7 things to consider when choosing managed detection and response

Many organizations lack the internal expertise to address threat detection and response effectively; MDR can fill the gap. Here’s what to look for when you shop for MDR services.

Threat detection and response is a priority for most CISOs because they recognize that the faster a breach is detected and dealt with, the easier and cheaper it is to fix. And since it takes an average of 280 days to identify and contain a breach, according to Ponemon Institute research, there's plenty of room for improvement.

While there are many powerful technologies available to assist with detection and response, real expertise is required to squeeze the greatest value from them, and skilled security professionals are in demand, which makes recruitment expensive and difficult.

It should come as no surprise in this climate that managed detection and response (MDR) services are taking off in a major way. Gartner estimates that by 2024, as many as 25% of all organizations will be using MDR services.

If you’re sold on the idea, here are seven considerations to help you find the right MDR partner.

Comprehensive monitoring

For proper 24/7 protection, solid telemetry is key. Effective MDR services gather data from every device on your network, they monitor traffic continuously, and they build a complete view of your organization. It’s vital that your chosen MDR service can pull in data from all of the endpoints, cloud services, and networks in operation across your business. A holistic view serves as a solid foundation for in-depth analysis that’s capable of uncovering anomalies and identifying threats.

Swift response

Detection is of limited use if it doesn’t prompt a swift response. A fast response limits the potential damage, so MDR services should be primed to react in real time. Some responses can be automated, while other threats will be flagged for expert investigation. That means 24/7 access to experts is crucial. After investigation, threats need to be eliminated or contained. It’s also important to notify the right people based on the threat level, so necessary changes and major decisions can be made in a timely fashion. Make sure there’s a service level agreement (SLA) that stipulates a swift response time.

Expert remediation advice

Having detected and dealt with a threat, the next step is to remediate. If the underlying conditions that allowed the incident to develop are not addressed, then it can happen again. A good MDR service will highlight the cause of any detected incident, whether it’s misconfigured software or a hacked user account. Recommendations must be made swiftly to the right people, so that necessary changes to policies, software updates, or tightened network access can be put into effect immediately.

Support commitment

Any MDR service should provide around-the-clock support when you need it, but different providers will have different policies. Consider whether you would be content with remote chat support or a phone call versus a hands-on site visit to guide you through a security incident and get things back on track. A visit is often faster and more effective in resolving a problem, but make sure you understand whether this is included as part of the service or requires an additional fee.

Tailored for your needs

Everyone has a budget to work with, and security postures and risk tolerance vary from organization to organization. Try to find an MDR partner willing to work within your available budget, with your existing infrastructure and toolset, and that is capable of filling the gaps in your internal expertise. Depending on your business, you may also require some flexibility and the option to scale coverage up or down quickly based on your business needs.

Compliance and regulatory requirements

Staying up to date with the latest regulations and ensuring compliance can be a full-time job in itself, but dedicated MDR services should fully understand precisely what’s required. An initial audit of your network should prompt advice on how to bolster security and ensure compliance. By adopting leading practices and keeping an eye on the regulatory horizon, a good MDR service will unravel the mysteries and complexities of compliance and ensure your organization fulfils its duties.

Ancillary services

Many MDR providers are well-placed to offer useful advice and other services beyond managed detection and response, or they may have preferred partners they work with to provide more services. Consider vulnerability assessment, penetration testing, and intrusion prevention. If an MDR service is working well for you, then it makes sense to look at ancillary services down the line. Just as you’ll want flexibility to change tiers of service based on your future needs, you may also want to assess any additional services on offer.

Choosing the right MDR service can be challenging, but it’s worth taking time to ensure that you find the best partner for your business. Get it right, and you’ll reduce cybersecurity risk and increase your organization’s resilience.

Copyright © 2020 IDG Communications, Inc.
