In today’s ever-changing digital landscape, cybersecurity couldn’t be more important for any business, but effective cybersecurity often feels out of reach for organizations. Whether an organization is experiencing talent and skills gaps among its internal staff, budget constraints, tool sprawl, an internal team unable to provide 24/7 monitoring and response, or a lack of scalability, many have realized that the path to reaching their identified security outcomes is partnering with an external resource such as a managed detection and response (MDR) service.
MDR is a service that identifies security threats across an organization’s environment by combining technology, security operations, and human expertise to deliver actionable guidance to remediate and eliminate security threats. It’s a proactive, managed approach that enhances an organization’s ability to detect, respond to, and mitigate threats. And the use of MDR for security is on the rise; according to Gartner, by 2025, 60% of organizations will be actively using remote threat disruption and containment capabilities delivered directly by MDR providers, up from 30% today.
MDR is one of the most effective solutions to improve an organization’s security posture. And with the increasing recognition of MDR’s effectiveness, the number of MDR vendors has skyrocketed. Before your organization selects an MDR service provider, you need to have a clear understanding of what each offers and what criteria are the most important. Following are six criteria you can use as you assess MDR vendors along with an evaluation template to easily evaluate MDR vendors by each criterion.
Security Operations Center & Expertise
An MDR vendor cannot provide an optimal level of security without having an established, experienced security operations center (SOC). Some providers tout MDR versus SOC but what is needed to improve your security posture is MDR with a mature SOC that utilizes both automation and human expertise. When evaluating an MDR vendor, assess their SOC by determining:
- Does the MDR vendor’s SOC provide around-the-clock services, always ready for incident triage and response?
- How experienced is the SOC (both the team and their service)? What is the average tenure? What is the level/depth of access to threat intelligence and insights into learnings from all their customers? What is the relationship between the vendor’s SOC analysts and threat researchers?
- How does the SOC collaborate with the customer for incident response? Does the vendor offer designated security analysts who are familiar with your organization’s security objectives or desired outcomes?
- Does the SOC perform proactive and/or continuous threat hunting for known and unknown threats?
Incident Monitoring & Response
Without proactive threat intelligence, an MDR vendor won’t be effective with their incident monitoring and response. Advanced threat intelligence is developed through multiple threat intelligence sources combined with intel gathered from customers and detailed analytics that augment data collection. With comprehensive threat intelligence, the MDR vendor can develop insights and implement new techniques for continuous protection against known and unknown threats. Make sure to inquire about:
- Does the vendor offer flexibility to escalate incidents by phone, email, ticketing, or messaging integration?
- How do the vendor’s response capabilities affect mean-time-to-detection?
- Does the vendor offer embedded automated response (SOAR)?
- Does the vendor offer preventive/pre-breach capabilities to minimize the likelihood of a threat as well as detection/post-breach capabilities to minimize the impact of a potential threat?
Pricing
Some MDR vendors charge customers a fixed amount based on employee count or the company’s revenue. This inflexible approach does not take into account the unique aspects of an organization or its desired security outcome. It also makes it more difficult to effectively budget for security. When gathering information on a vendor, determine the following:
- Is the vendor price based on number of employees, nodes, or revenue? Are tiered services offered for organizations to select the level that is right for their business?
- Does the MDR vendor have flexibility in its pricing structure?
- Will continuous enhancements to the solution, including new features and capabilities, add to the cost?
Visibility
For an MDR service to be effective, there must be visibility across an organization’s entire IT estate, including its networks, endpoints, and cloud workloads. This should be delivered through a single console that enables the user to quickly identify, detect, and respond to threats. To ensure visibility, an MDR solution should provide:
- Single pane-of-glass view to identify threats, risks, vulnerabilities, and incidents
- Asset discovery and visibility
- Cloud configuration checks
- Container support and/or threat detection
- Endpoint detection
- Log monitoring
- Network monitoring (IDS)
- Vulnerability scanning
Reporting & Compliance
The compliance landscape changes constantly, with new and updated regulations, standards, and laws on the books to ensure protection from breaches and data loss for organizations, individuals, and industry groups. An MDR vendor should help a customer achieve compliance quickly and with minimal disruption to the business. When comparing MDR vendors, find out if they:
- Provide simplified, self-serve, audit-ready reports that are easily accessible
- Maintain the Payment Card Industry Approved Scanning Vendor (PCI-ASV) certification to support customers with their PCI-DSS scanning requirements
- Provide compliance scanning regularly and log storage
- Measure and track progress toward compliance and industry benchmarks
Technology & Innovation
Working with an MDR vendor with years of experience, proven technologies, and a commitment to continuous innovation is critical to enhance your organization’s security posture. Today’s rapidly changing and dynamic threat landscape makes technology improvements and innovations a must. In reviewing an MDR vendor, ask:
- How scalable is the solution to adapt/grow as your organization grows?
- Is the technology purpose-built and optimized for cloud environments, with native integration for public cloud providers?
- Do they offer consistent product updates and make them available to customers at no additional cost?
- Do they support public cloud vendors and other third-party technologies and sources? Is API-based integration with SaaS applications included?
As you evaluate MDR vendors and their solutions, ensure you ask the right questions and receive thorough answers to be certain your organization will receive the level of protection you need, today and in the future. While cybersecurity is challenging, with the right MDR vendor working with your organization, it can be effectively executed and managed.
MDR Vendor Selection Criteria
We’ve consolidated the above six criteria, along with their accompanying features, into a vendor comparison chart that can be used when assessing MDR vendors.
For more information on MDR vendor selection, consider the following resources:
How to choose an effective provider for Managed Detection and
U.S. Managed Detection and Response Vendor Assessment