What you should look for in an MDR relationship

The managed IT services market is growing both in size and importance, as more organizations decide it makes fiscal and operational sense to outsource key functions. This is true even for critical security-oriented tasks, due to both environmental and organizational drivers: the volume, velocity, and sophistication of threats are increasing, while skilled security personnel are scarce and expensive.

As a result, one of the fastest-growing segments in this space is managed detection and response (MDR); in 2022, there are more than 40 companies offering credible MDR services. The value of MDR is that it creates a force multiplier for internal security organizations, delivering day-to-day threat hunting services and teaming with internal staff to repel and remediate attacks.

The MDR concept is relatively new in the security service provider space. MDR offerings augment your security operations center (SOC) by providing detective and reactive tools and expertise, which in some cases may even replace your Tier 1 security analysts, who are focused on responding to threats within the broader environment.

MDR services were first popular among smaller businesses who couldn’t afford a full cybersecurity team. But an MDR relationship can be a huge win regardless of the size of your organization. To gain maximum benefit, however, there are things to keep in mind when considering an MDR service.


We can’t have a conversation about MDR without first talking about managed security service providers (MSSPs). The MSSP market is more than two decades old and came into being as the technology, compliance and security landscape grew more and more complex. MSSPs typically manage compliance solutions and some security tools without necessarily getting involved in day-to-day functions such as incident review or complex, human-centric challenges such as threat hunting.

While MSSPs have evolved to deliver more active participation in daily operations, MDR providers offer a specific set of security services, with tools and technologies that directly support the detection and response use case. This involves collecting network traffic and logs generated by devices, applications, and users, as well as data from more traditional endpoint devices like laptops and servers. The magic happens when these disparate data planes are brought into a single environment to be stored, accessed, and analyzed together by skilled security analysts. They can perform basic incident response, threat containment, and often proactive threat hunting activities.

But the value of an MDR offering goes well beyond the eyes-on-glass triage it provides. An MDR provider, after all, isn’t providing services to you and your organization alone. They have other customers too, both within your industry segment and outside it. Because they see so many customers, a good MDR provider can see attacks as they begin to form. Like a meteorologist tracking a developing storm, your MDR service can see not just an impact to the first victim, but the potential impact to other customers as well. MDRs occupy a unique vantage point where they can see the big, multi-organization picture that lets them proactively help protect their entire customer base.

Some MSSPs have evolved into MDRs, and in other cases the provider may have been an MDR from their first day of operation. The point is, MDR is looking at the same environment as an MSSP, but with a different set of lenses. That makes it key to focus on the service options they offer.

Avoid friction and be realistic

One place organizations experience unnecessary friction with their MDR provider is the ticketing and tracking of incidents, which often must work across organizations as investigations take place. It is worth spending extra time up front understanding exactly how your prospective MDR provider will integrate into your existing ticketing and case management platforms. They detect security issues, but ultimately your team may have some role in responding to them. So, don’t settle for a case management integration plan that sounds like “my system can send out an email to your system.” A modern MDR player should offer a true two-way connection between their ticketing system and yours.

It is also important to recognize that contracting an MDR service is not a set-it-and-forget-it relationship. While your MDR provider is bringing significant expertise and technology to the table, you and your team are still the ones who know your environment best. You will be called upon, at least some of the time, to provide help with investigation or remediation.

Don’t make the mistake of thinking that the initial effort of getting your new MDR service into production is the only time you need to spend optimizing their technology to work well with yours. Plan to invest additional time post-rollout to continue to work with them to tune their technology and processes in your environment. For example, how do you plan to communicate to your provider the operations process that kicks off whenever new log sources or new endpoints appear on your network?

Threats continue to evolve and so must your MDR

MDR providers are multiplying because there is a pressing need for these services. Threat actors are looking at a very attractive near-term future where your attack surface is getting larger, not smaller; where combinations of different silos of sensitive data will become even more valuable than any single data silo; and where your users are consuming more and more apps, whether supplied by your organization or not, any of which represent either an indirect or even a direct entry point into your organization.

Some MDR providers may not keep up with the continued pace of change. It is inevitable that the MDR provider you selected yesterday may not be the ideal partner for you tomorrow. Walk into an MDR relationship with a clear view of how you might exit the relationship in the future. Are there penalties for terminating the contract before its end date? Given the intimate knowledge your MDR has about your internal environment, how does the replaced MDR provider handle that data post-relationship? Is that data transferred to you and then destroyed, and if so, how exactly? Is the replaced provider willing and able to work with a new provider to ensure a clean transition if you move?

Whoever you choose as an MDR provider, don’t be a passive customer. Set up regularly scheduled touchpoint meetings. Make sure an informed individual who monitors your environment regularly is always present and participating. Good MDR providers welcome the opportunity to transfer knowledge to you about their threat hunting techniques and custom content they develop in support of your unique environment.

MDR is not a replacement for having an up-to-date incident response plan in place. Instead, you want to be able to leverage your MDR provider as part of your own documented IR plan. Do they offer IR services as an add-on capability or service? In the event of a larger incident, having the responders and the monitoring team on the same page is essential to a speedy resolution. What better way to do that than to source both functions from the same provider?

And don’t overlook the proactive and cost-effective way to get started with incident response: obtaining an incident response retainer, which will ensure you are prioritized if you get hit by a major intrusion. Without a retainer in place, obtaining major incident services can be frustrating and painfully slow, at precisely the moment you need them urgently.

Forecasting the future

As threats continue to evolve and the cybersecurity skills shortage continues, MDR will play an outsize role in threat detection and prevention. It can be an effective approach to augmenting the staff you have so they can focus on the strategic initiatives you keep in-house. So be sure to find an MDR partner who goes beyond defending you and your environment, one who wants to truly partner and help you learn to defend yourself.

Enterprises are always looking for the most effective approach to protecting their systems. With their unique expertise in detection and response along with their ability to see the “big picture,” MDRs are an effective tool in protecting your organization’s security systems.
