(A preview of the SC Media eBook “Buying MDR: How to determine needs and choose your solution”)
The vigilant services of a managed detection and response vendor can be a powerful weapon in an organization’s cyber toolkit. However, outsourcing SOC responsibilities and threat hunting oversight to an external partner is an important decision, and there are a few steps companies should consider before making the investment.
1: Determine if MDR is right for you
Even advanced cybersecurity software — like firewalls, network monitoring tools, SIEMs, and so on — can’t identify every threat hiding in your IT environment. MDR is an attractive option not because it addresses limitations in technology, but in talent.
Every year, new studies emerge that tell the same story: deep cyber expertise, the kind that is capable of investigating and eliminating threats before they strike, is in extremely short supply. Even when such experts are within reach, they command salaries that disqualify many companies from even competing for them in the first place. Not surprisingly, seven out of every ten organizations report being understaffed in the cybersecurity department, according to a recent study from the non-profit (ISC)2. Meanwhile, hundreds of thousands of cyber jobs around the U.S. remain unfilled.
Therefore, MDR is a great option for companies that lack the budget and prestige to attract elite threat hunters on their own. But it’s also a good way to support small security teams who currently feel overwhelmed by the daily deluge of threat data being picked up on the network, or who lack the ability to prioritize vulnerabilities by severity and context.
Additionally, MDR makes sense for companies experiencing digital transformation pains. With vendor support, customers can restore visibility into endpoints and other telemetry that may have been obscured by moving workloads to the cloud. MDR-provided threat hunters can also help companies shed their reactive cyber posture and engage in the proactive hunts that are increasingly necessary for discovering and defeating ransomware operations.
In short, it’s good to have a full understanding of how MDR’s use cases can address limitations in training, staffing and expertise. On that note, we recommend organizations research what’s covered under MDR (as well as what isn’t) to get the full picture.
2: Determine how much support you need
Not every company seeking MDR support will be in the same league when it comes to cyber and threat hunting maturity. Consider the large enterprise with a fully staffed SOC, versus the small-to-medium-sized organization operating on a tight budget. Both can benefit from MDR, but where the former might just need a second opinion in validating potential threats, the latter might decide to outsource nearly all of its SOC requirements to the vendor.
This flexibility is something every MDR vendor should be able to provide, meeting the customer on their own level rather than locking them into any one path. Depending on the customer’s needs, MDR can vary in terms of involvement and action:
- Fully embedded: The vendor completely manages threat response on behalf of the customer.
- Collaborative: The vendor works in tandem with the customer’s SOC, responding to threats as a joint partnership.
- Alert and advise: The vendor alerts the customer’s SOC to threats and provides remediation guidance, but does not execute remediation itself.
Sophos, a vendor providing MDR assistance for the SOC, works with its clients to find the support level that is right for their needs.
“If it’s a very immature program, we can perform basic blocking and tackling on their behalf,” says Mat Gangwer, Vice President of Managed Threat Response at Sophos. “As they get more mature, they [the customer] may add staff to handle threats internally, and we [the vendor] can dial back our response. We can still ‘talk the talk’ with their internal security team, but now they have more clout since they’re the ones escalating our recommendations and chasing down business units to effect real change.”
3: Investigate vendor histories and specializations
It’s worth taking time to investigate what a vendor did prior to offering MDR as a service, and whether that history would inform the type of technologies, talent or processes they bring to the table.
“In terms of MDR providers, the first category includes those who are predominantly providing the technology and the service together,” says Gangwer. “The second category of providers would be those who integrate more predominantly with third-party technologies or data that the customer has already purchased. In those cases, their technology is kind of the platform rather than the endpoint EDR solution or firewall [itself].”
The sweet spot, Gangwer suggests, is finding a vendor that will work with the customer on both fronts, bringing years of specialization in one area while expanding their services to address other MDR requirements.
By learning more about a vendor’s pedigree, a company can determine with greater precision what that provider’s MDR strategic roadmap looks like and how its offerings may evolve or diversify over time. At the same time, it can get a detailed understanding of the provider’s detection and response methodology, its quality of customer service, its record of dealing with cybersecurity breaches, and its outlook on emerging threat trends.