RSA 2023 is upon us.
The largest security event of the year, set to take place in San Francisco’s Moscone Center, is expected to draw close to fifty thousand IT and cybersecurity professionals from around the world. And as attendees wrestle with the many security challenges and solutions framing these conversations, we anticipate that managed detection and response (or MDR) will be near the top of the list.
Lately, more organizations have discovered the value of obtaining MDR services from a third-party vendor. MDR services provide organizations with 24/7/365 monitoring of their attack surface, dedicated threat hunting support, and up-to-date threat intelligence data and vulnerabilities collected across a global network of customers.
While these capabilities can fill an immediate need for organizations that lack the resources or skilled personnel to understand what’s happening on their attack surface at any given moment, they can also benefit large organizations that already have a well-developed security operations center by enabling in-house security analysts to be used more efficiently.
If you’re on the fence about MDR and curious to learn more, this year’s RSAC will be hosting many discussions about managed services, threat detection, response and remediation – and there will be several spotlights on AI, both as a threat and a tool.
Asking questions about MDR
Take a look at this cheat sheet we’ve put together for hosting productive conversations with MDR vendors about their services. You can use this guide as an inspiration for exploring new tools and platforms.
“What does your MDR service specifically entail? How is MDR different from other three-letter services (like XDR, EDR, NDR, CDR, and ITDR)?” The MDR service is not an all-in-one security solution that’s going to remove every challenge facing your SOC. It’s a good idea to ask not only what the service covers, but also what it does not cover.
“How can MDR meet my organization where we currently are?” MDR vendors should be able to answer this question with confidence. And if they can’t, there’s your red flag. Your organization belongs to a specific industry with its own needs, policies, and vulnerabilities to contend with. Your organization has a fixed budget, established technologies, and personnel with varied skill sets and responsibilities. You’re going to want a MDR provider who takes time to appreciate your business objectives and requirements and modifies their service accordingly, rather than one that makes no distinction in how it serves any of its customers.
“What value would MDR bring to my particular organization?” The answer to this question isn’t so obvious. For example, if you’re a small organization with a SOC manned by about 3 to 5 analysts, you would probably benefit from having a fully involved MDR partner who can take threat containment actions on your behalf when the situation calls for it. On the other hand, if you’re a large enterprise with at least thirty to fifty analysts on board, then you may decide to keep your MDR vendor in a more advisory role where actions are prescribed but not necessarily carried out by the MDR team themselves.
“How would MDR help our in-house security analysts?” Security analysts are highly-skilled and tend to be very expensive, so organizations want to make sure their time is being used as efficiently as possible. Is that time best spent on responding to security alerts, a portion of which are false positives? Or is that time better spent on finding ways to secure the business as it pursues its objectives? By offloading day-to-day firefighting duties to MDR teams, customers can give their own analysts more time to tackle strategic goals that move the business forward.
“Can you walk me through a threat scenario and tell me how your team would handle it? How would I, the customer, be notified and work with you to resolve the incident?” This is a great way for the MDR vendor to show you what’s under the hood. A confident vendor will be transparent about the methodology and tools they use to discover vulnerabilities, and how they work with your team to contain and eliminate them. They should be able to discuss recent case studies and detail what steps were taken to resolve them and the lessons that were learned.
“How does your org plan to leverage AI and other advanced technologies to help us eliminate threats?” AI and machine learning are expected to be major conversation topics at this year’s RSA, which makes this a great question for understanding the role that AI and other technologies can play in a MDR service. More MDR vendors are incorporating AI and automation into their threat hunting services, which allow analysts to make data-driven decisions at much faster speeds and predict where and how likely an attack is to take place.
“What do you require from our organization (resource, or personnel-wise) to make this partnership work?” MDR entails a shared service agreement. The MDR provider is responsible for managing detection and response, on the condition that the customer is able to provide appropriate data access, assign shared contacts, and inform the MDR team about important business needs. Remember that the MDR provider is an expert at the service, but the customer is the expert on the business. It’s the customer’s responsibility to make sure the MDR vendor is aware of what’s important from a business perspective.
MDR-specific events at RSA
There’s hundreds of seminars and panels you can attend at RSA, but you’ve only got so much time. To help you out, we’ve provided a few sessions below that would be especially appropriate to ask the experts about MDR.
- “Making Sense of a Confusing Detection and Response Solutions Landscape”
- “Hype and Reality: How to evaluate AI/ML in Cybersecurity”
- “Why Extended Detection and Response (XDR) Must Unite the Industry”
- “Threat Response Needs New Thinking. Don’t Ignore This Key Resource”
- “You Are Not an Island – Threat Model as a Team”
- “Intelligence and AI at the Convergence Zone of Data and Threats”
