Managed detection and response (MDR) providers are becoming increasingly popular with small-to-medium sized businesses and mid-market companies alike.
Gartner estimates that by 2025, half of all organizations will be using MDR services for threat monitoring, detection and response functions that offer threat containment and mitigation capabilities.
With that said, in an earlier publication Gartner also highlighted the confusion that exists in the market. Would-be MDR customers have a hard time differentiating one provider, and even one feature, from another, given the variety of approaches and technologies used by MDR service providers.
In general, as outlined by Gartner, MDR services provide:
Because most MSSPs have had decades of market vetting that MDR providers have not (given how new the category is), you are left to do more due diligence on MDR providers before signing a contract. Having a strong set of requirements in mind from the outset of your search will make the selection process far easier and make direct comparisons more achievable.
So with that in mind, in this post we offer just such an evaluation framework for organizations considering MDR. We want to help you not only evaluate but compare prospective partners and vendors in an apples-to-apples way. The right choice will depend on the outcomes you are looking to drive, the nature of your attack surface (organization size, vertical, security maturity, etc.), and which attack vectors and vulnerabilities are most relevant for your organization.
Your choice of vendor will depend in large part on what outcomes you’re looking to achieve.
Do you need someone to step in when an incident occurs? Then you are looking for a service that offers incident response.
Do you need to fill gaps in your coverage? Maybe you have an in-house SOC but are having a hard time sustaining the 24/7 commitment; having someone on call all the time is challenging and expensive. And you cannot cut back on that coverage, can you? After all, studies show that 49% of ransomware attacks happen on weekdays after 6pm (most commonly around 11pm) and 27% happen on weekends. And do not forget attacks timed to mega events like the Super Bowl, the Black Friday-Cyber Monday window, or the Christmas-New Year period when many SMBs are shut down for a week or more.
In fact, ransomware is a good test case when considering an MDR provider. Ask whether the provider protects you from ransomware, and then ask how. Their responses will tell you a lot about the scope and capability of their services, and you’ll be able to separate the wheat from the chaff pretty quickly when comparing the responses.
Your desired outcomes are going to be determined by factors specific to your organization.
For a start, what industry are you in? Are there regulatory frameworks associated with your industry? If you are in manufacturing, do you need to comply with CMMC? What about privacy frameworks? Are you impacted by GDPR? CCPA? PIPEDA? Compliance questions should be another big part of your ask to prospective MDR suppliers. We go into more detail in separate posts about what you should consider regarding MDR and the various privacy regimes; they are worth a look and will help you know what to ask.
Next, do you have a senior-level security person on staff? Can they advise at the policy and planning level? Do they know what constitutes a breach versus an IOC versus an NBD (hint: that last one means "no big deal"), and the implications for whether you need to notify your customers or a governing body such as the ICO? (Check out our recent webinar on breach notification for more on what your responsibilities are in a breach situation.)
If the answer to any of the above questions is "No" or "I'm not sure," you may want to consider an MDR provider with supplementary services, such as a virtual CISO, who can guide you on policy and planning efforts within your cybersecurity or compliance programs.
And what if you do business outside North America? In that case, you will want to consider a provider that offers network detection and response (NDR) and analyzes the traffic to your network for threats. In fact, the case for network capabilities is sometimes more compelling when you deal with a particular domestic market and traffic from known.
Do you have a clear understanding of your security posture? Has your IT team made a priority of remediating vulnerabilities and patching systems? There is much more to detection and response than being reactive: proactive improvement of endpoint hygiene and remediation of critical vulnerabilities will go the farthest in reducing your risk profile. Ask your prospective provider what their endpoint capabilities are and how they help improve your prevention posture over time.
Does your prospective provider have what it takes to play in the big game? Do they offer a credible starting position from which to protect your business? Before signing anything, make sure you understand whether your provider has the following capabilities, and validate each by asking how they achieve it:
ActZero MDR delivers on each of the capabilities above, and more. Whether you choose to pursue detection and response on your own, or with a trusted partner like ActZero, we hope this post has enabled you to assess providers and their capabilities accurately and compare various offerings. Check out our MDR Service Overview here.
If you’re considering another approach, check out our post on MSSPs, and the pitfalls of building your own SOC.