Managed Detection and Response

Investing in security solutions such as endpoint detection and response (EDR), security information and event management (SIEM), and security orchestration automation and response (SOAR) platforms is a wise choice. Each of them plays a crucial role in an overall cyber security strategy by generating alerts when they detect suspicious activity in your environment and helping you with threat management.

Often, however, the number of alerts they generate is too large for companies to effectively deal with, especially since most of them are false positives. That makes it difficult for organizations to filter through the alerts and find those that represent credible threats.

A good MDR provider will ingest high value telemetry from your existing security tools, correlate alerts coming from across the environment, eliminate false positives, and zero in on alerts that are indicative of an actual threat. So, an MDR service complements the security tools you already have, helping you parse the alerts they generate so you get more value from them.

A number of attributes should be considered table stakes in an MDR provider. They include a good level of experience, including the number of years in the business and retention rates of security staff. Having the resources – in terms of both staff and security operations centers (SOCs) – to provide 24x7x365 coverage is likewise a must. A global presence is a significant benefit, even if you’re not a global company, because it gives the MDR provider visibility into emerging threats no matter where they originate. A provider with an active threat hunting team is likewise a plus for much the same reason: to provide proactive hunts for adversaries that evade detection by modern tools. (Ideally, those threat hunters should be able to identify both indicators of compromise and indicators of behavior.)

To help identify which providers have that kind of experience, consider asking the following questions:

• For how long has the vendor provided cybersecurity services?
• How does the vendor attract, retain, and train its people? What certifications have its security professionals earned?
• Is the provider able to respond to threats quickly and consistently or are there variances in the skillsets from one SOC – or analyst – to the next?
• Does it have processes in place that deepen its expertise beyond individual talent?
• What is the provider’s geographic and industry footprint? Does it have insights into the global threat landscape or is it more regionally or vertically focused?
• What threat intelligence sources are used in its service(s)? Does it have its own security research lab?
• Does the vendor take response actions? Is it included in the service offer or an extra expense? How does the vendor ensure it will not take any actions against your security policies?
• How well is the vendor recognized within the industry?
• Do its supported technologies/platforms align with your environment?
• How are you able to interact with the service? (Email? Ticketing? Phone? Mobile app?)
• What types of industry certifications and standards does the vendor use to assist with your compliance audit and maturity goals?
• Does the vendor offer adjacent managed services like threat hunting, digital forensics and incident response (DFIR), as well as consulting capabilities?