When Gartner first began tracking the market for Managed Detection and Response (MDR) security services back in 2016, it listed just 14 companies as representative vendors. Today, the global analyst firm estimates that more than a hundred providers currently claim they offer MDR services.
As the security landscape grows more complex, it’s only logical that increasing numbers of organizations will seek out comprehensive security services. While traditional managed security service providers (MSSPs) primarily took responsibility only for remotely monitoring a customer’s security tools and infrastructure, an MDR provider typically includes alert analysis, threat investigation and incident response capabilities within the terms of the engagement. It’s an attractive proposition for companies looking for a turnkey experience.
Demand for these services is skyrocketing, and many prospective providers are rushing in to meet it. Some come from adjacent areas such as traditional managed security or IT services, while others are telecommunications carriers or management consultancies eagerly jumping on the MDR bandwagon to take advantage of this relatively new market’s rapid growth.
But with so many providers competing for business, it can be tough to differentiate between them. Everyone promises that their services will be reliable and easy to consume. Everybody claims that their offering provides great value for what you’ll spend. And there’s so much technical talk and confusing jargon in the field that it’s hard to figure out who’s telling the truth.
As we mentioned in a recent blog article, here at BTB we’ve been providing MDR services for many years, and we were doing so long before all the hype started.
On the basis of our extensive experience, we’d like to share the top five questions that we recommend you ask prospective providers you’re considering working with. Listen to their answers thoughtfully and evaluate them with care. This will give you a clearer picture of which MDR provider will best fit your organization’s individual needs.
#1: What’s in their DNA as an organization?
Nearly every firm that’s now offering MDR services has a background in some aspect of IT, telecommunications or cybersecurity. But this experience may or may not be directly relevant to building and running a highly effective security operations center (SOC).
Do the MDR provider’s employees have extensive experience in “advanced” security disciplines like threat hunting, penetration testing or forensics? Or do they come from a venture-backed think tank that’s primarily product-focused?
Understanding the company’s history will shed light on what are likely to be its top priorities and strongest competencies.
#2: How much visibility into your environment will they have?
How many different types of log data do they plan to collect within your environment? What types of threat intelligence do they rely on?
As endpoint detection and response (EDR) solutions have become popular, a growing number of providers are leveraging these tools because they provide in-depth information about what’s happening on endpoint devices. Though this data is valuable, if you’re not gathering service and network data too, it’s possible to miss late-stage attacks. Look for a provider who seeks broad visibility into a wide variety of different types of network and host logs, security events and usage data from cloud applications.
#3: How will they make use of the log data they collect in your environment?
It’s relatively simple to collect logs and feed them into a security information and event management (SIEM) platform or other data analytics tool. It’s another matter to be able to monitor this information in real time. Writing rules that enable log management solutions to alert on the right events — the ones that are truly meaningful in your organization’s IT environment — isn’t easy. Nor is it easy to know which of the hundreds or thousands of alerts that these solutions generate every week are most worthy of a security analyst’s limited time and attention.
Figuring out what’s most important to pay attention to requires skill, experience, and a baseline understanding of what’s typical in an individual business’s unique computing environment. In the end, the quality of security monitoring is arguably more important than the sheer quantity of data that’s being collected.
#4: What’s their pricing model?
Some MDR providers charge on a per-user basis, while others calculate pricing on the basis of the number of servers or endpoints in your environment. Still others may include additional costs for each firewall or other security appliance they’re monitoring or set limits on the amount of log data that they can handle.
Choose a solution that will enable you to scale up and down in accordance with your business needs, and one with a pricing model that’s transparent and easy to understand.
#5: Are you a good fit for my company?
Every MDR provider should have well-defined standard operating procedures that outline how they handle particular workflows. Some clients want to be able to retain a great deal of control over threat and incident response processes in their environment. Others would prefer their provider to simply take charge of everything.
A good match for your business means that the provider’s capabilities and preferred ways of working will dovetail with your requirements and expectations. Ask what types of services the majority of their clients use, and how comfortable their team is with taking action on clients’ behalf.