Managed Detection and Response, or MDR, is on the cusp of becoming a mainstream cybersecurity solution, and for the right reason. Despite mounting threats, an ever-changing cybersecurity landscape, a talent shortage that’s not getting better, and increasing external pressure from governments and customers to keep data secure, companies just don’t have the resources, budget, staff, or tools to build a full-service cybersecurity department in-house.
As a result, MDR services are offered to organizations to help supplement their cybersecurity needs. While the MDR services can vary across firms, organizations can expect to have better detection tools and systems, while also having support on the response side.
These MDR providers can serve as near-complete outsourced cybersecurity departments for a given company, or they can work with an existing department to partner up, shoring up gaps an organization has in their cybersecurity posture.
With MDR, an organization is better at knowing when it is being attacked, and has the resources needed to respond appropriately in order to excise an attacker or reduce the damage a compromise may bring.
But not all MDRs are built the same and it’s important for organizations to vet them accordingly, avoid pitfalls, and work effectively with them. Not only do organizations need to find the right MDR, but they need to be operationally ready for them.
Here are a couple of considerations you need to be aware of when in the market for Managed Detection and Response.
Are you buying into MDR marketing or hype?
This advice can be applied across the cybersecurity vendor market, but it matters a lot here as well. Too often, MDR services overstate their abilities, lean on common buzzwords like AI or Machine Learning, or tout that their services are automated in hopes of creating a bit of FOMO on the side of new customers.
While these technologies aren’t a downside, they’re still nascent enough that they’re unlikely to be the key driver behind an MDR’s success. If an MDR is relying heavily on these new technologies and not on its own team of experts, that could be a cause for concern.
In a similar way, MDRs can market their ability to ingest massive amounts of data, but as we’ll discuss below, that may not be the best way to approach cybersecurity and you’ll end up with a noisy MDR provider.
“You still need intelligent people that are going to go and either configure machine learning, build new use cases,” says Dan Pitman, Director of Technical Solutions at Bitdefender, “or move forward to make sure that we're augmenting [new] technology with people.”
These new technologies need to rely on human input, and in a field like cybersecurity, where things are changing on a week-to-week basis, relying on automated tech based on old inputs may lead to false positives and a failure to detect novel threats.
When speaking to an MDR provider, make sure you’re getting them to back up their marketing and paint a clear picture of how they’re marrying new technologies with established cybersecurity approaches and processes.
Is your department clear about achieving cybersecurity goals and outcomes?
An MDR is a significant cybersecurity partner and should be a major part of your cybersecurity team’s roadmap. This means you have to come to the table with expectations and goals to make sure not only that your MDR can get your organization to the secure state it needs to be in, but also that you’re making the MDR as effective as possible.
For example, you start working with an MDR and connect it to your data stream. But because you didn’t take the time to establish goals, the MDR ends up ingesting all your data and your team ends up with an overabundance of alerts and noise.
“...those providers are effectively alert factories,” says Pitman. “They are going to take that data in and they're going to give you an alert back...the more data you put into a system...the more alerts are going to get out.”
In a similar way, you might be adding an MDR to an existing security environment that includes a SIEM, virtualization services, EDR, and a number of other partners and vendors. Have you appropriately assessed how the MDR fits within your existing environment? Are there overlaps in what your partners are monitoring, incremental gains in your security posture, or are they filling a major gap?
If you’re not thinking of how an MDR vendor holistically fits within your broader vendor ecosystem, you may struggle with vendor complexity and may find that your team doesn’t have the time or resources to make the most of what the MDR has to offer.
Don’t be scared to ask questions throughout the vetting process — an MDR vendor should be able to have a conversation that gets to the root of whether it can help you achieve your departmental and organizational goals.
Work with the MDR as a mutual partner
While the MDR vendor is providing a lot of services for you, it would better suit your organization to work as closely with them as possible, resources allowing. Like we mentioned before, being clear about objectives, departmental goals and outcomes, and even making sure the MDR service fits within any existing frameworks you’re using can help the solution serve you best.
But you also have to put systems, processes, and communications in place to help streamline efforts as the MDR vendor works within your environment and with your team. This means making sure you have a process in place to take action on recommendations, whether they stem from a discovered vulnerability or an accidental exposure.
You should also set parameters for what MDR vendors can or can’t do within your environment as they undergo threat hunting and as they spot attacks or threats. You should be most familiar with which systems your organization can afford to have go down for a brief period of time in the case of an attack and which should be addressed on a case-by-case basis with you involved.
“It's important to have processes and plans in place,” says Pitman. “One way we do that at Bitdefender is by making sure that we have a set of pre-approved actions that we can take on the customer's behalf.”
Going through various scenarios and being clear on what the MDR vendor has permission to do will save your team hours on a weekly basis, letting the vendor work on its own and eliminate threats in the background while contacting your team only when absolutely necessary.
As you consider a Managed Detection and Response service, you should also be working internally to ready your organization.