New Research Report: What are security leaders saying about their security postures? View the Findings ➞

Evaluating an MDR Solution? 10 Things to Consider

So you need an MDR solution—managed detection and response. Let’s break that down and figure out which piece is most critical for your business. Below, we’ll discuss how to determine which aspect you should focus on, plus some questions you should ask as you’re evaluating an MDR service.

What’s most important to you?

The “Managed” Part of MDR

Is the Managed part most important? Is it because you don’t have the budget, bandwidth, or expertise to manage either the tools or the security operations capability needed to tackle detection and response—especially in light of the never-ending stream of ransomware attacks? Outsourcing seems like a great solution. You get 24/7/365 coverage and don’t need to manage additional tools or hire more people.

When you’re prioritizing the managed aspect, here are a few things to consider:

  1. Is the cost predictable? Is 24/7/365 coverage really 24/7/365, or is it based on a limited number of incidents—potentially leaving you open for risk when you most need support?
  2. Does the service include a dedicated customer service manager who tracks and reports on progress against your key initiatives, timelines, and critical events?
  3. Are reporting and measurement included? How do you know the MDR provider is doing a good job for you? How are they decreasing risk, saving you time and money, and helping you gain credibility for your security operations program?

Learn about the ReliaQuest MDR offering >

Assessing the “Detection” Element

Do you care most about the detection piece? Is it because you’ve got the tools, but not the time to continuously manage updating and tuning detection content across SIEM and EDR tools? Are you drowning in alerts with no way to tell the difference or prioritize across duplicates, false positives, or true positives? And, because your detection content isn’t tuned, are your teams only getting to 20% of your alerts with the rest falling on the floor—potentially opening the door to attackers and risk?

When detection is your priority, here are a few things to think about:

  1. How do they assess your key risks and how to prioritize detection content? Are they mapping to known frameworks? Do they have best practices based on your industry or your business or departmental goals? Can they help you with cloud security? Can they apply threat research and trends from their customer base to benefit your organization?
  2. Can they work with any tools already in your stack, or are they constrained by proprietary tools or limited in what they can support? If you want to bring new tools into the mix, do they base their recommendations on resale value or what they believe you truly need to get a better handle on your specific risks?
  3. Who owns the detection content? When you part ways with your MDR provider, do the tools, detection content and process you’ve defined with them come to your organization (detection content built in your tools), or because the provider manages them, when you sever the relationship you’re starting from scratch?

The “Response” Factor

Is the Response part most important? Is it because you get single-source alerts pointing to the same issue, but uncorrelated, so your team has to pivot across tools and collect data, then bring it all back into one place to conduct a thorough investigation, make a decision, and execute a response? (Is what I just described driving your team to look for a new job?) Do you want a SOAR tool to help automate response, but are concerned about the skill needed to both design the process and code the plays in order to get value from a SOAR investment? Do you just need someone to help with the mundane so your staff doesn’t go nuts, and so they can then do real security?

When response is your priority, a few more items to consider:

    1. Will the provider give you a unified view of data and tool inputs and context so your teams can make fast, smart decisions to investigate and remediate issues? Will your team have visibility to see what the provider is doing for you on an incident, to facilitate collaboration and speed response?
    2. Will you have automation capabilities and playbooks for response? Have those playbooks been validated and who maintains them? Is there a flexible interface for adding additional playbooks as new incidents emerge?
    3. Will the provider proactively run threat hunts on your behalf? What happens when the next Conti or Kaseya or Solorigate happens?
    4. Does the provider have threat hunting or attack simulation capabilities? Are they included or an additional cost? Once issues are found what’s the process to remediate those issues?

ReliaQuest GreyMatter doesn’t just detect and respond—we also investigate. Learn more >

Putting it all together to choose your MDR solution

With thousands of security tools and hundreds of managed services providers out there, I do not envy your task of building out your security program. But fear not. Regardless of whether you’re prioritizing the Managed, Detection, or Response part of MDR, ReliaQuest can partner with you to assess your needs and deliver a solution. We help hundreds of enterprise organizations improve their security operations from those just starting to invest in security to those who need to build consistent security practices as they migrate to the cloud, to organizations with business units spread across the globe with different risk profiles and tolerances. Check out what Auto Club Group and Tampa General Hospital have to say to get a bit more color on how we can partner with you to solve your most pressing security challenges.


Manage SIEM, EDR, and beyond. Get more out of an MDR provider. Let's talk.

More Articles

Security Alert Fatigue? False Positives? Common Problems in Threat Detection And How to Fix Them

If your team is suffering from security alert fatigue, too many false positives, and an overall reactive posture, you’re not alone. Organizations are continuing to invest in a growing suite of cyber security tools, complicating security operations, overwhelming teams, and negatively impacting threat detection. According to a 451 Research Report, 43% of enterprises are unable to act […]

What Is Managed Detection and Response (MDR)?

Managed detection and response (MDR) is an outsourced approach to cybersecurity where third parties handle threat monitoring, detection, and response. Specifically, the MDR model pairs endpoint detection and response (EDR) or endpoint protection platforms (EPP) with real-time monitoring and detection of ransomware, malware, and other security intrusions with rapid incident response to address and eliminate […]