6 Things to Look For In A Managed Detection & Response Provider

According to Gartner [1], organizations in the market for managed detection and response (MDR) services are overwhelmed by the sheer number of vendors offering the service. But it's not just the number of vendors overwhelming buyers; it's the disparate services and delivery models.

To help clear up some of this confusion, Digital Hands put together this handy guide to the six essential questions you should ask MDR vendors before you dive deep into your search for an MDR provider that ticks all the boxes.

Basics of MDR

Using Gartner's definition [2], MDR providers deliver threat monitoring, threat detection, and threat response services on a 24/7 basis across your hosts and your network. To do this, they leverage a mixture of technology, threat intelligence, advanced analytics, and human brainpower for incident response and investigation. MDR vendors usually offer remote incident response and technical support for incident remediation should your infrastructure come under attack.

EDR (endpoint detection and response) and NDR (network detection and response) fall under the umbrella of MDR. They are part of the mix when it comes to detecting and responding to threats. 

MDR is not just about the technology a provider uses. A complete MDR service will depend heavily on the people behind the technology, people with the experience to spot anomalies and see the big picture when it comes to disparate and uncorrelated events. MDR requires people with domain expertise to regularly update detection rules with the latest threat intelligence. These people are the ones who will come to your aid when the worst-case scenario occurs and a cyber attacker penetrates your defenses. 

Not all MDR providers are created equally, so it's important to ask the right questions.

A Quick Note About Extended Detection & Response (XDR)

Before moving on to the right MDR questions, it's worth touching briefly on XDR, because you increasingly see MDR vendors refer to themselves as XDR vendors. According to Gartner [3], Extended Detection & Response (XDR) is an incident response tool and security threat detection tool that integrates your SOAR and other security products into a SaaS-based security operations platform. XDR delivers threat information in real time and provides a holistic view of cyber threats across your entire technology infrastructure. Its goal is to provide faster detection and response outcomes, and it is geared towards improved detection and response capabilities, force multiplying your security operations team, and lowering the cost of ownership of effective threat detection and incident response. XDR is not too far away from MDR. The real difference is that XDR providers integrate their SOAR and SIEM with their detection and response capabilities. We at Digital Hands do this, but we still call it MDR rather than XDR.

Question 1 -

What does your MDR protect?

If you already have cybersecurity technologies in place, like SIEM, you may want to let the MDR provider access it and feed it with alert data when they detect any potential threats.

You may also have your own detection technology that you want the vendor to use. Typically, MDR providers will have more effective technology than you, simply because they have many customers, trial lots of different products, and choose the best technologies for each specific job. But if you have invested in your own technology, talk to an MDR vendor and find out if it can be integrated into the mix or if the purchase of new technology is required.

Question 2 -

How do you collect and process data?

If you are like most businesses these days, you have a mix of different IT environments ranging from the private, public, and hybrid clouds, as well as some onsite servers and endpoints. Some MDR providers are unable to manage this kind of complexity. Ask your vendor if they have worked in that kind of IT environment mix before and if they can support your entire IT estate across that mixed environment. Ask if their detection and response solutions can work effectively across native cloud security solutions and those multiple platforms.

Question 3 -

Does the vendor understand your threat landscape?

It is important to make sure that the MDR vendor knows your industry and the specific threats that your business faces. For sure, many different industries face similar threats, but it is important that your MDR provider understands the specific security challenges that you want to solve and the specific threats targeting your IT infrastructure and business. 

You need to have a solid understanding of what assets and intelligence you are trying to protect and from which threats. Match that up with the specific experience the MDR vendor has so it's a good fit. Also, ask for an example of the ways they have adapted their service to their customers' specific needs and how they plan to fine-tune their service as your business, attack surface, and the threat landscape change.

Ultimately, it is up to you to verify that your business context and risk profile are taken into account.

Question 4 -

Do you provide more than MDR?

Some MDR providers focus on MDR only. That's fine if it's just the MDR element you want, but the extra services a provider offers speak to their expertise. Take a holistic view of security to ensure continuous security protection across all systems. Ask them what additional services they provide. For example, ask about native cloud security support, DFIR (digital forensics and incident response), and whether they can set up your IDS/IPS, configure and manage your web application firewall, or perhaps deal with your log and vulnerability management.

You might be in the market for MDR, but “above and beyond” security protection can be tremendously helpful when bad things happen. It's much easier to work with and communicate with a team you already know, so discuss future needs with your vendor.

Question 5 -

How would you and your provider work together during attacks?

When the worst-case scenario occurs, the way you work and communicate with the provider is important. You effectively begin incident engagements in a “fog of war”, so maintaining clarity around what you collectively know and what you don't is essential to working through the subsequent investigation and response process.  Although we manage the MDR process on your behalf, our customers have full access to the process and the intelligence it yields. This enables them to collaborate with us during investigations and directly liaise with their own team of dedicated Digital Hands analysts, who act as a natural extension of their team. 

Make sure that you understand how your provider will communicate with you and how quickly and often that communication will occur. Ask them if they have a ticket portal that they update you through (not ideal), or if they will assign a dedicated analyst who can provide you with support and answers (best-case). What you are looking for is frequent, regular, and consistent communication channels. Those channels should include people who work within and outside of your business when an incident occurs, for example, law firms who understand cyber attacks and law, regulatory bodies, incident response providers, and law enforcement.

Question 6 -

How will they provide you with visibility into their actions and decisions?

You must be confident that your MDR provider is making the right decisions on behalf of your business. We have a saying in cybersecurity, “Trust, but verify.” This is what a good MDR provider allows you to do: verify their work, insights, and decisions.

There are multiple steps in security operations. For example, triage is the process where your MDR provider will determine if a threat needs to be investigated or written off as a false positive. Much of the time, this triage is done by machines rather than humans. Ask your MDR provider how they triage and the method they use to triage. During investigations, will they show you what data they pulled from your infrastructure? Will they reveal their methodology for what data they pull and what they make of it? Are reports understandable and comprehensive enough to gauge their actions, thinking, and responses? Is each step time-stamped so you can examine what happened and evaluate their performance? 

It is only by seeing the MDR provider’s work that you can verify they are doing their job. Any MDR provider worth their salt will be able to answer these questions with confidence. Trust your instincts and drill down into any of their answers that do not seem to be as comprehensive as they should be. Taking the time to do that is an important step in deciding who your MDR provider should be and ensures that your business's security is in good hands.

References:

[1], [2] https://www.gartner.com/reviews/market/managed-detection-and-response-services

[3] https://blogs.cisco.com/security/gartners-report-on-innovation-insight-for-xdr