UncommonX - Blog

What to Look For in a Managed Detection and Response Provider / Part 1

Written by SOC Team of Security Experts | Mar 1, 2022 1:00:00 PM

This is the first of a two-part series.

Choosing a managed detection and response (MDR) provider can be difficult. Here are some aspects to consider and investigate during your search. These are in no particular order but they’re all important when making the right choice for your organization.

What the MDR provider offers

While some MDR suppliers offer just managed detection and response, others go beyond that, acting as a true partner in the security maturity of their clients. From those, you can expect security maturity and technology assessments, compliance testing and gap assessments, incident response, security consulting, and even assistance with training. Understand what they offer. It’s also best to have all services through one vendor with a single point of contact in case there’s ever a problem.

Primary and Secondary SOCs

Just as you ensure you have backups for all you do in IT, your MDR provider should have a primary and a secondary (backup) security operations center (SOC). Murphy’s Law dictates that bad things will happen. If they do, make sure the company that’s taking care of security has planned contingencies. It’s also a good idea to ensure their SOCs are geographically diverse and on different power grids.

Hours of Operation

Some businesses only need Monday to Friday, 9:00 a.m. to 5:00 p.m. service. Others need full 24/7/365 coverage. Decide what you need and choose an MDR provider that offers it. There will be costs associated with whatever level of service you seek.

SLAs/SLOs

In this category, vendors vary greatly. A good amount of the work done by an MDR provider is automated, but the important work is often pushed from automation into the hands of experienced, living and breathing techs and engineers at the SOC.

Read the service levels and ask questions about how they escalate alerts. More importantly, find out how they communicate alerts throughout your organization.

Security Assessments

A full-service MDR supplier will have a professional services team that can help identify gaps in both security and compliance within your organization by running assessments. They will have experience not only in security but also in IT and in running organizations. Ideally, they can also identify areas that need improvement and guide you through the process of completing any necessary changes.

Additionally, it is helpful to have a provider that thoroughly understands attack surfaces, how they are manipulated, what threat actors’ goals are, and how to respond to and mitigate these threats. A full-service provider will understand your daily environment and be able to help with security maturity and incident response.

Incident Response

If your MDR provider doesn’t offer incident response support, then they are a fire alarm, not a fire department. MDR providers who handle malware, botnet attacks, and ransomware attacks every day have built up the muscle and discipline necessary to respond to incidents, triage them, and fix all attacks. More importantly, they can help prevent incidents before they happen.

If your MDR supplier and your incident response vendor are the same company, it will speed time to resolution for whatever incident occurs. They know your network inside and out, and there’s no need to go searching for a separate incident response vendor while engaged in an incident. In this case, one provider can make a big difference in effectiveness and overall costs.

Machine Learning and AI-Based Technology

These aren’t just today’s buzzwords. Machine learning, done right, will help reduce costs and speed up processes, reducing the time to resolution. AI-based software can do the same. When dealing with millions of security events each month, the more an MDR provider makes use of tools like artificial intelligence and machine learning, the more it helps lower costs.

Machine learning and AI are more effective than monitoring by people alone. This automation results in fewer false positives and quicker incident resolution. This also means that since the vendor doesn’t need to hire as many techs and engineers, they can often offer better rates to clients.

Diverse Toolset Management

Since your infrastructure is not static, search for an MDR vendor that can work with a variety of tools (O365, AWS, Azure, G-Suite, etc.). Also, if they don’t currently offer a plugin for the security software you have today, ask if they can and will create one. The best providers can and will do it quickly.

Scalability

Companies like yours are growing top- and bottom-line revenue every year. There are constant mergers and acquisitions. Be sure your MDR provider can handle any size growth you achieve in the next 12 to 18 months — and beyond. MDR providers with experience understand this concept and are prepared for the unexpected. In fact, they plan on it!

Established Company

When interviewing MDR vendors, it’s important to know how long each has been in business. In my experience, there’s a very large learning curve when it comes to understanding not only what customers want and how they need it, but also to being able to deliver on those wants and needs. A minimum of five years is what I’ve seen in organizations that are capable of delivering the appropriate level of protection for clients.

For the second part of this topic, click here

To learn more about how UncommonX’s security platform can benefit your organization, contact our team to request a demo and talk about your specific security needs.