MDR: What to know before you buy, part 2


(A preview of the SC Media eBook “Buying MDR: How to determine needs and choose your solution") 

In part 1, we looked at a few items that organizations should keep in mind before partnering with a vendor offering managed detection and response. Those were:

  • 1: Determining if MDR is right for a company
  • 2: Determining the right level of MDR support
  • 3: The importance of researching MDR vendor history

In this second installment, we continue to explore other considerations that can help inform the buying process.

4: Ask vendors for stats

Think of your favorite pro sports team. Would they ever let any individual join their roster based on blind intuition? Certainly not. There’s a thorough evaluation of candidates based on scouting reports as well as past and recent performance, much of which is heavily stats-driven.

With similar rigor, MDR buyers should carefully scope out the whole market and base their buying decision on facts, not hunches. For example, there’s several ‘softball’ questions every MDR vendor should be able to answer. If they can’t (or attempt to steer the conversation elsewhere), that’s a red flag. These include questions such as: 

  • How many customers does the vendor currently have?  
  • Does the vendor provide 24/7 coverage 365 days a year? 
  • What is the average time it takes the vendor to detect, respond to and resolve threats?
  • What data sources / telemetries does the vendor use to inform their findings? 
  • Is the vendor’s approach to threat hunting lead-driven, leadless, or both? 

There’s many more questions customers can ask, ranging from what’s included in the scope of service to the types of technologies being used, and more. Customers exercise due diligence in requesting these types of information to ensure the vendor they choose is the right fit.

5: Request a demonstration

Besides requesting data on a vendor’s performance, it’s also a great idea to have them ‘interview’ for the job. One way to do this is by asking a vendor to roleplay a security event from beginning to end, and observe how they approach each checkpoint in the MDR timeline. Some questions to keep in mind are: 

  • What did the vendor prioritize based on the specific actions they took, and do those priorities align with the customer’s priorities? 
  • Are they amenable and receptive to customer feedback?
  • What are the metrics they use to determine if their actions were successful or not? 
  • How do their actions compare to demonstrations by other vendors?
  • How much of their actions require availability and engagement from the customer?

The ‘try it before you buy it’ approach is a smart way to vet MDR vendors before pulling the trigger. The best vendors will anticipate this request and provide examples that showcase how they approach the job.

6: Understand your responsibilities as a customer

MDR may be a service provided by an external vendor, but the potential impact it has on the business means this partnership requires buy-in and responsibility from both sides of the aisle. Trust, accountability and availability are critical to the relationship working as intended. 

“There's always an element of trust,” says Mat Gangwer, Vice President of Managed Threat Response at Sophos. “The customer needs to trust that we're capable and can do the job. And that's something that's earned, we don't expect that on day one. But over time, as we continue working with our customers, that would be something we hope we can gain through the work we perform.” 

MDR doesn’t absolve the customer of enforcing good cybersecurity practices, either. In fact, it’s these practices — such as setting good password policies, keeping up to date with patches, and implementing proper end user policies — that ultimately create the foundation on which MDR can truly thrive. By owning their side of the cybersecurity equation, customers can enable providers to focus efforts on more challenging problems higher up the value chain.

Finally, it’s important to determine the level of availability and communication the vendor needs out of the customer. If the answer to that question is constant availability and communication, the vendor might create more complications for the customer than they solve. Conversely, if the vendor expects near-zero engagement from the customer, this could create an environment where threat intelligence is shared sparingly or not at all, blocking the transfer of valuable insights that could ultimately aid the business’s strategy going forward. The ideal customer-vendor pairing is one that entails a fair share of responsibilities for both sides, and is marked by transparency, healthy collaboration, and trust in the vendor’s expertise.

Daniel Thomas

Daniel Thomas is a technology writer, researcher, and content producer for CyberRisk Alliance. He has over a decade of experience writing on the most critical topics of interest for the cybersecurity community, including cloud computing, artificial intelligence and machine learning, data analytics, threat hunting, automation, IAM, and digital security policies. He previously served as a senior editor for Defense News, and as the director of research for GovExec News in Washington, D.C.. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.