MDR: How to properly configure during deployment

(A preview of the upcoming SC Media eBook “Launching MDR: How to configure, deploy and optimize”)

What does it take to manage detection and response in 2023? Sophisticated cyberattacks can traverse attack surfaces across multiple attack vectors – and the complexity of modern digital landscapes adds an additional barrier to achieving a robust security posture. For many organizations, managed detection and response (MDR) services provide the necessary expertise to hunt down and identify actual threats and exploits.

Outsourcing MDR services and SOC responsibilities gives organizations an opportunity to work with veteran threat hunters who can see beyond the obvious. Considering third-party services for managing threat detection and response opens the door for a clearer “big picture” view of an organization’s cybersecurity status, while enabling in-house staff to focus more on the nitty-gritty. 

Researching and deciding on the right MDR vendor is an important step, but it’s not the end of the story. Configuring your organization’s assets (i.e. data, security controls, policies) to be ‘MDR-ready’ is just as important to ensuring a successful deployment. 

To navigate this process effectively, there’s some key lessons for organizations to keep in mind. 

Configuring MDR the right way

Proper configuration is key to successful implementation of any service or application. It’s about taking an honest look at one’s data hygiene and determining (based on that assessment) what actions are needed to give the MDR provider an optimal launchpad for their services. The configuration stage is also a time to establish shared responsibilities of both parties in the event of a security incident– as well as what data types and data delivery mechanism will be used to execute their response. 

Aside from the basic onboarding steps (like activating licenses, and setting up logins to the vendor portal), there’s some key decisions for the customer to address and communicate to the vendor. 

Decision #1: Mapping MDR to business objectives

“Make sure you map your service back to the original business objectives, and that you remind the vendor and others what those objectives are,” says Greg Rosenberg, Director of Sales Engineering at Sophos. For example, if the vendor knows the customer’s objective is to be PCI DSS compliant, they can work with the customer to make sure their firewalls satisfy that objective as part of the MDR service. Beyond compliance, another objective might be stronger endpoint detection. WIth this knowledge, the vendor can prioritize their service to hunt for potential vulnerabilities in the customer’s endpoints or to check if the right policies are in place (like zero trust and least privileged access, for example).  

“Whether it be about compliance or a pure security focus — or even as a cyber liability insurance policy — having these items on a checklist where you can say ‘this is what we need to cover’ is a really good starting point,” adds Rosenberg. 

Decision #2: Identify relevant data sources for MDR and then perform health check

In the process of mapping their MDR service to the desired business objectives, both the customer and vendor will be able to determine which data sources are relevant for the MDR service, and how those data sources should be configured to achieve the business objectives. Data sources can include endpoints, servers, firewalls, identity solutions, directories, logs or any other telemetries that can enrich the findings of the MDR threat hunting team. Identifying and configuring these sources correctly is data hygiene in action, Rosenberg says. 

“When’s the last time you performed a health check against all those sources? It’s imperative to recheck that they’re configured in an optimal state. Otherwise, you may end up with a number of protections turned off, which then disables the vendor from having appropriate visibility.”    

Decision #3: Arrange personnel and processes for data delivery

Once relevant data sources are identified and a health check is conducted, it’s time to arrange the data for delivery. This step ensures that the MDR team actually receives all the information it requires to meet the objectives. Depending on the type and volume of data being delivered, it could mean tasking personnel with specific duties to ensure the transfer goes smoothly — for example, having a firewall admin make sure the provider can access firewall data, or configuring an API to give the vendor more visibility, or simply implementing the right firmware versions. The bottom line is ensuring that the appropriate data gets to the correct destination without interference. 

Daniel Thomas

Daniel Thomas is a technology writer, researcher, and content producer for CyberRisk Alliance. He has over a decade of experience writing on the most critical topics of interest for the cybersecurity community, including cloud computing, artificial intelligence and machine learning, data analytics, threat hunting, automation, IAM, and digital security policies. He previously served as a senior editor for Defense News, and as the director of research for GovExec News in Washington, D.C.. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.