. Be sure to ask how your provider enriches the data you provide with global visibility from beyond your network sources, including dark web analytics, threat intelligence, and other threat detection feeds.
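The visibility check described above can be turned into a routine test rather than a one-time conversation. The following is an added example, not code from the original post or from any MDR vendor: it compares a constructed asset inventory (which assets exist, which zone they sit in, which telemetry they should forward) against a constructed ingest ledger of what the provider's platform last received, and reports feeds that are missing, feeds that have gone stale, zones with no healthy feed at all, and whether any source that can show lateral movement is actually reporting. Hostnames, zone names, telemetry type labels and the ledger format are all assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: each asset, its network zone, and the telemetry types it
# should be forwarding to the MDR platform. Hostnames and zone labels are hypothetical.
INVENTORY = {
    "fw-edge-01":    {"zone": "perimeter", "telemetry": ["firewall"]},
    "fw-core-01":    {"zone": "internal",  "telemetry": ["firewall"]},
    "ws-finance-17": {"zone": "internal",  "telemetry": ["endpoint"]},
    "srv-ad-01":     {"zone": "internal",  "telemetry": ["endpoint", "auth"]},
    "aws-prod":      {"zone": "cloud",     "telemetry": ["cloud_audit"]},
    "m365-tenant":   {"zone": "saas",      "telemetry": ["saas_audit"]},
}

# Constructed ingest ledger in an assumed export format:
# (source, telemetry type, timestamp of the last event the platform received).
INGESTED = [
    ("fw-edge-01",    "firewall",    "2024-05-01T11:58:00Z"),
    ("ws-finance-17", "endpoint",    "2024-05-01T11:55:00Z"),
    ("srv-ad-01",     "endpoint",    "2024-05-01T11:50:00Z"),
    ("aws-prod",      "cloud_audit", "2024-04-28T09:00:00Z"),  # went quiet days ago
]

# Telemetry types that can show east-west (lateral) movement, as opposed to
# ingress/egress at the perimeter only.
LATERAL_TYPES = {"endpoint", "auth", "internal_flow"}

# Fixed "current time" so the example is reproducible offline.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def coverage_report(inventory, ingested, now, stale_after=timedelta(hours=24)):
    """Compare what should be ingested with what actually is, and return the gaps."""
    # Most recent event time per (source, telemetry type) pair.
    last_seen = {}
    for source, ttype, ts in ingested:
        t = _parse(ts)
        key = (source, ttype)
        if key not in last_seen or t > last_seen[key]:
            last_seen[key] = t

    missing, stale, healthy = [], [], set()
    for source, spec in inventory.items():
        for ttype in spec["telemetry"]:
            last = last_seen.get((source, ttype))
            if last is None:
                missing.append((source, ttype))          # never arrived at the platform
            elif now - last > stale_after:
                stale.append((source, ttype, now - last))  # arrived once, then went silent
            else:
                healthy.add((source, ttype))

    expected = sum(len(spec["telemetry"]) for spec in inventory.values())
    zones = {spec["zone"] for spec in inventory.values()}
    zones_with_data = {inventory[s]["zone"] for s, _ in healthy}

    return {
        "expected": expected,
        "healthy": len(healthy),
        "missing": missing,
        "stale": stale,
        "coverage_pct": round(100 * len(healthy) / expected, 1) if expected else 0.0,
        "lateral_visibility": any(t in LATERAL_TYPES for _, t in healthy),
        "zones_without_data": sorted(zones - zones_with_data),
    }


if __name__ == "__main__":
    report = coverage_report(INVENTORY, INGESTED, NOW)
    print(f"{report['healthy']}/{report['expected']} expected feeds healthy "
          f"({report['coverage_pct']}%)")
    for src, ttype in report["missing"]:
        print(f"MISSING  {src:<14} {ttype}")
    for src, ttype, age in report["stale"]:
        print(f"STALE    {src:<14} {ttype} (last event {age} ago)")
    print("lateral-movement visibility:", report["lateral_visibility"])
    print("zones with no healthy feed:", report["zones_without_data"])
```

Run against a real export from the provider's platform, the interesting output is the list of zones with no healthy feed and the lateral-visibility flag: a report that is green on the perimeter firewall but empty for cloud, SaaS and internal sources is exactly the "perimeter only" situation the post warns about. The stale threshold is deliberately a parameter, since acceptable silence differs between a busy edge firewall and a low-volume audit log.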
When an alert is identified by your provider, it triggers a response. That can mean either the provider addresses the suspicious activity, active threat, or attack on your behalf – or provides guidance and detail for you to address it. For many environments, response is a combination of both.
The key, though, is in the definition of an alert. Not all alerts that the system or analyst identifies are the same level of criticality – and some are false alerts. Alert validation by expert analysts can filter out the noise to save your team from alert fatigue and help them focus on the alerts that count. It’s a benefit of outsourcing to an MDR provider – but only if it’s done right.
What you can do: Your cybersecurity firm should work with you to develop and document a customized response playbook at the start of your partnership. The playbook defines what constitutes an alert for your specific organization (severity classifications). It also documents how the provider will handle alerts based on their severity, including escalation paths, who on your team or in your organization gets notified and how, and which response actions are the provider’s responsibility and which ones are yours.
Your MDR service needs to be more than the next evolution of a security alert system. You need insights into what’s happening inside and outside your network, the ability to partner in the event of an incident, and the trust to know that your cybersecurity firm is blocking threats you cannot see – with full transparency of their analysis and response.
What you can do: Look for partners with global operations and a heritage of service delivery with customers whose organizations are similar to yours – such as company size, industry, network complexity, and geography. Also, a provider’s technical certifications and regulatory expertise should match their case studies. For instance, a vendor that works with the healthcare industry should have a deep understanding of the implications of HIPAA on security controls and compliance.
An MDR provider should remove the burden of managing threat detection and response in-house – not just flood your already overworked security team with noisy unvalidated alerts. Use the 3 tips we’ve outlined here to ensure your vendor delivers effectively on the “R” of MDR – and provides you with reliable, proactive security protection for your organization.
Are you looking for an MDR provider? See if they check all the boxes with our handy checklist, Questions to Ask an MDR Vendor. Download now.