Buying MDR: Quotes from the experts

(A preview of the SC Media eBook “Buying MDR: How to determine needs and choose your solution”)

Managed detection and response (MDR) as a third party service helps organizations save money while providing access to high-level expertise in threat hunting. In Part 1 and Part 2 of this series, we identified potential questions and considerations that buyers of MDR should evaluate before making the purchase.

In this latest installment, we’ve compiled the most compelling commentary from our conversations with experts about what customers should be thinking about as they scan the MDR market. They include insights from:

  • Mat Gangwer, Vice President of Managed Threat Response, Sophos
  • Matt Hickey, Senior Director of America Sales Engineering, Sophos
  • Greg Rosenberg, Director of Sales Engineering, Sophos

MDR value for enterprise

  • Mat Gangwer: “MDR can be a huge value add when you consider the breadth of expertise and skill sets that you're getting through working with that vendor. And you're getting the people who are experts with the technology that's being brought to the table, which is another huge benefit. Because if there wasn't an MDR provider, ultimately all of that is going to boil down to staffing and building that out in-house, which many organizations probably won't get to the size or scale where that's a necessity.”
  • Matt Hickey: “We see MDR as a way to augment your existing services that are in play. Having been on the [cyber] frontlines before, I look at MDR as a sounding board — if I see an attack on my network and I don’t have all the knowledge in front of me, well now I have a stable full of very competent, experienced threat hunters I can bounce ideas off of, and they're watching my network as well. There's a lot of tools out there to help you bend that learning curve, but there's no substitute for experience.”

Harmonizing security with business needs

  • Mat Gangwer: “We're not the experts in your business, we’re experts in detection and response. We can make all the suggestions and recommendations in the world, but we never want security to be a hindrance to the business, and us saying do X, Y and Z – well, maybe those things just can't be performed because there's reasons that the business can't do them, or it would impede the business in certain ways. So that's a decision that the organization would need to make where we can help inform and advocate for things, but they'll ultimately be the ones that have to do it.”
  • Mat Gangwer: “We don't know the business as well as the individual that's working there. So we can only go so far and make best practice recommendations that work in some instances, but not everywhere. The liaison for that business is going to have to take that and either push for it internally because it's the right thing to do, or let us know a reason for why we shouldn’t implement that. Having that collaborative relationship where the customer is asking questions — and we're there to support and be an extension — is optimal.”

Choosing third party for managed services

  • Greg Rosenberg: “Whether you're doing it internally or looking at a managed service, think about what it is that you're going to measure. Do those measurements track back to the objectives? Say you want increased protection against a full-blown ransomware incident — well, how do you measure effectiveness for that not only today but in the future? Can you conduct some sort of operational review on a regular basis as well? Do you have the ability to map a compliance regime on top of it? And are you looking to in-source MDR at some point as you move forward? These questions should help drive your decision as to whether or not you have the internal skill set and tools to meet those criteria on an ongoing basis.”
  • Matt Hickey: “When you’re trying to build everything internally, it’s easy to forget all the costs that are involved. Besides the tool costs, there’s the training costs, the maintenance costs, and then the cost of expertise that is required to actually do the response. Consider too the cost of creating your own playbook of how to respond to attacks. All of that is pretty much done for you when it comes to a third party service [like MDR].”

Optimizing MDR partnerships

  • Mat Gangwer: “There's that expectation on our side that customers are doing the right things from an IT and security hygiene standpoint. So they have good password policies, they’re keeping up to date with patches, they're implementing proper policies for their end users and so on. The more customers can do to be resilient to attacks, the less that we ultimately will have to deal with on a day-to-day basis in terms of actually dealing with legitimate threats. If we can eliminate a lot of that nasty stuff from happening from the beginning, then we can move up the value chain in what we can provide for the customer.”
Daniel Thomas

Daniel Thomas is a technology writer, researcher, and content producer for CyberRisk Alliance. He has over a decade of experience writing on the most critical topics of interest for the cybersecurity community, including cloud computing, artificial intelligence and machine learning, data analytics, threat hunting, automation, IAM, and digital security policies. He previously served as a senior editor for Defense News, and as the director of research for GovExec News in Washington, D.C.
