Keys to Selecting a Managed Detection and Response Partner

Discover eight critical factors to consider when selecting a Managed Detection and Response partner for your organization.

In today's rapidly evolving digital landscape, safeguarding your organization against cyber threats has become a top priority. Managed detection and response (MDR) services offer a proactive and comprehensive approach to cybersecurity. It's important to note that not all MDR providers are equal. In fact, not all providers define MDR the same way, which has created marketplace confusion. For this discussion, we will assume that MDR includes detection and response actions across the entire security threat landscape instead of only focusing on endpoints. Selecting the right partner is crucial to ensuring the security of your business. In this article, we'll explore eight key factors to consider when choosing an MDR partner.

1. Experience and Expertise

The first and most critical key to selecting an MDR partner is their experience and expertise. Look for a provider with a proven track record in the industry – 10+ years of security operations experience is a solid metric. Experience matters because security threats and security tools are constantly evolving, and an MDR partner with a deep understanding of both is better equipped to protect your organization. Their expertise should extend to a variety of commercially available security tools, avoiding “black box” or proprietary solutions that result in limited options for service support partners.

2. Tailored Solutions

Every organization has unique security needs. Your MDR partner should offer tailored solutions that address your specific challenges and goals. One-size-fits-all approaches can be financially appealing, but they are rarely effective for organizations that need any customization. Work with a partner who takes the time to understand your organization's infrastructure, industry, compliance requirements, and risk profile to provide a customized MDR strategy.

3. Staffing Models and Geographic Coverage

Consider the staffing models and geographic coverage of the MDR provider. Some organizations may prefer a local partner, while others might benefit from global support. Evaluate the provider's ability to offer follow-the-sun support, dedicated teams, and round-the-clock monitoring. Geographic diversity can be a significant advantage in responding to threats that may originate from different regions.

According to CyberSeek, more than half a million cybersecurity vacancies remain unfilled in the United States. As a result, while local staffing models may seem appealing, they can sometimes be unfeasible due to the difficulty of hiring, training, and retaining employees for graveyard shifts. With the national average salary of a security analyst over $100,000 per year, expect local staffing models to be significantly more expensive than global staffing models.

4. Automation and Orchestration

Automation and orchestration capabilities are essential in MDR. A strong MDR partner should leverage advanced automation to respond quickly to security incidents. This reduces response times, minimizes human error, and ensures a more efficient threat mitigation process. Inquire about the provider's automation and orchestration capabilities and how they integrate with your existing systems. Automation should extend outside of the MDR provider’s service boundary and include adjacent security tools. Identify your top five ticket workflows and ask for sample automation playbooks specific to your needs.

5. Quality of the Security Operations Center (SOC)

The SOC is the heart of any MDR service. Evaluate the quality of the SOC team, as this is where your security alerts are analyzed and acted upon. Service level agreements are important for setting expectations, but the expertise and efficiency of the SOC staff also matter. A well-trained, experienced, and responsive SOC team will make a significant difference in the effectiveness of your MDR service.

6. Integration with Existing Security Tools

It is not feasible to rip and replace all security technology at once, so your MDR solution should seamlessly integrate with a wide array of security tools. A disjointed security infrastructure can lead to inefficiencies and gaps in threat detection and response. Inquire about the provider's ability to integrate with security information and event management (SIEM) systems, user and entity behavioral analytics (UEBA), threat intelligence feeds, and other security technologies. Most security tools provide excellent business outcomes when they are deployed and maintained well. Resist the urge to discard the gem with the rubble and focus on having the right people and processes in place to maximize the potential of existing tools.

7. Clear Roles and Responsibilities

A successful MDR partnership requires a clear delineation of roles and responsibilities. You should know who does what, when, and how tasks are divided between your organization and the MDR provider. This clarity ensures that incidents are handled promptly and efficiently. Reviewing the roles and responsibilities document line by line is tedious but will result in better operations engagement. Setting clear milestones and responsibilities during onboarding is also important to minimize coverage gaps and avoid double billing.

8. Holistic Approach

While MDR is a critical component of your security strategy, it's not the only piece of the puzzle. Look for an MDR partner that understands how their service fits into the broader security ecosystem. The ability to harmonize MDR with other security tools and processes is key to a comprehensive defense strategy.

Selecting the right MDR partner is a pivotal decision for your organization's overall security program. By considering these key factors—experience, tailored solutions, staffing models, automation, SOC quality, integration, clear roles, and a holistic approach—you can make an informed choice that strengthens your defenses against cyber threats and helps safeguard your digital assets.

Robert McFarlane

Managed Svc Sol Sales Spec
Robert McFarlane joined CDW in 2018 and serves as MSSP practice lead focused on 24/7 operational support for key security technologies.