Top 10 considerations when choosing a managed detection and response provider

Jan van Vliet, VP and General Manager EMEA at Digital Guardian, reviews the top factors to consider when evaluating a potential provider.

Gartner has identified managed detection and response (MDR) as the next evolution of threat monitoring and incident response services.

With cyberthreats increasing in sophistication and frequency, organisations of all sizes are looking to enhance their security posture in a bid to identify threats – and act fast before these turn into breaches.

However, building next-generation capabilities for advanced threat detection and response is a complex endeavour that requires significant investment in time and resources. Which is why more and more organisations are turning to specialist managed detection and response (MDR) providers to deliver the expertise, technology, analytics and threat intelligence needed to identify, contain and eliminate threats before these cause damage or disruption.

Indeed, Gartner predicts that by 2020, 15% of organisations will be using MDR services – up from less than 5% today.

With MDR providers set to play an increasingly mission-critical role in helping companies to secure their operations, organisations will need to weigh up a variety of factors when selecting an MDR partner.

Here at Digital Guardian, we invited a panel of data security experts to identify the top considerations companies will need to evaluate when choosing an MDR provider. Here’s what they told us.

#1 Define the requirement

Organisations first need to decide exactly what they hope to accomplish by entering into a relationship with an MDR provider – in other words, are you seeking ancillary services that supplement current tools and expertise, or a more complete protection solution? Determining this will depend on understanding your security programme’s current maturity level.

A good MDR will provide a customised solution to company-specific problems. So, defining what assets – networks and applications – you’re trying to protect will be the key to understanding if a vendor has the capabilities you require.

When conducting an interview with any prospective MDR, present them with scenarios and company-specific problems you are facing to ensure their approach makes sense, addresses your concerns and assures you that you’re not being forced into a generic solution.

Finally, make sure you understand the impact of latency on your solution. If you use an always-on cloud-based protection, you could be increasing your latency and reducing application responsiveness.

#2 Think about the future

Assess your company’s present and future technology needs and initiatives. Is the MDR provider able to address your full range of needs? For example, are your applications hosted in a data centre or cloud, and what’s on the horizon in the near future?

Don’t forget that any security strategy should encompass people and processes. So, check if a potential provider is able to offer ongoing employee training as part of their service.

#3 Going beyond technology

Don’t get dazzled by the technologies on offer. You’re going to expect a provider to be able to offer advanced technologies, such as endpoint detection and response, behavioural analytics, specialised forensics tools and proprietary security event management platforms. But you should be checking for other factors too.

For example, will the MDR provider continuously assess your organisation’s performance in terms of achieving security objectives? Also, are they able to combine data inputs from security detection tools, threat intel feeds, third-party data sources and the IT asset database to identify not only where there is a threat, but also its risk compared to others in the queue?

While MDR providers are focused on advanced threats such as lateral movement by hackers, credential theft and escalation, and command and control activity, a good MDR provider won’t let less sophisticated attacks slip through its fingers. So, check a potential partner will investigate all threat types.

#4 Don’t be afraid to pursue due diligence questions

You’ll need to be confident that an MDR lives and breathes security in everything they do. Request a copy of their SOC2 certification or any other third-party security audit, or tour their facilities. A good MDR should also be able to provide you with the qualifications of their security analysts; ideally, ask to speak to one directly so you can come away satisfied that they are skilled, engaged and experienced enough to help your organisation.

#5 Transparency is vital

Ask about what visibility you’ll have into a provider’s performance and ask to see examples of actual reports to ensure these make sense to you and your business needs. Your CIOs/CISOs should have unprecedented transparency into all aspects of the security environment through dashboards and visualisation techniques. All of which will make it easier to communicate with an MDR provider about potential vulnerabilities and threats.

#6 Check for industry-specific expertise

Your organisation is likely to face specific threats based on the industry in which you operate – manufacturing is totally different to professional services or construction businesses. Which means you’ll need to choose a provider with experience and expertise detecting and responding to industry-specific threats, as well as generic threats such as phishing.

It’s worth pointing out that it’s important to establish that MDR is a service provider’s core competence and they’re not just a general technology company that’s jumping onto the bandwagon.

#7 What’s your trust level?

Data and privacy regulations will need to be respected, so it’s important to establish your chosen provider can meet the compliance requirements you need to observe.

When defining any organisational boundary, it will be important to understand the potential of vendor hold-up. Key to avoiding this risk is establishing trust in your MDR provider.

#8 Responsiveness is all

Evaluate a potential provider’s responsiveness throughout the discovery and sales process. You need to be certain the provider you select can operate in a timely manner with practices that provide the level of response your organisation expects. As an extension of your support team, it will be important that security event information is communicated quickly and in a comprehensive way that is understandable and actionable.

During the evaluation period, check any promised response time is delivered and evaluate what out-of-hours threat monitoring looks like. Ask about what their threat response protocol looks like in the event of a successful attack.

#9 What’s the end-to-end delivery capability?

Receiving security alerts with no context will just cause more headaches for your organisation. You need to determine the full range of capabilities of the provider you’re considering. Ideally, you need a provider that can respond to various types of attack, from the moment the attack occurs to the point at which the incident has been fully investigated and your organisation is back up and running.

Having a flexible and highly capable MDR provider will be invaluable to your organisation in a time of crisis. Make sure you work with a partner that can customise their output to meet the specific needs of your organisation – ideally, one that can offer playbooks and pre-defined workflows that enable you to quickly assess and remediate security incidents based on best practices.

#10 Be prepared to test a provider’s claims

During the proof of concept period, it’s a good idea to test out an MDR provider to see if they notice any anomalous behaviours that would be important to you. If you don’t have experienced penetration testers on staff, consider using threat simulation services from a third party to ensure your potential provider is up to the job.

Not all MDR providers offer the same services or technologies, so companies will need to choose wisely by selecting the one that is the ideal fit for their organisation’s size, security controls in place and needs. You can also ask for proofs of concept to validate a provider’s claims.
