How to select an MDR Service Provider

Now that it is becoming clear that blocking 100% of cyber attacks is not possible, that prevention, damage control and a recovery plan are the most efficient strategies: Managed Detection and Response (MDR) is becoming one of the most important tools for Small and Medium Enterprises (SME). 

For this blog, we will assume that you already understand why you need some MDR in your life, if you are not convinced yet, we have other blog articles that can help you see why. To start let’s first agree on what we mean by MDR, the most important pieces are in the name!

• Managed: This is not a tool; this should come as a service from a provider that understands cybersecurity and can help you become more cyber resilient. Including adding new Indicators of Compromise (IOC) as they become available.
• Detection: One of the two key attributes is the ability of the service to detect [potential] cyber incidents.
• Response: The other key attribute is the ability of the service to respond to those detected events.

So to recap, if you are buying a tool that you need to install and manage yourself, it’s not managed. If the service you get sends you alert and let’s you “take action”, that’s MD, not MDR. If they only monitor events from end points that’s EDR (Endpoint Detection Response). And if they claim they can do more then everyone else with eXtended Detection and Response (XDR), that’s marketing.

Now that we know what MDR should be from a service perspective, let’s focus on the outcome: making you more cyber resilient. The two main aspects to improve your cybersecurity posture are completeness and speed.

• Completeness: The service should be analyzing all your cyber security events, if it does not have all the events, you are partially blind.
• Speed: The sooner the incidents are getting mitigated, the smaller the potential damage.

We now get into the most complicated part of the equation: filtering. The service will be ingesting tons of events, most of which are not important (from a cybersecurity perspective): users mistype passwords all the time and firewalls get attack all day long… So one of the most important aspect of the service is to classify those events into categories, something like “urgent” vs “not urgent”. We also like services that include some automation to trigger containment actions when high risk events are detected. This comes down to a business decision, do you prefer false positives (a device/service got taken offline by a containment action and released by a human an hour or two later once it’s confirmed to be safe) or a missed negative (system flagged it as a “maybe”, no automated action was taken, by the time a human looked at it Monday afternoon, the attacker got a deeper foothold in the environment).

At a minimum, an MDR service should help you deal with the “urgent” issues, if you are an Small or Medium Enterprise, you probably do not have a 24/7 Security Operations Center (SOC) to respond to those events, they must. I would argue here that automated containment actions are not sufficient to qualify as a “response” here. The main reason today is technical: most containment technologies are focused on “managed end-points” (PCs/Servers) that are running some form of agent, they cannot take containment actions on other potential sources of attack like firewall flows or OT (Operational Technology) devices like sensors and automation devices. So the Respond service must be able to manage the other device types.

For “not urgent” events, the service should still identify all of those for you, they are important to help you improve your cybersecurity posture, but they can be planned to be reviewed and actioned during the daytime.

So you have it, the key point for a good MDR service: Managed, Detect, Respond, Complete, Speed.

To help you evaluate potential service/vendors, we have created a checklist you can use to quickly review the key criteria we are proposing here and help you make decisions faster so that you can be protected sooner. You can download it here: pdf or xlsx.

You should also make sure you have your basis covered, more in our Cybersecurity 101.