This blog post is part of an ongoing series about evaluating Managed Detection and Response (MDR) providers. For more insights, check out our guide, “10 Things Your MDR Service Must Do.

This is possibly the most overlooked aspect of selecting an MDR partner. But when you get to a hair-on-fire, all-hands-on-deck moment, you’ll be glad you don’t have to live out this meme.

In the Gartner article, “How and When to Change Your Managed Security Service Provider,” there’s a big call out: “You can outsource the tactical effort for security, but not the responsibility, liability, and accountability.”

Having the best threat detection methodologies, a streamlined and efficient process for validating threats, and a rock-solid reporting standard may still leave you open to unexpected costs.

For example, what happens when attackers breach your environment, despite all the security controls like next-gen AV and modern firewalls that are a part of your defense-in-depth approach?

This goes far beyond a typical alert investigation and guidance available from your MDR provider who investigates and writes up an Incident Findings Report. And, in this case, any use of managed response capabilities would essentially be playing hacker whack-a-mole.

We’re talking something like:

  • Evidence of previously unknown attacker activity
  • Evidence of attacker activity expanding to affect multiple endpoints
  • Evidence of lateral movement, data exfiltration, or staging

This is the time you need more help than what most 24x7 security operations MDR services can provide. And, with every second that passes, an attacker has hands-on-keyboard access to your environment.

Now, some MDR providers will say they can help, but this isn’t just about having the support (many providers will claim they assist). It really comes down to how they’ll support you, and where they draw the line between what they can do and when you’ll need to get outside help from a vendor that might not be intimately familiar with your environment, people, or processes.

The last thing you expect to hear from your MDR provider after, “You have been breached,” is, “So, you have to pay us or someone else extra to continue the investigation and get the attacker out.”

The most obvious option would be to purchase an Incident Response (IR) Retainer from a vendor with extensive consulting experience handling breaches. This might be required for companies due to their cyber-insurance policy. Other reasons could include third-party legal counsel or internal compliance checks.

These retainers are typically priced at time and materials cost ranging from $400 to $500 per hour. The costs can add up, as most IR engagements can take 60–80 hours!  

Getting an MDR provider may help cut down on the event you’ll need to use an IR retainer, but it’s not a replacement for one. Many times, MDR providers will require you to seek these retainers from yet another third-party vendor that specializes in breach response, since IR is not a core capability within MDR, specifically.

The challenge with this approach is that the team who’s handling the IR needs to get caught up to speed on your environment. Getting another 3rd party caught up to speed is frustrating and causes a loss of valuable time. And since it’s based on T&M, as the scope grows, it’s not predictable.

We’d recommend asking your prospective or current MDR provider, “Do you have IR breach response expertise on-staff that will help if I am breached?” Some will. Others may quote an additional cost, yet outsource it behind-the-scenes to an external third-party partner. Again, having this third party involved can cause you to lose valuable time and can expand the cost as the breach continues to include kick-off calls, knowledge transfer, and access to logs/environment.

But it’s not just a matter of the team having knowledge of your environment that helps speed up response—it’s the ability for the team to quickly gather and analyze evidence. If they have to obtain access to your tools, then you’re relying on their expertise in utilizing that specific stack and that the stack has the relevant information/response capabilities necessary to handle the incident at hand. The other scenario is that the third-party IR team has you deploy their tools (like Velociraptor) in your environment. Depending on your stack and IT team bandwidth, that’s an additional lift and more pain/delay.

So what should you look for?

The best MDR partners will bundle IR hours (some are even unlimited!) to assist you with breach response 100% in-house, with experts that are the same caliber as the IR consultants you’d get from buying a retainer. This type of provider is more aligned to a partner than a transactional, service-oriented relationship. Having a team of in-house IR experts at your MDR provider speeds up the process, since the same team monitoring your environment can quickly pivot into IR mode. No time is lost when minutes are critical.

Additionally, knowledge of the environment also— perhaps unsurprisingly—often doesn’t include knowledge of the people/processes. An MDR team that has built a relationship with your internal security and IT teams is able to utilize that “tribal” knowledge to further speed not only the containment and eradication of the threat, but to propose tailor-made strategic/tactical recommendations to assist with mitigation, recovery, and ongoing monitoring efforts.

How Rapid7 MDR can help

At Rapid7, we consider our managed services customers as much more than customers: You’re our partners. It’s our commitment to help you protect your business against attackers and breaches.

That’s why we include an uncapped number of “On-Demand Remote Incident Response” (RIR) hours in each MDR contract, just in case something happens. These RIRs often can extend as long or even longer than our typical IR engagement!

The Remote Incident Responses (RIR) is a remote technical process handled by the Managed Services SOC triggered upon compromise. Rapid7 will fully investigate the scope, impact, and root cause of an incident, while working hand-in-hand with the customer to contain and eradicate the threat.

In fact, we combined our MDR team with our IR team to ensure all customers have the deepest incident response expertise available to them in the event an attacker gets past their current security controls, including our MDR service.

Luckily, only 3% of any Findings Report (actual threats found) we produce ever end up as RIR engagements. To put it in perspective, only 0.01% of the millions of alerts our team investigates turn out to be worthy of producing a Findings Report. The rest are false positives, benign alerts, or expected behavior that still need to be investigated, but aren't cause for concern.

And there’s been only a single customer who used more than one RIR in a year. The majority repurpose their extra RIRs into a Purple Team Exercise to test MDR as a security control against their annual PenTest.

So, even if it’s rare to use an RIR, customers love that they have the confidence that if there is a breach, we’ll be there as a trusted partner to take it from end-to-end.

Learn more about Rapid7’s Managed Detection and Response (MDR) services and solutions here. And, be sure to check out other posts in this series here!