So you need an MDR solution—managed detection and response. Let’s break that down and figure out which piece is most critical for your business. Below, we’ll discuss how to determine which aspect you should focus on, plus some questions you should ask as you’re evaluating an MDR service.
What’s most important to you?
The “Managed” Part of MDR
Is the Managed part most important? Is it because you don’t have the budget, bandwidth, or expertise to manage either the tools or the security operations capability needed to tackle detection and response—especially in light of the never-ending stream of ransomware attacks? Outsourcing seems like a great solution. You get 24/7/365 coverage and don’t need to manage additional tools or hire more people.
When you’re prioritizing the managed aspect, here are a few things to consider:
- Is the cost predictable? Is 24/7/365 coverage really 24/7/365, or is it capped at a limited number of incidents—potentially leaving you exposed when you most need support?
- Does the service include a dedicated customer service manager who tracks and reports on progress against your key initiatives, timelines, and critical events?
- Are reporting and measurement included? How do you know the MDR provider is doing a good job for you? How are they decreasing risk, saving you time and money, and helping you gain credibility for your security operations program?
Assessing the “Detection” Element
Do you care most about the detection piece? Is it because you’ve got the tools, but not the time to continuously update and tune detection content across your SIEM and EDR tools? Are you drowning in alerts with no way to distinguish duplicates, false positives, and true positives, let alone prioritize them? And, because your detection content isn’t tuned, are your teams only getting to 20% of your alerts, with the rest falling on the floor—potentially opening the door to attackers and risk?
When detection is your priority, here are a few things to think about:
- How do they assess your key risks and decide how to prioritize detection content? Are they mapping to known frameworks? Do they have best practices based on your industry or on your business or departmental goals? Can they help you with cloud security? Can they apply threat research and trends from their customer base to benefit your organization?
- Can they work with any tools already in your stack, or are they constrained by proprietary tools or limited in what they can support? If you want to bring new tools into the mix, do they base their recommendations on resale value or what they believe you truly need to get a better handle on your specific risks?
- Who owns the detection content? When you part ways with your MDR provider, do the tools, detection content, and processes you’ve defined with them stay with your organization (for example, detection content built in your own tools), or, because the provider manages them, do you start from scratch when you sever the relationship?
The “Response” Factor
Is the Response part most important? Is it because you get single-source alerts pointing to the same issue, but uncorrelated, so your team has to pivot across tools and collect data, then bring it all back into one place to conduct a thorough investigation, make a decision, and execute a response? (Is what I just described driving your team to look for a new job?) Do you want a SOAR tool to help automate response, but are concerned about the skill needed both to design the process and to code the plays in order to get value from a SOAR investment? Do you just need someone to help with the mundane so your staff doesn’t go nuts, and so they can then do real security?
When response is your priority, a few more items to consider:
- Will the provider give you a unified view of data, tool inputs, and context so your teams can make fast, smart decisions to investigate and remediate issues? Will your team have visibility into what the provider is doing for you on an incident, to facilitate collaboration and speed response?
- Will you have automation capabilities and playbooks for response? Have those playbooks been validated, and who maintains them? Is there a flexible interface for adding playbooks as new incident types emerge?
- Will the provider proactively run threat hunts on your behalf? What happens when the next Conti, Kaseya, or Solorigate incident occurs?
- Does the provider have threat hunting or attack simulation capabilities? Are they included or an additional cost? Once issues are found, what’s the process to remediate them?
Putting it all together to choose your MDR solution
With thousands of security tools and hundreds of managed services providers out there, I do not envy your task of building out your security program. But fear not. Regardless of whether you’re prioritizing the Managed, Detection, or Response part of MDR, ReliaQuest can partner with you to assess your needs and deliver a solution. We help hundreds of enterprise organizations improve their security operations, from those just starting to invest in security, to those who need to build consistent security practices as they migrate to the cloud, to organizations with business units spread across the globe with different risk profiles and tolerances. Check out what Auto Club Group and Tampa General Hospital have to say to get a bit more color on how we can partner with you to solve your most pressing security challenges.