Last updated at Thu, 09 Nov 2023 19:37:37 GMT
This blog post is part of an ongoing series, MDR Vendor Must-Haves.
Engaging a managed security service provider—either a traditional MSSP or MDR provider—should never involve wasting your time. When you’ve decided to partner with a provider to manage your threat detection and incident response program, the last thing you want are false positives to investigate that become more tiresome than the alerts themselves.
At the end of the day, you shouldn’t pay for a list of things that you must validate before you figure out what’s actually important.
The best MDR providers perform alert validation up front to minimize the number of false positives sent to your team. MDR should be a partnership, not a human SMS system.
In order to accelerate alert validation, your provider needs to take on the majority of the detection and response process. Their goal should be to make your life easier, not tell you when the blinking red light is going off.
Any report you get should provide (at the very least) a high level of detail to determine the validity of the findings, as well as concrete steps to remediate. These reports should tell you the complete story of the attack and how to best contain the attacker, remediate the threat, and mitigate future situations. Otherwise, how do they help you improve your security posture?
If the provider won’t take on the minimum of 24x7 monitoring, investigation, validation, incident response, and deliver you an actionable report that provides this level of detail, it may be time to find a new MDR partner.
How Rapid7 MDR can help
Rapid7’s global MDR SOC teams are composed of security experts with unparalleled experience—both in red team and blue team—who use this in-depth knowledge of attacker tools, tactics, and procedures to catch malicious activity early in the attack lifecycle and validate each potential threat.
Each of our SOC analysts acts as an extension of your security team and tailors the MDR service specifically to your industry and your business. This includes threat hunting, validation of threats, and guidance (e.g., containment, remediation, and mitigation recommendations) for only true threats.
Once alerts are investigated and verified, our SOC analysts produce a Findings Report delivered via the Customer Services Portal (with alerts via email or phone call, per the customer’s request). This isn’t your standard automated report generated by the technology. It’s a deep dive into the attack storyboard and clear direction for how to improve your security posture. We have customers that just pass it along to their IT teams since the report says more than “reimage the box”.
You'll receive a Findings Report each time we validate a threat. This report is a summary of the incident and contains:
- Detailed investigation timeline and root cause analysis
- Written analysis of attacker activity and scope of the threat
- Incident criticality and risk
- How to contain the endpoint or user
- How to resolve this incident
- Potential ways to prevent future recurrence
You’ll be able to quickly see the problem, its importance, and the solution.
