Managed detection and response (MDR) providers are becoming increasingly popular with small-to-medium sized business and mid-market companies alike.
Gartner estimates that by 2025, half of all organizations will be using MDR services for threat monitoring, detectiona dn response functions that offer threat containment and mitigation capabilities.
With that said, in earlier publication, Gartner also highlighted the confusion that exists in the market. Would-be MDR customers have a hard time differentiating one provider—and even one feature—from another, given the variety of approaches and technologies used by MDR service providers.
In general, as outlined by Gartner, MDR services provide:
- A remotely delivered 24/7 SOC solution that can detect, investigate, and respond to threats.
- Staff that have skills and expertise in threat monitoring, detection, and hunting, and in incident response.
- Processes that include standardized workflows and procedures.
But because most MSSPs have had decades of vetting that MDR providers haven’t (given the newness of the solution) you’re left to do more due diligence on MDR providers before signing a contract. Having a strong set of requirements in mind from the outset of your search will make the selection process far easier and make direct comparisons more achievable.
So with that in mind, in this post we offer you just such an evaluation framework for organizations considering MDR. We want to help you not only evaluate but compare prospective partners and vendors in an apples-to-apples way. This will depend on the outcomes you’re looking to drive, the nature of your attack surface (org size, vertical, sec maturity, etc.), and which attack vectors, vulnerabilities, are most relevant for your organization.
Outcomes to Consider
Your choice of vendor will depend in large part on what outcomes you’re looking to achieve.
Are you in need of somebody to step in when an incident occurs? Then, you’re looking for a service that offers incident response.
Do you need to cover the gaps in your coverage? Maybe you have an in-house SOC but are having a hard time dealing with the 24/7 commitment—having someone on call all the time can be challenging and expensive. And you can’t cut back on that coverage, can you? After all, studies show that 49% of ransomware attacks happen on weekdays after 6pm (most commonly around 11pm) and 27% happen on weekends. And don’t forget attacks during mega events like the Super Bowl, or during the Black Friday-Cyber Monday window, or over the Christmas-New Year period when many SMBs are shut down for a week or more.
In fact, ransomware is a good test case when considering an MDR provider. Ask whether the provider protects you from ransomware, and then ask how. Their responses will tell you a lot about the scope and capability of their services, and you’ll be able to separate the wheat from the chaff pretty quickly when comparing the responses.
It’s All About YOU
Your desired outcomes are going to be determined by factors specific to your organization.
For a start, what industry are you in? Are there regulatory frameworks associated with your industry? If you’re in manufacturing do you need to comply with CMMC? What about privacy frameworks? Are you impacted by GDPR? CCPA? PIPEDA? Compliance questions should be another big part of your ask to prospective MDR suppliers. We go into more detail here, here, and here about what you should consider about MDR and various privacy regimes—the links are worth a look and will help you know what to ask.
Next, do you have a senior level security person on staff? Can they advise at the policy and planning level? Do they know what constitutes a breach versus an IOC versus an NBD (hint: that last one means ‘no big deal’) and the implications for whether you need to notify your customers, or a governing body, like ICO? (Check out our recent webinar about breach notification for more info on what your responsibilities are in breach situations.)
If the answer to any of the above questions is “No” or “I’m not sure,” you may want to consider an MDR with supplementary services, like Virtual CISO, so they can guide you on policy/planning efforts within your cybersecurity or compliance programs.
And what if you do business outside North America? In that case, you’ll want to consider a provider that offers network detection and response (NDR) and analyzes the traffic to your network for threats. In fact, sometimes the case for network capabilities is more compelling when you deal with a particular/domestic market - and traffic from known.
Do you have a clear understanding of your security posture? Has your IT team made a priority of remediating vulnerabilities, and patching systems? Because there’s so much more to detection and response than being reactive. It’s proactive improvement of endpoint hygiene and addressing critical vulnerabilities that will go the farthest in reducing your risk profile. Ask your prospective provider what their endpoint capabilities are, and how they help to improve your prevention posture over time.
Table Stakes
Does your prospective provider have what it takes to play in the big game? Do they offer a credible competitive starting position to protect your business? Before signing anything, make sure you understanding whether your provider has the following capabilities, and validate by asking how they achieve them: :
- 24/7 coverage
- Comprehensive detection on both the network and the endpoint
- Comprehensive reporting
- Response capabilities:
- Does all your data live in the cloud? Maybe you couldn’t care less if an individual endpoint gets hit with ransomware. Unless that’s the case, endpoint detection and response (EDR) is a tremendous value-add that MDR providers bring to the table enabling immediate containment and disruption of threats (like ransomware)
- Threat hunting:
- Sometimes, the ‘M’ in MDR is just monitoring. What sets the true providers aside is their focus on threat hunting—proactively ensuring the security of your system and preventing attacks before they even happen.
How ActZero Can Help
ActZero MDR delivers on each of the capabilities above, and more. Whether you choose to pursue detection and response on your own, or with a trusted partner like ActZero, we hope this post has enabled you to assess providers and their capabilities accurately and compare various offerings. Check out our MDR Service Overview here.
If you’re considering another approach, check out our post on MSSPs, and the pitfalls of building your own SOC.