Gartner reports that "Buyers face challenges in selecting managed detection and response (MDR) services to meet their needs due to the quantity and variety of providers, and the different delivery models, available in the market." To avoid changing providers because of failed expectations, we recommend that you shouldn't blindly stare at the technology stack when selecting an MDR provider. Gartner has published an in-depth article about choosing an MDR solution: Ask These Critical Questions and Consider These Risks When Selecting an MDR Provider. We will share this article with you and highlight six questions that we think are essential to consider. In addition to checking these, you should evaluate the service as a whole and try it with a pilot.
One name, multiple definitions
MDR has become a buzzword, and it shows on the market. Let's look at Gartner's definition of Managed Detection and Response on their Peer Insights page about MDR:
Managed detection and response (MDR) providers deliver 24/7 threat monitoring, detection and lightweight response services to customers leveraging a combination of technologies deployed at the host and network layers, advanced analytics, threat intelligence, and human expertise in incident investigation and response. MDR providers undertake incident validation, and can offer remote response services, such as threat containment, and support in bringing a customer's environment back to some form of "known good."
So, in our opinion, what's MDR in one company, is called a Security Operations Center (SOC) or Cyber Defence Center (CDC) in another. Some MDR providers might include threat intelligence and threat hunting, some provide them as additional services, and some will stick with minimal additional information. You might find Endpoint Detection and Response (EDR) and Network Detection and Response (NDR) listed as separate components, but basically, they go under the big MDR umbrella: detecting anomalies from hosts, networks, and cloud, and responding to these threats.
MDR is not just a bunch of products; it's about people operating the tools, analyzing the alerts, and connecting the event information to the current threat landscape – understanding cybersecurity. Although the products are using artificial intelligence and continuously getting better, you need experienced people to spot anomalies and see the bigger picture between seemingly uncorrelated events. Someone also needs to update and maintain the detection rules based on timely threat intelligence. And after all, there's the response part in MDR: if all hell breaks loose, a provider that can support you with the incident response both on-site and remotely is a valuable ally.
Due to all these differences, it's no wonder selecting a provider can be challenging. Luckily, Gartner has published guidance that helps you survive the Managed Detection and Response market. You're welcome to download the document here. We selected six of Gartner's key questions that we consider essential:
- "What threats are the highest concern or priority for us?"
- "Do we have use cases specific to our environment that the MDR provider needs to accommodate?"
- "Do we require the MDR provider to bring its own tech stack or do we want it to use ours?"
- What is the providers' support for other assets and environments like public and private cloud (IaaS, SaaS and PaaS), operational technology (ICS/SCADA), and Internet of Things (for example, medical devices, building control systems)? "
- "Are additional services available, like digital forensics and major incident response (on-site and or remote)?"
- "What other security services are offered by the provider, such as threat hunting, vulnerability management and log management?"
We'll explore these questions in more detail in this blog post.
Questions 1 and 2: What are your concerns and use cases?
One of the first things in evaluating MDR services is to stop and think about what security challenges you are trying to solve. Do you know the threats specific to your line of business and environments? Does the MDR provider have experience in those fields? What do you want to protect? If you're most concerned about your employees using shadow IT cloud services, a Cloud Access Security Broker (CASB) might better fit your needs.
It's also good to consider use cases, either specific to your environment or related to how you want to work with the MDR provider. They can range from "we want to detect someone intruding our power plant in Poland" to "our security officer wants to be able to view and comment all our incidents."
Questions 3 and 4: What's your tech stack?
The technology stack question is twofold. Firstly, do you want to use your existing detection technology, or have the provider install theirs? It's good to have flexibility. Especially with cloud services, it's often easiest to integrate your MDR provider to your cloud-native tools. Also, if you already collect your logs to your own SIEM, why not let the MDR provider access it? On the other hand, in some cases, you are probably interested in using the tools that the provider recommends and has experience in – they have vetted different products and chosen the best one.
The other aspect of the technology stack is the MDR provider's support for different environments. Are you operating in a multi-cloud environment? Or perhaps you have IoT devices? Maybe you're looking to detect if someone breaks into your factory? Take a look at what kind of environments the provider has secured before.
Questions 5 and 6: What's included?
"There are only two types of companies: those that have been hacked, and those that will be." If you have a skilled internal incident response team, maybe you're good to go. But even if you have great detective and preventive measures, it's good to keep this quote from Robert Mueller, the former Director of FBI, in mind. It's crucial to prepare for security incidents: how to react, how to communicate, how to keep the business running – and practice that with your incident response team. You will probably save a lot of hassle and get quicker to corrective actions if your MDR provider can also provide digital forensics and incident response service. Setting up communications is much more comfortable with a familiar team, especially when they work in close relations and are not divided into multiple sites and timezones.
There are only two types of companies: those that have been hacked, and those that will be.
The other services that the vendor provides tell about their expertise. Do they specialize in cybersecurity and offer, for example, threat hunting? Will they do active mitigation to defend you? Can you extend to log management and vulnerability management later? Consider what your future needs could be and see if the provider can cater to those.
Proof of value shows what you'll get
Gartner recommends, "Establish and document the desired outcomes from outsourcing to an MDR provider, the necessary requirements and the expectations before engaging providers, especially factoring in the needs of your internal incident response capabilities." Still, we believe, using a long list of demands to compare providers can be as challenging as comparing apples to oranges.
That's why a pilot or Proof of Value for a few weeks or a month will give you a better idea about the service. Are the reports what you're expecting to see? Are you getting enough transparency in the detection process? Is it easy to communicate and get support? What's the process when asking additional services or scaling up? Your organization will grow and change, so look for agility – the service should scale with you. Try it out, and you'll see what you'll get.
Want to keep track of what's happening in cybersecurity? Sign up for Nixu Newsletter.
- Gartner, Ask These Critical Questions and Consider These Risks When Selecting an MDR Provider, Toby Bussa, Kelly Kavanagh, Craig Lawson, Pete Shoard, 31 October 2019
- Gartner, Peer Insights Managed Detection and Response Services, Peers