Top Considerations for Choosing a Managed Detection & Response Provider

by Ellen Zhang on Wednesday March 6, 2019

A panel of data security experts discuss the the top considerations for choosing a Managed Detection & Response provider, including scale, technology, experience, and cost.

18 Data Security Experts Reveal the Top Considerations for Choosing a Managed Detection & Response Provider

Companies outsourcing security need Managed Detection & Response providers (MDR) more than ever to improve cyber resilience. With the security landscape growing more complex, and the costs of maintaining adequate in-house security teams high, it makes sense for many companies to outsource the tasks of threat hunting and response to ensure that they can promptly identify potential threats and react swiftly to mitigate damages. Managed Detection & Response providers often integrate tools such as Endpoint Detection & Response and other solutions to detect threats, analyze risk, and correlate threat data to pinpoint patterns that could indicate a larger attack.

Because Managed Detection & Response providers play an integral role in maintaining a company's security posture, it's vitally important to carefully weigh all considerations when selecting a MDR provider. To help you understand the various factors and other considerations you should evaluate when selecting a provider, we reached out to a panel of data security experts and asked them to answer this question:

"What are the top considerations for choosing a Managed Detection & Response provider?"

Julia Tokareva
Dmitry Nikolaenya
Nate Masterson
Cassidy Collins
Jon Zayicek
Eoin Hinchy

Christopher Gerg
Kendall Blaylock
Sean Spicer
Rodrigo Montagner
Rob Black, CISSP
Zachary Stern

Read on to find out what our experts had to say below.

Nik Vargas

@switchfast

Nik is the Chief Technology Officer at Switchfast. He is responsible for the overall client experience delivered by the Operations Team and works every day to maximize and protect Switchfast’s clients' investment in their IT infrastructure. With over 12 years of experience in IT managed services, Nik joined Switchfast as a Systems Engineer and helped build the company into the thriving business it is today.

"If you are looking for an MDR provider..."

You already understand the value of security and maybe you have tools like SIEM and have some security-minded people on your IT staff, but you are looking to take your security posture to the next level. This is a great idea because MDR providers embrace the fact that a security incident will happen, and they seek not only to prevent, but also respond as quickly as possible to incidents; furthering an organization's cyber resilience.

When choosing an MDR, don’t let their marketing dazzle you; it is an evolving service offering and often over promised, and under delivered. Speak in terms of what matters to you and your business; give them specific scenarios and listen to how they would not only seek to prevent, but more importantly how they would react to a specific security incident. In addition, don’t let their technology be the answer to everything. They should be able to provide you with qualifications for their security analysts, and ideally you get to speak with one directly and come away satisfied that they are skilled, engaged, and experienced enough to help your organization. Ask them what visibility you have into their performance, and ask to see actual reports they produce to ensure they make sense to you and your business needs. Lastly, you can ask to test the MDR’s services using penetration testing from another firm, or threat simulation services. This can get a bit expensive because you have to pay a second vendor if you don’t have experienced penetration testers on staff, but you get the full experience of their response services through a simulated attack.

Dan Moyer

@calnettech

Dan is the Marketing Director for Cal Net, a NexusTek Company and full-service provider of IT solutions to small and mid-sized businesses throughout Southern California. Since 1995, Cal Net has equipped clients with the right combination of technology support and strategic guidance they need to reach their full potential.

"Here are some things to consider when assessing a Managed Detection & Response Provider..."

Your Managed Detection & Response Provider should combine numerous data inputs from security detection tools, threat intel feeds, third party data sources, and the IT asset database to identify not only where there is a threat but its risk compared to others in the queue.
Assess your company's present and future technology needs and initiatives. Qualify, quantify and communicate those needs throughout your company. Is the Managed Detection & Response Provider able to address your range of needs?
Technology strategies should encompass people and processes as part of the organization's mission and strategies. Do they offer ongoing employee training as part of their service?
Does the Managed Detection & Response Provider continuously assess your organization's performance for meeting objectives? You want a partner that focuses on continuous evaluation and improvement of your objectives.
Review your company's goals and mission. Ensure they are clear and concise and can be communicated to all organizational stakeholders as well as your new IT partner.
Perform annual policy and process reviews to assess organization's readiness for external reviews and incident response.
Identify and create teams within your organization to define current challenges and align initiatives to those challenges.
Through playbooks and pre-defined workflows, you can quickly assess and begin to remediate security incidents based on best practices. Ask a Managed Detection & Response Provider if they include such materials as part of their package.
CIOs/CISOs should have unprecedented transparency to all aspects of the security environment. Through dashboards and visualization techniques, CIOs/CISOs will be more easily able to communicate with Managed Detection & Response Providers which vulnerabilities and threats exist and the risks of inaction.

Scott Madsen

@gardnermediaco

Scott Madsen is the CEO of Cingo Solutions.

"The top considerations for choosing a MDR Provider are..."

Communication and Transparency: Technical people have a bad habit of making non-technical people feel embarrassed to ask questions. After spending money and entrusting their company data to a MDR that isn't transparent, a client can be lost in translation. Any MDR lacking transparency isn't deserving of a long-term relationship. If accountants are expected to explain complex tax code to a layman, your MDR provider should do the same for you.
Customization and Flexibility: A good MDR provides customized solutions to your company-specific problems. Conduct an interview with any prospective MDR and present problems you are facing to make sure their approach makes sense, addresses your concerns and assures you that you're not being forced into a generic solution.
Internal Security: Request a copy of their SOC2 certification or any other third party security audit. If your MDR can't provide a copy of a current SOC2 report, tour the MDR's facility. If that facility doesn't have internal security on site (security clearances separating service centers from administrative offices, for example) you may want to consider that their security culture doesn't match their marketing.

Dennis Chow

@scissecurity

Dennis Chow is the CISO at SCIS Security, a Houston based cybersecurity consulting firm. He has led a nationwide threat information-sharing architecture and has a design grant with the U.S. Department of Health and Human Services. Dennis is an active practitioner that focuses on penetration testing and network forensics.

"One of the largest problems clients face is..."

Determining who is qualified for their price point. We've seen very affordable to very expensive MSSPs that perform detection and response services. Among all the clients we onboard, it's usually because of a bad breakup from a different provider. Here are some things we urge potential clients to consider:

Operational Scaling: Does the provider have enough staff to properly monitor the number of customers they need in a 24x7x365 SOC operation?
Evolving Threat Surface Solutions: Most SOCs don't have full packet capture inspection, only logs. And even if they do, do they advise customers to have SSL/TLS and SSH decryption capabilities to overcome evolving threats?
Content Engineering: Does the provider create custom use cases or other content engineering designed for their customer environments? Or do they rely only on canned SIEM vendor signatures. How is threat intelligence validated and weighted?

Sean Si

@SEO_Hacker

Sean Si is the CEO and Founder of SEO Hacker, Qeryz, Sigil, and Workplays. A start-up, data analysis and urgency junkie who spends his time inspiring young entrepreneurs through talks and seminars.

"Choosing a Managed Detection & Response Provider can be..."

Quite difficult because most business owners do not know what to look for in a Managed Detection & Response provider. However, with thorough research, everyone can know the criteria for a competent and effective Managed Detection & Response provider. Some of those considerations are:

The Team: You have to do your own research about your providers. Check if there are any reviews of their service and product. The better the reviews you see, the more competent and effective your provider will be. This is because Managed Detection & Response providers need to have a team that can communicate well with their clients while still possessing the necessary skills to detect threats to your business, or has the capability to train you to use their products.

Technology: You also have to be dedicated enough to research what the most updated and recent breakthroughs with the devices and tech used in this certain aspect and how much they cost. This is to avoid paying for exorbitant amounts while not knowing that you’re not getting your money’s worth.

Experience: Much like most things in the world, you can’t be good at anything without experiencing the pros and cons of it. This is the same with Managed Detection & Response providers. You will not know if they’re able to accurately, competently, and effectively detect threats without having experience. So, it would be best for you to directly ask them for cases or experiences they had while providing for other clients. This will also assure you that they know what they’re doing.

Ron Winward

@RonWinward

Ron Winward is a security evangelist at Radware, a cybersecurity company. Ron has 20 years of experience in the internet service provider space and helps execute the company’s thought leadership on today’s security threat landscape. With expertise in network architectures and DDoS mitigation, Ron has helped design solutions for carriers, enterprises, and cybersecurity service providers around the world.

"When it comes to choosing a Managed Detection & Response provider, there are six elements to consider..."

Assets: What assets are you trying to protect? Many providers tailor their solutions to protect either networks or applications. Don’t assume what works for one will work for the other. It’s important to understand what your vendor is capable of and what you need to secure.

Location: Are the applications hosted in a data center or cloud? The answer will define how you can protect the asset.

Latency: How sensitive is your business to latency when it isn’t under attack? If you use an always-on cloud-based protection, you could be increasing your latency and application responsiveness. Other cloud-based solutions include content delivery network (CDN) functionality designed to reduce latency. Make sure you understand the impact of latency on your solution.

Diversions: How sensitive are your applications to disruption due to diversions? For example, if you only divert to a provider on an incident-level basis, perhaps for cost or policy reasons, the diversion can sometimes cause disruptions. Are you prepared for that? You can often reduce or eliminate diversion disruptions with a runbook or incident response plan.

Expertise: Do you have the in-house expertise to manage on-premise appliances? Industry analysts suggest that hybrid protections are the best solution for many businesses because they offer constant protection, visibility, control, and flexibility. However, if you have a device on-premise, you need to make sure you can manage it effectively at all times, including when there’s an incident and the server is under attack. If you don’t have this expertise, you can often partner with a vendor to manage the on-site device as well as the cloud protections.

Security: How sensitive is your business to application-level and SSL-based threats? Many solutions don’t offer SSL protection, even as traffic on the internet is increasingly encrypted. You need to check and see whether your vendor can open an encrypted session on your behalf to determine the legitimacy of the encrypted traffic. It’s also important to consider whether you need to provide them with your certs and keys to do so and if you’re okay with it.

Julia Tokareva

@RubyGarage

Julia Tokareva is a Software Development Consultant for RubyGarage.

"If you’re thinking of choosing Managed Detection & Response (MDR) providers to..."

Increase your organization’s security posture, here are a few important factors to consider:

1) MDR providers enhance your current tools and expertise. If you haven’t had the opportunity or resources to do a deep dive into your organization's security, take into account only those providers with a more comprehensive technology stack. If you already have tools, choose a provider that can enable you to have a different set of tools than what you have.

2) Data and privacy regulations should be respected. You should make sure that you choose a provider that can meet the compliance requirements you need to observe.

3) Not all MDR providers offer the same services or technology. Select only the one that is ideally suited to size of your organization, security controls in place, and requirements. You can also ask for proofs of concept to validate a provider's claims.

Dmitry Nikolaenya

@ScienceSoft

Dmitry Nikolaenya is the SIEM department coordinator at ScienceSoft with more than 10 years of experience in delivering SIEM solutions for customers in healthcare, banking, financial services, telecommunications and public sector. Today, Dmitry is actively working with IBM QRadar, a security intelligence platform. As a SIEM expert, Dmitry has also participated in the creation of IBM Security QRadar SIEM tests, a part of IBM Professional Certification Program.

"These are the two most critical considerations for choosing an MDR provider..."

1) Use of advanced technologies, such as Endpoint Detection & Response, behavioral analytics, specialized forensics tools, and proprietary security event management platforms.

2) Investigation of all threat types. In many cases, MDR providers focus heavily on advanced threats, such as lateral movement by hackers, credential theft and escalation, and C2 activity. A good MDR provider won't let less sophisticated attacks slip through its fingers and ultimately cripple your business.

Nate Masterson

@MapleHolistics

Nate Masterson is the Marketing Manager for Maple Holistics.

"When searching for a for a Managed Detection & Response provider..."

There are a few things you should know about the MDR provider. Here are some questions you should ask each provider to get a better idea of what to expect. It’s important to shop around and see what everyone provides and at what price.

Does your system detect both known and unknown threats? What methods do you use?
Can you detect threats across multiple platforms?
Ask for an example of what kinds of threats they can protect you against.

By asking these questions you can get a good idea of what the standard practices are and you can then compare different vendors based on their answers.

Cassidy Collins

@infinitysav

With more than 16 years in the IT industry, including over five years as a Certified IT Banking Officer, Cassidy Collins has a wealth of experience running thorough risk assessments. He is currently on the team at Infinity, Inc., a MSP based in Savannah, Georgia.

"When looking for a Managed Detection & Response solution..."

You need to consider what you're trying to accomplish. Are you only interested in meeting the minimum required to comply with a regulation, or are you looking for a solution that will provide lots of ancillary services for a more complete protection solution?

Top considerations for choosing a MDR provider:

Your institutional risk and needed mitigation strategy, including any regulatory compliance requirements.
Consider the types of information you have on your systems. What are the risks of the compromise and/or loss of it? How will this impact your business operations?
SLA Response Times, including failure rates.
The vendor may state great response times in their SLA but regularly fails to deliver service in the times stated, so be thorough in your reference checks.
Residual responsibilities for end users.
How much initial setup and ongoing work will be needed from on-staff personnel?
Budget/cost of solution. You may not need all the services they are offering, such as a retainer for on-site teams to assist in the event of an issue.

Jon Zayicek

@JonZayicek

Jon Zayicek is a computer and cybersecurity expert with 17 years of hands on experience in both network administration and security policy development and implementation who now has a focus on cloud implementations as well as cloud security. He currently serves as Practice Principal, Risk and Security at Cask.

"The top considerations for choosing a Managed Detection & Response provider include..."

Technology offering:

Integration points are a necessity to pull in alerts from existing security tools.
Is there an API and the supporting API documentation?
Detection: Can the offering detect known and unknown threats?
Is the response tailored to your processes or are they out of box with no flexibility?

People:

What industry certifications does the company and the people hold?
What is the makeup of the security team?
Will training be provided at the end of deployment?

Service Level Agreements:

Does the vendor provide 24x7 support, monitoring, etc.? This is very important to consider, given that if the tool is not accessible, alerts will be missed.

Eoin Hinchy

@eoinhinchy

Eoin Hinchy is founder of Tines, a security automation start-up that allows cybersecurity teams automate their manual workloads. He has previously held security leadership positions in eBay and DocuSign.

"The top considerations for choosing a Managed Detection & Response provider are..."

Your security program's maturity level. The maturity level of your internal processes and technology stack, will be a key factor in determining the right Managed Detection & Response (MDR) provider for your goals. There's no point investing significantly in threat detection if you have no internal capability to respond to potential incidents. Similarly, if you have an existing internal detection and response capability, it might be worth choosing an MDR to supplement your internal capabilities, rather than outsourcing the entire program.

Your industry: Your organization is likely to face specific threats based on the industry in which you operate. It's important to choose a Managed Detection & Response provider with experience and expertise detecting and responding to the threats specific to your industry face, as well as generic threats such as phishing.

Your trust: When defining any organizational boundary, it's important to understand the potential of vendor hold-up. Key to avoiding this risk is establishing trust in your MDR provider.

Christopher Gerg

@gwforensics

Christopher Gerg is the Vice President of Risk Management at Gillware. He is a technical lead with over 15 years of information security experience. He is experienced in the challenges of information security in cloud-based hosting, DevOps, managed security services, e-commerce, healthcare, financial, and payment card industries.

"Apart from the normal due diligence you would perform for..."

Any service provider or important vendor (references, SLAs, clean contractual language, proper insurance, etc.), consider these additional items:

Ensure that Managed Detection & Response is their core competency, and that they are not a general technology company that is jumping into the MSSP industry. This will help ensure that they are staffed with qualified personnel as there is a significant talent shortage in the Information Security industry.

In addition, look closely at the underlying technology. Is it something they grew themselves? It is in the technology “goldilocks zone”? (not based upon older technology, but also not absolutely bleeding edge and thus not proven). A good example is an IDS technology that is entirely signature-based, and which only watches the network (most traffic these days is encrypted and as a result network-based IDSs will not see the traffic). You should look for IDS technology that is installed on and watches the activities of the individual nodes on the network. Behavior and anomaly-based mechanisms would be preferred. This is just one example.

Test your Managed Detection & Response provider, even during a proof of concept period, to see if they notice anomalous behavior that would be important to you. Consider bringing in an expert to perform these tests.

Kendall Blaylock

@HORNECyber

Kendall Blaylock is the Director of Cyber Intelligence at Horne Cyber.

"When identifying a Managed Detection & Response provider it is important to..."

Look for a team that can identify events from multiple sources and apply those events to the big picture impact or possible attack against your organization. The greatest consideration for a Managed Detection & Response provider is to ensure that the provider you select can operate in a timely manner with practices that provide the level of response your organization expects. Because the provider is an extension of your IT support team, it is important that the security event information is communicated in a comprehensive way that is understandable and actionable.

Installing a product that provides security alerts with no context will only cause more headaches for your organization. It is also important to determine the full range of capabilities of the provider you are considering. It is critical to select a provider that can respond to various types of attacks from the moment the attack occurs to the point when the incident has been fully investigated and your organization is back up and running. Different organizations have different needs and a provider should be able to customize their output to the meet the needs of your organization. Having a flexible, but highly capable Managed Detection & Response provider will be invaluable to your organization in a time of crisis.

Sean Spicer

@Agile_IT

Sean Spicer was a OPSEC and COMSEC professional before turning his interest in social engineering into a career in digital marketing. He studied Philosophy of Media at U.C. Berkeley and holds a Computer Science certificate from Harvard. He presently heads Marketing for Agile IT, a four-time Microsoft Cloud Solution Provider of the Year.

"The most important two considerations for selecting a Managed Detection & Response provider are proof and people..."

There are many managed IT services on the market, and many of them also offer security features. The team you select should have proof that they have managed security successfully in the past and that they have a true passion for protection. The threat landscape changes daily, and having a security partner that only pays attention to patches provided by their tool providers are fighting a war of attrition. Entire toolsets can be rendered obsolete overnight, meaning that security professionals must pay as much attention to the threats as their tools.

The people aspect is more complex. You should pay attention to the company's responsiveness through the entire discovery and sales process. The Ponemon Institute reports that it takes four minutes for a breach to occur after a phishing attack, but detention can take up to seven months. If your security provider relies on weekly reports, you could be neck deep in a ransomware attack by the time they see that a breach has occurred. Be clear during your evaluation period, and ask what response time is promised, what their off-hours threat monitoring looks like, and what their threat response protocol looks like in the event of a successful attack. Security is a unique service offering, as the main difference between a good a great provider is how they respond to the failure of their tools.

Rodrigo Montagner

@RodrigoMontagn3

Rodrigo Montagner is an Italian-Brazilian IT Executive with 20 years of experience managing multiple IT environments internationally, with significant experience in ERP, infrastructure, cybersecurity, automation and digital management. He is currently CEO of OM2 TECH Consulting.

"With the prevalence, endurance and muscular growth of..."

Cybersecurity needs on each and every organization, DR or in some cases simply EDR (Endpoint Detection & Response) software has floated from large enterprise environment and governmental fields into the sometimes spooky universe of SMB IT as well. In that sense, the options have flourished with good and fairly decent service providers. A few key points have to be taken into consideration when choosing a MDR or EDR system:

1. Company Size: In general, most traditional vendors have less flexibility on pricing and product volume for small and medium businesses. So you have to be careful to analyze the size of your company aligned with the potential vendors and its main customers. Within time, each vendor tends to specialize on a segment almost naturally.

2. Industry: Your business process, encompassed by the type of industry you are part of. Manufacturing is totally different from professional services, construction and technology businesses, for example. As a reminder, do a good research on your potential vendor's list, crossing it over with customers similar to you. The risk of lack of knowledge about your pains is smaller if you do your homework upfront.

3. Mode of Delivery (Cloud Only, On Premise, Hybrid): Each and every one of these options can be good and fluid, but depends of a series of factors from your infrastructure and within the way your business operates.

4. Standard of Security Levels (SOSL): If you have never implemented that before, you should start with a medium level of standard security on those systems, and enhance it on the fly, after the first trail period of usage, just after your project goes live.

It's a very interesting and rich field to implement. The more you can be detail oriented and business observer, the more efficient results your MDR solution will be.

Rob Black, CISSP

@IoTSecurityGuy

Rob Black, CISSP is the Founder and Managing Principal of Fractional CISO. He helps organizations reduce their cybersecurity risk as a Virtual CISO. Rob earned an MBA from the Kellogg School of Management and two engineering degrees from Washington University. Rob is the inventor of three security patents. He consults, speaks, and writes on IoT and security.

"When selecting a Managed Detection & Response provider, here are some of the top considerations that we discuss with our clients..."

What is the methodology that the solution uses in regards to unknown threats? Of course, handling known threats should have a streamlined process. For unknown threats, however, the security team can only investigate a small percentage of potential threats. The tool needs to be tuned and tunable to the volume that the client’s security team can handle. If the machine learning algorithms are “too loose” then the client will be inundated with work that may or may not improve their security posture.
The first item in our list ties into the second item: Is the data from the software validated by humans at the vendor? Maybe the vendor has awesome machine learning so humans don’t need to be involved. We have not seen any solution today that does not require a person to filter the results. Human evaluation of the threats by the vendor minimizes the amount of work that needs to be performed by our clients.
Separate from the quality of the output, is what kind of coverage does the solution provide? It is great if it handles threats from laptops but enterprise security is much broader than that. If the solution has narrow coverage, then we will have to stitch a solution from multiple vendors. Custom building a solution is a lot of work! Also, it is debatable how effective the various solutions are together. I have some clients that have over 50 security tools in their environment. For these situations, it is difficult for the client organization to get the proper value out of all of these solutions without an enormous staff.
Finally, what is the client’s return on investment (ROI) for the solution? Understanding the current risk the organization is undertaking is critical for evaluating the ROI. If threat detection on the covered assets would reduce the risk greater than the fully burdened cost of the solution then we may have a fit between the client and vendor.

Zachary Stern

@1SEOITDigital

Zachary Stern is the Technical Support Team Lead of 1SEO I.T. Support & Digital Marketing.

"When choosing a Managed Detection & Response provider..."

The two biggest concerns should be the staff and the technologies the company employs. The best managed-service providers will have an in-house staff of experts, not outsourced help. From around-the-clock analysts and responders to proactive threat researchers, your Managed Detection & Response team is only as effective as the people it employs.

You’ll also want to ask about the technology the company uses and how it will integrate into your existing systems. If you have a specific security concern for operation, be sure to discuss it with your provider, and ask for detailed explanations as to how their product will integrate into your systems to protect against these threats. If you sign on with an IT company trusting they’ll have your entire operation covered, you’re risking a security breach.

Tags: Cybersecurity