Managed Detection and Response (MDR): Choosing the Best Provider

By Eric Peterson, Principal Security Consultant - 11 Jun, 2025

Bad actors and cyber-criminals are attacking your business, and security analysts can often observe their activities in device and system logs. A security team should triage, review, and respond to alerts from these log events. Companies deciding to augment existing IT or Security teams by adding a managed detection and response (MDR) provider will have many questions featuring a myriad of buzzwords. Asking the right questions of the MDR vendor from the beginning will go a long way in helping you find one that is the best fit.

Why Managed Detection & Response (MDR)?

MDR can fill many organizational and operational gaps, such as a lack of cybersecurity personnel resources, employee skills gaps, adherence to compliance requirements, decreasing security event response and dwell times, providing actionable alerts and threat intelligence, and more.

Like a castle with complementary and overlapping security strategies, MDR can answer many security-related problems and business needs.


What Are the Challenges with Managed Detection & Response (MDR)?

Challenges are inherent in any MDR service, making it imperative to choose the best provider for your needs. From the MDR service perspective, these include disparate tools and technologies, true-positive detection ability, reduction of false positives and noise, support for or integration with your specific log sources, log volumes and ingestion, log storage and retention, and security analyst retention, to name a handful.

The MDR service relationship is potentially complex as it’s co-managed. MDR doesn’t work without consistent and effective communication between the MDR vendor and the customer. Clear discussion and understanding of the demarcation between what the MDR provider can do and what the customer is responsible for are vital.

Working with a Managed Detection & Response (MDR) Team

Ideally, managed detection and response SOC analysts should feel like they’re part of your extended security team, both from your perspective and theirs. One indicator is whether the provider’s SOC analysts retain and use the information communicated to them, building corporate memory of your business. For example, do the answers you’ve provided in tickets appear to be understood and saved, or do the analysts keep asking the same questions repeatedly (what’s the IP range for your guest Wi-Fi network again)? Do you feel that they ‘know’ your business and are working in concert with your staff to protect your company and reduce security risks and threats?

When selecting an MDR provider, the roadmap and ability to enhance and improve the product offering should remain at the top of mind. Is the provider cloud-centric, forward-thinking, and leveraging common frameworks like MITRE? Here are some questions you would be wise to ask.

Key Questions to Ask Your Managed Detection & Response (MDR) Provider

  • Impact — Can the MDR provider reduce noise and alert fatigue effectively while providing actionable alerts? Will the provider reduce investigative and triage time for your team?
  • Analysts — What sets the provider’s security analysts and leadership team apart? Are they customer-driven? What are their education levels, certifications, SIEM and SOC experience, alert triage ability, threat hunting skill, and analysis capabilities?
  • Technology — What does their tech stack consist of, and how does it measure up? Where is the provider’s focus, such as cloud, endpoint, MDR vs. XDR, automation, machine learning, and SOAR?
  • Automation — How are UEBA, machine learning, threat intelligence, and SOAR utilized by the provider’s platform to accurately identify security events, reduce false positives, improve service and mitigation response, and automate routine and mundane alert handling?
  • Coverage — Does the service meet your response criteria? For example, is 24/7/365 coverage through analysts’ “eyes on glass” or just platform monitoring?
  • Incident Response — How does the provider handle incident response, and what is included? If incident response is not provided directly, do they have strong relationships with notable breach and incident response retention services?
  • Threat Remediation — Are threat remediation and containment included? Does the tech stack allow for response action or just alerts and notifications?
  • Proactiveness — Is proactive threat hunting included or just an alert response?
  • Threat Intelligence — Does the provider leverage threat intelligence, and is it baked into the platform and regularly updated? Does the threat intelligence enrich and accompany the SOC alerts?
  • Forensic Capability — Does the provider offer digital forensics and incident response (DFIR) capabilities? If not, will they, and when? In lieu of this feature, what do they assist with during a security event, and where does their role or service end?
  • Right Fit — Do your business needs and goals align with the provider’s services and coverage roadmap?

The Key Goals of Managed Detection & Response (MDR)

Effective and timely security event and incident alerting and response are key goals of MDR, thereby reducing your overall cyber risk. In addition, MDR fills many gaps and organizational deficiencies by providing security-specific experts, 24/7 incident monitoring and operations, and by maintaining the vital mapping of threats to the security technologies currently used or deployed within your environment.

MSSPs are evolving to include MDR services based on cloud technologies, machine learning, and big data. These elements are no longer the exclusive domain of MDR providers. MSSPs leverage their managed service capabilities to include security advisory, managed security infrastructure, and MDR options. MSSPs can be your one-stop shop, enhancing multiple business areas and growing as you do.

The right MDR provider and platform will fully integrate with your environment, continually minimize the attack surface, and improve threat visibility while reducing the cost of securing your business.

Let New Era Technology Help You

New Era Technology’s SecureBlu services can assist you with addressing a wide range of security challenges, including deploying managed detection and response. If you want to learn more about how your organization can prevent, detect, and manage threats through New Era SecureBlu services, please visit our website or email us at solutions@neweratech.com.


Author: Eric Peterson, Principal Security Consultant

© 2025 New Era Technology  |  Privacy  |  Cookie Policy   |  License Number: MA 7190-C