This blog post is part of an ongoing series about evaluating Managed Detection and Response (MDR) providers. For more insights, check out our guide, “10 Things Your MDR Service Must Do.”
Every organization is unique, with different goals, missions, security maturities, staffing models, technologies, and incident detection and response program needs. The best managed detection and response (MDR) providers know this and tailor the solution delivery to meet each customer where they are.
To achieve this, MDR providers will most likely have one of two approaches:
- SOC pod or squad model
- Dedicated concierge model
The pod model assembles Security Operations Center (SOC) analysts into teams (pods) and assigns each pod to customer clusters so they learn about the technology and user environments over time. Forrester analyst Jeff Pollard calls this a “squad model” in The Forrester Wave™: Managed Detection and Response Q1 2021. He says this model allows for a “customized delivery experience” designed to provide subject matter expertise at scale for each customer across their users, endpoints, and networks. Pod methodologies allow teams to triage all customer alerts and prioritize the highest priority threats first in a fast and efficient manner.
In fact, those that used a strictly dedicated “concierge” approach—assigning individuals to monitor the environment—in the Wave generally performed worse than those that leveraged a squad model. The challenge with a dedicated approach is that the service focuses on your alerts, not actual potential threats. This type of model leaves you open to single points of failure (for example, if your dedicated analyst leaves the organization), or challenges that arise with a SOC that’s not optimized for success. As a result, you cannot be confident that a concierge/dedicated approach will enable you to measure success and respond quickly to every alert.
Additionally, the best MDR providers offer security program advisors who augment these SOC pod teams. These security advisors learn about their customers, their environments, their goals, and any limitations, so that only the best and most effective guidance is provided to remediate against threats and build up the security programs. We recommend digging deeper into what your relationship and engagement model will look like with this individual so you can make sure it resembles a consultant rather than a human SMS system.
Together, both the SOC pod and the Security Advisor should have your priorities and security outcome goals at the center of their service delivery. If not, you’re evaluating a Managed Security Provider focused on staff augmentation rather than a true security partner in your MDR.
How Rapid7 MDR can help
Rapid7 MDR is designed to meet our customers at any level of security maturity and help accelerate your maturity, not just manage a Security Information and Event Management (SIEM) tool. Our goal is to ensure we align your investment in MDR with long-term security improvement across all Center for Internet Security (CIS) Top 20 Critical Security Controls.
We go above simply looking at alerts by having our team respond on your behalf, offer advice and mentorship from your Security Advisor, and focus on helping you improve your security program.
We pride ourselves on becoming a true extension of customer teams through attentive service and visibility into our backend systems, and by providing experts and a named resource (your Security Advisor) to whom you can reach out for all things related to security.
The team—from SOC analysts to your Security Advisor—takes the time to truly understand your business processes, environment, and industry so they can provide customized guidance at each interaction point with the MDR service.
After all, MDR is a partnership. Our goal of that partnership is to act as a force multiplier for your team, enabling better cybersecurity decision-making through expert collaboration.
This includes tailored reporting and recommendations, with remediation and mitigation strategies that align your investment in MDR with long-term security improvement across all 20 CIS critical controls.
Here’s how Rapid7 MDR’s customer engagement model fits this need.
We employ a SOC pod model, assigning your team multiple security experts with unparalleled experience—both red and blue teams—that monitor your environment around the clock. SOC Analysts leverage specialized toolsets, malware analysis, tradecraft, and forward-looking collaboration with Rapid7’s Threat Intelligence researchers to make detection and remediation of threats possible.
Each pod acts as an extension of your team for tactical detection and analysis to validate threats in your environment. Our SOC pod implementation ensures each customer receives continuous monitoring coverage for high- and low-fidelity alerts, while giving our team scale to thoroughly identify known and unknown threats across all customer environments.
This includes threat hunting, validation of threats, and guidance (e.g., containment, remediation, and mitigation recommendations) for true threats. On top of that, our detection and response expertise is infused into everything we do. From threat intelligence to breach response, we’ll provide education, tuning, and guidance to help you strengthen your security posture and meet your security outcomes.
The pod is made up of a Security Advisor and six Threat Analysts with an average of 5 years of security detection and response experience. These pod members generally collectively hold over 500 security certifications. Even our most junior analysts already have at least 2 years of experience detecting threats.
Together, your MDR SOC teams maintain 24/7/365 vigilance of your network, from alert validation to in-depth forensics and malware analysis of your network and users. Our combination of these roles provides optimal coverage for all threats and attacker challenges.
These analysts are augmented by your Security Advisor, who acts as your point of contact to the Rapid7 SOC and Threat Intelligence teams. Your Security Advisor is a trusted security resource, offering suggestions and guidance to mature your security program. Feel free to reach out to them whenever you have a question.
Having risen through the ranks of technical service delivery and customer success, each Security Advisor brings domain expertise, technical acumen, and white-glove customer service. These resources are there to help you advance your program—from understanding the threat landscape to your MDR service to reviewing your progress.
Throughout the service, your Security Advisor will communicate with you frequently to:
- Provide service delivery updates, contextualize metrics, and provide updates about analysis activities
- Explain every incident Findings Report and all recommendations for your team to take
- Educate your team on what any new threat intelligence insights mean for your specific environment and business
- Assist you with ensuring you’re reaching your security outcome goals
- Aid in CISO, Executive, and Board presentations; QBRs; and changes in the threat landscape
Between regularly scheduled meetings and QBRs with your Security Advisor to ad-hoc questions for the SOC, you can rest assured you’ll have a partner in your success, providing you with:
- Easy-to-understand reporting with tactical guidance and recommendations
- Experts on call, whenever you need
- Regularly scheduled meetings with your trusted Security Advisor
- Prioritized recommendations to strengthen your security program
Advantages of Rapid7 MDR
Our team is your team. From SOC analysts to your Security Advisors, we take the time to understand your business processes, environment, and industry so we can provide customized guidance and clear direction for your team.
As a strategic partner, we empower customers to accelerate their security maturity with the people, process, technology, and guidance to ensure they can drive security operations at speed and scale.
- Our Security Advisors are focused on helping you advance your security maturity. Your Security Advisor will provide suggestions on managing your technical environment, while offering tailored guidance and security recommendations specific to your environment to accelerate your security maturity—regardless if it’s Rapid7-related or not.
- Our analysts keep the focus on threats. This approach allows our analysts to maintain constant vigilance without burnout or while providing a high level of service for each MDR customer. We focus on investigating and validating threats across customers with a model for both low and high fidelity alerts, enabling our team to efficiently triage the most highly probable alerts we see.
- Our technology provides us an advantage at scale. Our robust technology toolset allows our team to focus our efforts only on alerts which are deemed to be potential threats, not any sign of a notable behavior. This combination allows us to achieve scale effectively without focusing on the number of customers or endpoints per analyst; rather, we focus our SOC on threat detection based on volume and efficiency.
- Our people are incredibly experienced. Unlike other providers who may hire or outsource alert triaging to low-cost and unskilled staff, we employ threat detection experts in our SOC. Each analyst, even our most junior, has thousands of hours in experience detecting threats.
- Our service will jumpstart your program, or advance your current maturity. Many customers have leveraged Rapid7 MDR and the Security Advisor mentorship as a stepping stone as they develop and “graduate” to their own in-house detection and response program, leveraging the already familiar InsightIDR SIEM. Others love the flexibility Rapid7 MDR offers to level up their current program and want to continue the partnership into perpetuity. For example, customer Resimac was able to accelerate their cybersecurity maturity efforts a year ahead of schedule.