Making the right decision with the five things to look out for when you run a trial
Managed Detection and Response (MDR) services offer a turnkey technology approach for companies that have little or no existing in-house capability for threat detection, response and investigation. For any company that finds itself in need of an outside MDR service to bring their security operations up to scratch or introduce this capability as quickly as possible, it’s vital to make the right decisions. Otherwise, you’ll end up spending money on a service that doesn’t solve the problem. That just leaves you facing the same issues, but now you no longer have any budget left to fix them. That’s why it’s crucial to get things right the first time.
What should you look for in MDR?
In the next five years, we expect to see a significant increase in the number of companies using MDR services. While MDR is ideal for mid-size organizations, it has applications for enterprises of any size. MDR service providers offer a broad range of specialist threat detection and response capabilities using outcome-based approaches. They typically concentrate on providing high-fidelity threat detection and validation capability that focuses on countering attacks that have bypassed protective security controls such as firewalls and endpoint protection.
However, MDRs come in many different shapes and configurations; you need to understand which elements fit your specific use case, as one size won’t fit all for these services. The reality is that most MDR service providers simply resell someone else’s technology, marking up the price but offering no tangible benefits. Even worse, some service providers still use solutions that rely on logs and off-the-shelf security information and event management (SIEM), backed up with their analysts. Such a solution is no better than a managed SIEM or EDR, but with the higher costs of an MDR. Watch out for any provider offering “advanced detection” services.
Also, be wary of any Managed Security Service Provider (MSSP) who offers an MDR service. Rather than being a proper MDR service, this is typically just a bolt-on addition to their basic services. Such a solution will never deliver the results that a genuine MDR service provides, while incurring all the inefficiencies and defects of a compromise hybrid solution.
Nothing beats word-of-mouth recommendations from friends for honest and reliable intelligence about how good any service really is. With a plethora of social and business networking options available, it’s easy to ask colleagues, friends, and even casual acquaintances for their opinions on a service provider. Unless you’re looking in a particularly narrow niche, there are bound to be people out there with a similar setup who have bitten the bullet and hired an MDR service provider. They can tell you exactly how good or bad they are.
There is a growing trend for security service providers to focus on specific industry verticals as a means of leveraging their internal expertise and differentiating their services. Looking to see what the businesses around you are doing is a great way to see which service providers have experience and capabilities that match your specific needs.
While some service providers will happily provide a list of customers who are happy to provide a reference, remember they are only going to refer customers who they are sure will give a glowing review. If you do go down this route, don’t forget to take some healthy skepticism with you.
Why you should try before you buy an MDR service
There are hundreds of companies that advertise MDR services, each claiming to be the best, the cheapest, the most innovative… the list of advertising hyperbole and claims of unbeatable benefits is endless. But how can you trust what they say? You need to see through the marketing lingo and precisely understand what the service they offer will do for you and, equally crucial for your security, what it won’t do.
The solution is to try before you buy. Run a proof of concept trial to see if the claims in the brochures hold up in your own company’s circumstances. The deployment of the MDR will be on the inside of your network, on all the chokepoints and endpoints, so you need this deployment to be seamless, painless, and as non-intrusive as possible. Any MDR service should rapidly identify and limit the impact of security incidents on a 24/7 basis, focusing on the core services of remote threat monitoring, detection, and targeted response activities. You need to be sure that the service provider you choose not only delivers these core services but does so in a way that works for you, and provides the security you need in a language you can understand.
Any trial won’t be exhaustive or provide all the answers, but it’ll answer most of the important ones and give you confidence that the service provider knows what they are doing, can handle the work, and can deliver what you need when you need it. Also, with any trial, you’ll end up working with the front-line technical staff rather than the salespeople. These interactions provide valuable insight into how your working relationship with the service provider is going to pan out. Salespeople are great talkers and have no qualms about promising the earth for the price of a few beans. The technical staff are realists and tell it like it is, even when there’s a salesperson next to them, kicking them in the shins because they think the truth might be losing them the sale.
So, what if the service provider you choose to approach will not support running a trial? Ask yourself why they are reluctant and what they are trying to hide. Signing up for an MDR service is usually a long-term commitment, and it won’t be cheap, so any decent service provider should be delighted to have the opportunity to show you that they can be the partner you’re seeking.
What should you look for in any trial?
- How well does the MDR service fit with my existing systems?
The MDR service must work out of the box with your existing systems. You don’t want to have to spend precious time and money changing your systems to work with the MDR service. Conversely, you don’t want an MDR that needs to be radically adapted to fit your systems, because you know you’ll end up, one way or the other, paying for the adaptations and for supporting maintenance and upgrades to this bespoke solution.
Similarly, if you have existing security such as anti-virus, IPS, sandbox or SIEM technology, you want an MDR service that seamlessly integrates with it and accommodates any peculiarities in your systems. The alerts from your existing security controls should feed directly into the MDR incident response lifecycle without imposing any additional workload on your business. Remember that MDR solutions do not suit all organizations, so if the services offered do not fit with your existing infrastructure, consider other options that deliver your defined outcomes and goals.
- Does the MDR service work in a live environment?
Plenty of MDR service providers will offer demonstrations and flashy presentations, but showing a service working in a carefully controlled environment can tell you very little about how it will work in the real world. There’s no point getting a service that gets overwhelmed by the standard quantity of events that your environment generates, cannot cope with the volume of real traffic, or falls over whenever something unexpected happens. If coverage of the latest innovative capabilities is required, the trial should ensure that the service provider can demonstrate a mature and proven ability. Any try-before-you-buy assessment must be run on your live environment, or at least a test environment that’s a close match, to be of value.
- What sort of company are they?
If you’re after a long-term security partner to deliver the MDR service, then you’ll need to find someone that you can deal with on a day-to-day basis. In times of crisis, you’ll be relying on these people, and you have to be comfortable working with them as you fix the problems. There’s no point keeping any secrets from them, as that will just delay resolution of the issues that led to the crisis, so you need to find someone you trust, can communicate with, and who is entirely dependable.
Ideally, you’ll find someone who will take away all your problems and return with solutions that are easy to implement, rather than someone who takes up all your time by generating a deluge of requests to investigate spurious events. Your MDR provider should not send you unvalidated alerts or false positives and expect you to conduct the investigation. Communications should ideally be direct between your staff and the MDR provider’s analysts; you don’t want to be dealing with them through a portal or via service tickets when there are urgent matters to resolve. In a perfect world, the MDR will adapt to recognize and report only those issues that are important, leaving you to concentrate on running your business.
- Will they add value to my business?
Well-performed incident response takes time and skill, which many organizations just don’t have, especially when detecting multiple threats in a short time frame. This situation is where the service provider should step up to the plate, but merely reducing the time to discover a breach is meaningless without a corresponding reduction in the response time, so you need a service provider who will act fast.
MDR services should bring round-the-clock threat detection, incident investigation and response capabilities to your business. However, you will still need internal resources to provide support where necessary. Finding human attackers and conducting accurate and timely threat hunting is not an easy task, which is why you’re looking to outsource. Your MDR provider should be able to show you how they perform their work, what types of skilled professionals they have, and how their team will work with you and share their knowledge.
- Will the service evolve as our business evolves?
One certainty in business is that your company will need to change and adapt as the world changes and your markets change. I bet you didn’t predict 12 months ago exactly what challenges your business is facing today. The same is true for the security threats you face; these continuously evolve and mutate, with the bad guys always looking for new tricks and techniques, new holes in your defenses, and patiently waiting for that moment when they think you’ve dropped your guard.
That’s why you need an MDR that’s adaptable enough to keep up with you and can adapt to any changes to your systems or your security controls. The provider should be able to offer fast, scalable turnkey deployment of services that keep pace with your evolving requirements. While a trial won’t provide this insight, talking with the service provider about past and future developments and their aspirations for their service can give confidence that they are the right people to take with you on this journey into the corporate unknown.
Additional benefits of running a trial
A trial can shine a light on the real state of your current security measures. If your existing security controls are ineffective, the chances are that they won’t detect any breaches should they happen. A company that thinks it is secure because no breaches are detected tends to rest on its laurels and is unlikely to commit additional funds to enhance security. Most companies only undertake serious investment in security after they suffer a severe and publicly embarrassing incident.
Undertaking a trial has the potential to provide a better picture of the security of the company’s systems and, if they are as bad as you suspect, to provide the impetus for funds to be made available to plug the gaps. Having a trial system running and a quote for turning it into a live system will make getting the necessary funding a lot simpler for the CSO. All the difficult questions that the board can ask will already have answers, and any risks will have been eliminated. If a director asks, “So will this work?” the CSO can point at a screen that shows it’s already working.
Before choosing your MDR provider, it is essential to have clearly defined outcomes and goals that address defined use cases, which you can use as a benchmark to assess the provider’s capabilities. You also need a solid understanding of where you see your business going in the future once you have engaged an MDR provider. Being armed with this knowledge helps ensure you make the correct decision. If you perform sufficient due diligence, then the chances of success are greatly improved.