Cyberthreats are now the No. 1 source of stress among CEOs, with 71% of respondents to PwC's 2021 CEO Study reporting they are "extremely concerned" about the issue. At the same time, the cybersecurity skills gap continues to grow, with 95% of security pros saying the shortage of talent in their field hasn't improved. So while the seriousness of the problem has increased, the availability of in-house resources to adequately address it has not — particularly when it comes to finding talent with the specialized skills in detection and response.
These trends have led many organizations to partner with managed detection and response (MDR) service providers to address resource and skills gap challenges and build a strong competency to find and stop attackers in their environment.
By instantly extending your internal team's capabilities with detection and response experts, MDR services can give you confidence that your environment is protected at all times.
And for those that struggle to build a fully staffed security operations center (SOC) with the right headcount, technology, and process to be effective — all while staying under a tight budget — MDR may provide a cost-effective method to quickly stand up a complete detection and response program.
In our 2022 MDR Buyer's Guide, we outline the core capabilities that provide the foundation for evaluating MDR vendors. They include:
- 24x7 SOC team with expert analysts
- Extended detection and response (XDR) technology
- Strategic guidance and collaboration
- Threat hunting
- Managed response
- Digital forensics and incident/breach response (DFIR)
- Simple, predictable pricing
- SLA delivery standards
If you're looking for a deep dive into each of these criteria, download the full guide!
In this post, we'll streamline the discussion into 4 big-picture questions, providing you a quick-reference guide to use in the early stages of your MDR vendor selection journey, as you begin to identify your needs and narrow down your options.
1. Is this partner simply an outsourced SOC, or can they help us advance our overall security program?
An MDR provider is not just a vendor but a partner — and people are the foundation of any great partnership. You'll want to ensure you ask the right questions regarding who will be servicing your organization and how, including:
- How many MDR SOC analysts will be monitoring my environment 24x7?
- What's the experience level of the MDR SOC team we'll be working with?
- What is the average tenure and attrition rate of the team?
- Will your partner suggest operational and strategic guidance to improve your program based on real-time threat monitoring and proactive threat hunting?
- Is there someone who will be our Security Advisor that we meet with regularly?
- What is the customer experience like when I need to connect with the MDR team?
2. Do they have the right tools at their disposal?
MDR provides real-time threat monitoring across the most critical elements of your IT environment: endpoints, network, users, and cloud sources. And in case you haven't noticed, those environments are becoming increasingly complex. The cloud is enabling rapid scaling, and threats can come from virtually anywhere.
To carry out their duties well in this context, MDR providers need to be using the right XDR technology for complete visibility and coverage. Here are some questions to ask that can help you get a better sense of how the MDR vendors you're considering approach their technology implementation — and how that affects you as the customer.
- Is the MDR SOC team using multiple third-party solutions, or a technology built by an embedded engineering team?
- How do you detect threats that bypass preventative controls?
- Will I have full access to your back-end technology? If not, will you provide self-service log search and dashboards?
- Does the SOC perform proactive threat hunts on top of the real-time detections?
- Will we have the ability to add SOAR automation capabilities to expedite the remediation process?
3. Can they pair insight with action?
The last thing you want to hear from an MDR provider is, "Hey, we found this threat — now you have to go fix it." The vendors you're considering should have a managed response approach to effectively curb attacks after detection.
To understand when and how vendors will respond to threats they detect, start with these key questions:
- What types of managed response actions will the MDR SOC advisors take?
- In what instances will the MDR service take response action on our behalf?
- Will I have the opportunity to deny the containment response if I don't want the SOC team to take action?
4. Does the service scale to our needs and budget?
Even if an MDR vendor sounds great on paper across all of these points, that doesn't necessarily mean they're right for you. After all, you wouldn’t buy a two-seater car as your primary vehicle for a family of four. It’s critical to evaluate your MDR provider on the axes of your program maturity and desired security outcomes — both as it is now and for your goals for the future. Here are a few questions that will help you get a sense of whether an MDR vendor's service and pricing structure fits your organization's requirements.
- How is the MDR service priced?
- In the event of a breach, does MDR include DFIR as you’d get if you had an incident response retainer?
- Are there data allotment or retention limitations?
- What is your mean time to detect (MTTD) and mean time to respond (MTTR)?
These kinds of questions should help point you in the right direction in your initial conversations with potential MDR vendors. As you begin to make more fine-tuned decisions, you'll want to have a few more detailed questions to ask — which means understanding the ins and outs of the MDR landscape a little more fully.
Check out our full MDR Buyer's Guide for 2022 to help you navigate your choices with confidence and clarity.