Bad actors and cyber-criminals are attacking your business, and their activities can often be observed in device and system logs by security analysts. Alerts from these log events should be triaged, reviewed, and responded to by a security team. Companies deciding to augment existing IT or Security teams by adding a Managed Detection & Response (MDR) provider will have many questions and run into a myriad of buzz words. Asking the right questions of the MDR vendor from the beginning will go a long way in helping you find one that is the best fit.
MDR can fill many organizational and operational gaps, such as a lack of cybersecurity personnel resources, employee skills gaps, adherence to compliance requirements, decreasing security event response and dwell times, providing actionable alerts and threat intelligence, and more.
Like a castle with its complementary and overlapping defenses, MDR can be the answer to many security-related problems and business needs.
There are challenges inherent in any MDR service, and in choosing the best provider. From the MDR service perspective, these include disparate tools and technologies, true-positive detection ability, reduction of false positives and noise, support for or integration with your specific log sources, log volume and ingestion, log storage and retention, and security analyst retention, to name a handful.
The MDR service relationship can also be complex as it’s a co-managed one. MDR doesn’t work without consistent and effective communication between the MDR vendor and the customer. Clear discussion and understanding of the demarcation between what the MDR provider does and what the customer is responsible for are vital.
Ideally, MDR SOC analysts should feel like they’re part of your extended security team, both from your perspective and theirs. One indicator is whether the provider’s SOC analysts retain and use the information you communicate to them, building a corporate memory of your business. For example, do the answers you’ve provided in tickets appear to be understood and saved, or do the analysts keep asking the same questions over and over (what’s the IP range for your guest Wi-Fi again)? Do you feel that they ‘know’ your business and are working in concert with your staff to protect your company and reduce security risks and threats?
The MDR provider’s roadmap and ability to enhance and improve their product offering should be top of mind in making a selection. Is the provider cloud-centric, forward-thinking, leveraging common frameworks such as MITRE? Here are some questions you would be wise to ask.
- Impact – Can the MDR provider effectively reduce noise and alert fatigue while providing actionable alerts? Will the provider reduce investigative and triage time for your team?
- Analysts – What sets the provider’s security analyst and leadership team apart? Are they customer-driven? What are their education levels, certifications, SIEM and SOC experience, alert triage ability, threat hunting skills, and analysis capabilities?
- Technology – What does their tech stack consist of, and how does it measure up? Where is the provider’s focus, such as cloud, endpoint, MDR vs. XDR, automation, machine learning, and SOAR?
- Automation – How are UEBA, Machine Learning, Threat Intelligence, and SOAR utilized by the provider’s platform to accurately identify security events, reduce false positives, improve service and mitigation response, and automate routine and mundane alert handling?
- Coverage – Does the service meet your response criteria? For example, is 24x7x365 coverage through analysts’ “eyes on glass” or just platform monitoring?
- Incident Response – How does the provider handle Incident Response, and what is included? If IR is not provided directly, do they have strong relationships with reputable breach response and IR retainer services?
- Threat Remediation – Are threat remediation and containment included? Does the tech stack allow for response action or just alerts and notifications?
- Proactiveness – Is proactive threat hunting included or just alert response?
- Threat Intelligence – Does the provider leverage threat intelligence, and is it baked into the platform and regularly updated? Does the threat intelligence enrich and accompany the SOC alerts?
- Forensic Capability – Does the provider offer digital forensics and incident response (DFIR) capabilities? If not, will they, and when? Where this is not offered, what do they assist with during a security event, and where does their role or service end?
- Right Fit – Do your business needs and goals align with the provider’s services and coverage roadmap?
Effective and timely security event and incident alerting and response are key goals of MDR, and they reduce your overall cyber risk. In addition, MDR fills many gaps and organizational deficiencies by providing security-specific experts, 24×7 incident monitoring and operations, and the vital mapping of threats to the security technologies currently used or deployed within your environment.
MSSPs are evolving to include MDR services based on cloud technologies, machine learning, and big data. These elements are no longer the exclusive domain of MDR providers. MSSPs are leveraging their managed service capabilities to include security advisory, managed security infrastructure, and MDR options. An MSSP can be your one-stop shop, enhancing multiple areas of your business and growing as you do.
The right MDR provider and platform will fully integrate with your environment and continually minimize the attack surface and improve visibility into threats while reducing the cost of securing your business.
New Era Technology Can Help!
New Era SecureBlu services can assist you with addressing a wide range of security challenges, including the deployment of Managed Detection & Response (MDR). If you are interested in learning more about how your organization can prevent, detect, and manage threats through New Era SecureBlu services, please visit our website or email us at firstname.lastname@example.org.