(A preview of the SC Media eBook “All about MDR: What it is and how to optimize it.") 

Managed detection and response (MDR) is a third party cybersecurity service dedicated to the provision of top-tier threat hunting and remediation.

For successful implementation of MDR, it’s vital for both the vendor and the customer to understand what their shared responsibilities are as part of this arrangement. Below, we’ve outlined what those responsibilities look like and what customers should be aware of as they explore MDR offerings. 

Steps to achieving a productive MDR partnership

#1: Updating incident response plans with MDR

In a successful MDR relationship, both parties will be on the same page when it comes to resolving a security incident. To make that happen, the customer organization should update their incident response plan to reflect which duties belong to the MDR vendor and which duties remain in the customer’s court. For example, some customers may prefer a less hands-on approach from the vendor, with the flexibility to act on the vendor’s recommendations themselves. Other customers, meanwhile, may prefer a response strategy that gives the vendor full license to remediate on the customer’s behalf. Whatever the arrangement is, the incident response plan should reflect this modified delegation of duties so there’s no confusion in a live scenario. 

#2: Identifying shared responsibility in cybersecurity

Customers shouldn’t enter an MDR relationship with inflated expectations of the vendor’s role. While it’s true that the vendor carries primary responsibility for identifying, responding to and eliminating threats, there’s some groundwork that the customer has to lay ahead of time for this arrangement to work. For example, in many cases it’s the customer who is responsible for actual configuration and deployment of endpoint tools or other telemetries that ultimately feed into the MDR vendor’s decision-making. Conversely, it’s the MDR vendor’s responsibility to make sense of the telemetries that have been provided to them. That means drawing conclusions, eliminating false positives, recommending actions, and updating customers on newly discovered vulnerabilities. As customers explore MDR offerings, they should probe potential vendors on what types of coverage they offer as well as the nature of responsibilities the vendor expects the customer to fulfill in kind. 

#3: Keep business concerns front and center

MDR vendors provide customers access to elite threat hunting professionals with years of experience spent finding and eliminating threats. However, no one will be a greater expert on a customer’s business than the customer themselves. 

“We can make all the suggestions and recommendations in the world, but we never want security to be a hindrance to the business,” says Mat Gangwer, Vice President of Managed Threat Response at Sophos. “We can tell a customer to do X, Y and Z – but maybe those things just can't be performed because there's reasons that the business can't do them, or would even impede the business if they did do them.”

Customers have a responsibility to harmonize MDR recommendations with business objectives. That requires communicating to the vendor when a suggested course of action would jeopardize business continuity or undermine the work of other teams. Remember that the vendor is an expert in detection and response, not the needs of the business. The latter is up to the customer to make clear.

"We can make all the suggestions and recommendations in the world, but we never want security to be a hindrance to the business."

Mat Gangwer, Vice President of Managed Threat Response, Sophos

#4: Cyber hygiene and IT policies make MDR more effective

An MDR relationship will yield significantly more mileage for customers who are already serious about enforcing cyber hygiene. Sophos’s Gangwer says it’s a game-changer when his clients have good password policies in place, keep up to date with patches, and train their workforce to identify and report potential threats. “The more resilient customers can be, the less we [Sophos] will ultimately have to deal with on a day-to-day basis in terms of dealing with legitimate threats. If we can eliminate that from the get-go, then we can move up the value chain in what we provide for the customer.”

Conducting routine data quality or data sanity checks is another way customers can align their efforts with the vendor. “To the extent that you can, make sure that the sort of things you're going to be sending to your vendor are normalized,” says Gangwer. “It just makes it a lot easier for you or your [vendor] partner to work with that data in the long run.”

#5: Be an active collaborator

Having an active and collaborative relationship with the vendor will make for a satisfied MDR customer. What does that mean in practice? For one, it means designating someone inside the business to be receptive and available to the vendor’s questions or recommendations. This person (or team) can take the vendor’s suggestions and filter them through the business’s needs, or alternatively push back on the vendor’s suggestions when necessary.

“This person will have a lot more clout within the organization to make things happen and affect business change,” says Gangwer. “They can escalate our suggestions, chase down internal business units, and actually ‘talk the talk’ with their security folks. 

Active collaboration means asking questions and being receptive to change as well, as well as trusting the vendor to perform the job entrusted to them. “There's always an element of trust. We need them to trust that we're capable and can do the job. That's something that's earned, we don't expect that on day one. But over time, as we continue working with our customers, that would be something we hope we can gain through the work we perform.”