Tuning Out False Positives To Find a True MDR Provider

One of the greatest challenges facing cybersecurity teams today isn’t the ever-increasing frequency and sophistication of attacks, or the constant proliferation of new adversary groups, it’s the confusion created in a crowded marketplace by the solution providers themselves. Managed Detection and Response (MDR) is a sector in cyber that is having a resurgence in activity as cyber teams are revisiting the outsourcing strategy that frees up the time of their valuable inhouse staff to focus on more critical work. As a result, vendors have flooded the market repackaging their capabilities as MDR offerings, creating confusion in the market.

So how do you cut through the noise and identify an effective solution provider? Earlier this year Gartner published its Market Guide for Managed Detection and Response Services that provided guidance, and Forrester has also provided insights into what buyers should be looking for. We have distilled their perspectives into the following principles:

1. Make sure your MDR partner nails the basics; the solution provider needs to deliver the core and essential capabilities.
2. Treat “nice to have” MDR capabilities as “must-have”; move beyond the basics and add the desirable capabilities that play a critical role in the effectiveness of an MDR
3. Pick a forward-thinking MDR provider; ensuring that your MDR provider is innovating in ways that will future proof your MDR approach
4. Use offensive security to continuously improve your MDR efficacy; augment automation with expert human analysis with purple team and threat hunting

Nailing the Basics

These are a set of “core capabilities” that you should expect from any MDR provider:

• 24×7 detection and response operations.
• A provider-operated technology stack for detection, investigation, and active response.
• Daily engagement with individual customer data for detection, threat hunting, etc.
• Turnkey delivery with tuned detection content, playbooks, and third-party integrations.
• Immediate response, investigation, and containment workflows that extend beyond alerting.

No volume or time limits on triage, investigations, and guided response activities.

The second item warrants a deeper level of consideration early in your MDR vendor evaluation process. While every MDR provider should offer a provider-operated technology stack, some customers may be better served by a co-managed MDR model based on their preferred security information and event management (SIEM) and/or security orchestration, automation, and response (SOAR) tool.

Each approach has potential advantages. Our view is that MDR providers should give customers access to both options, be transparent about the pros and cons of each, and help customers reach an informed decision based on their unique needs and future plans.

Treat “nice to have” MDR capabilities as “must-have”

As MDR solutions have evolved, providers need to move beyond the basics to stay ahead of today’s adversaries. There are several desirable capabilities we believe play a critical role in the effectiveness of an MDR relationship and should be considered must-have items on day one.

• Integrating your MDR partner into your vulnerability management and penetration testing activities to provide additional context about vulnerabilities, attack surface, and reputational impact into the MDR model.
• Access to DFIR resources with experience in conducting investigations, as well as the ability to investigate events inside your MDR platform, will optimize the effectiveness and speed of your response in crisis situations.
• MDR providers should provide security control management and security policy management to strengthen the obvious breach points that are so often overlooked or misconfigured
• Add proactive, human-led (non-automated) threat hunting that extends beyond known threats to address customer-specific threats and risk factors.

Pick a forward-thinking MDR provider

Adversaries are constantly evolving their tactics and strategies, so it’s important to select an MDR provider that is committed to continuous learning and product innovation. Even if your organization isn’t ready to adopt these solutions today you should make sure your MDR provider is innovating in these areas for when you are.

• Non-Automated Threat Response: MDR providers achieve economies of scale by automating as many aspects of threat detection and response as possible while maintaining an arm’s length advisory role during incident response. But the most effective MDR partners must meet customers where they are and ensure that they can fill any skill or automation gaps on a case-by-case basis, even if this includes manual investigation and intervention.
• Advanced Exposure Management: move beyond just VRM and MDR pairing to true discovery of individual vulnerabilities to understand an organization’s attack surface and how to reduce it over time.
• Cloud Infrastructure Monitoring: a growing percentage of application workload and user activity now occurs in infrastructure-as-a-service (IaaS) and software-as-a-service (SaaS) platforms so MDR providers must extend their monitoring to major cloud platforms and correlate on-premises and cloud signals.

Using Offensive Security to Improve Your MDR Efficacy

We believe it’s critical to combine defensive MDR capabilities with sustained offensive security measures, including human-guided threat hunting and ongoing red team, blue team, and purple team exercises. This is a topic that requires its own discussion which we will address in a future post.