How to Choose an MDR Solution – Key Things you Should Consider
One consequence of the changing threat landscape is that security teams are quickly becoming overwhelmed by the sheer volume of threats and alerts they have to deal with daily – The average SOC team can receive more than 10,000 alerts in a single day!
As a result, organizations are turning to Managed Detection and Response (MDR) providers to help close the gap between hunting, mitigating and remediating cyber threats. However, the MDR market has quickly become saturated, with many providers claiming to offer similar capabilities.
Here is how to choose an MDR solution amidst all the noise:
Managed Detection and Response (MDR) – Defined
With the sheer amount of MDR solutions and services available on the marketplace today, you’d be forgiven for not having a clear understanding of what these services are supposed to provide in the first place. Thankfully the industry seems to agree on 3 basic components as being the bare minimum for achieving managed detection and response:
- 24/7/365 Monitoring backed by a modern SOC
- Proactive threat hunting
- Endpoint Detection and Response
Evaluating MDR Services:
When evaluating MDR services, there are various areas to look at that you can use to evaluate an MDR provider:
At the core of every MDR service is 24/7 monitoring – after all, the majority of cyber attacks and incidents happen outside of business hours.
These critical capabilities are often out of reach to security teams that lack the reach or expertise to build an operation themselves, which is where MDR services come into play – They can serve as a safety net for your organization’s environment by providing effective response, advanced analytics, proactive threat hunting, and security expertise.
However, not all MDR services claiming to provide 24/7 service are the same. Take the time to find out more about these specific attributes:
- Out-of-hours callout processes
- Out-of-hours staffing levels
- Remote, co-sourced, or geo-independent SOC?
IT deployments are notorious for being time-consuming and expensive – ask any IT admin and they can probably share stories of nightmare deployments that could never quite seem to finish.
Security teams looking to deploy an MDR solution within their network environment should therefore pay attention to the deployment requirements of a given MDR solution. Will any additional infrastructure changes be needed to support the new technology stack? Will I need to purchase new hardware? Is deployment support available?
An organization looking into MDR services should take a holistic view of their providers by going beyond simply looking at the technologies being used and monthly contract costs. Having access to seasoned security experts is a critical component of any successful security program.
A leading security stack and well-defined automation can take a company far, but the true differentiator is the people keeping it running. How many years of experience does the incident response team have? Does the MDR provider have experience dealing with major data breaches? What kind of certifications does the team have?
All too often we see organizations bringing on MDR services only to end up dissatisfied with the level of communication and reporting received. To avoid this outcome, it is recommended that you pay special attention to things like service level agreements (SLA) for reporting theats within your environment.
Some additional questions to think about:
- What kind of information is provided through reporting?
- Is the information provided digestable and usable?
- How often is information provided?
Threat Detection Capabilities
Deep, comprehensive threat detection should be the backbone of any MDR service. Look for providers who are to provide deep validation capabilities to ensure threats that pass through security measures are discovered and remediated.
Some questions to ask yourself:
- Does the solution cover against unknown or emerging threats?
- Will the solution detect anomalous user behaviour?
- Does the provider use threat intelligence?
- Does the solution provide coverage for cloud environments?
- Will the solution detect attacker tools and activities?
Proactive Threat Hunting
Threat hunting is a key component of MDR that requires high levels of expertise to carry out effectively. It provides a contextualized view of emerging threats and provides visibility into likely bad actors and their associated tactics.
Ask some of the following questions:
- How do you define threat hunting?
- What performance indicators will be used?
- Do you incorporate automation into your threat hunting? If so how much?
Incident Response Capabilities
Most MDR providers will present their incident response services as a team of experts keeping a watchful eye over your organization 24/7, when in reality, far too many providers simply notify their clients of an incident and leave them to deal with it on their own.
As such, it is important to clearly determine what a provider means by response – Ask some of these questions to make sure that your expectations are aligned:
- What kind of proactive response capability is available?
- Will I receive detailed investigation reports?
- Does your response plan include business-focused remediation techniques and mitigation?
Better MDR with Stratejm
Stratejm’s Managed Security Service takes the best of MSSP and MDR and combines them into a single security platform that provides rapid remediation and response along with industry-leading automation and support capabilities. Our partners gain access to our world-class security team and state of the art detection technologies from day one.