As the name implies, Managed Detection and Response (MDR) is a cybersecurity service providing detection and response capabilities that minimize the impact of an incident. But what does that mean? We’ll dig into the topic and share questions you should ask your service provider.
MDR is a combination of technology and services. The technology provides a range of protection, detection, and response capabilities, and the "managed" piece covers both how that technology is operated and the people who use it:
- The technology centralizes the information and enables experts to operate and maintain the solution using a management console. Security analysts and incident response teams also use this console to analyze and respond to threats and attacks.
- The service is the human element. It describes the type of activities a provider will perform to meet the service objective: minimize the impact of an incident. If that sounds vague, it’s intentional. Read on.
Why are organizations interested in MDR?
CISOs and CIOs realize that risks don’t disappear by adding cybersecurity technology, no matter how much AI and automation are included. There’s no silver bullet, no easy button.
Without a team trained to use the technology to quickly investigate and respond to threats and attacks, a company is betting on a solution’s “autopilot” to never crash into anything or anyone. It’s not a realistic objective.
That doesn’t even account for the need to maintain the technology. There’s no magic here: whether you hire and train them yourself or outsource the work, you need people.
So how do you find the solution that’s best for your organization? Start by asking the right questions.
The five key questions to ask
1. What threats are covered?
While an MDR service’s objective is to minimize the impact of an incident, there are limitations to the types of threats that a given service provider will cover. More coverage means more technology to deploy and potentially more complexity. Additional questions to ask on this topic:
- Is the service strictly focused on ransomware and malicious activity?
- What is their definition of malicious activity?
- Will they inform you of policy violations, shadow IT, and potential privacy issues?
2. What are my day-to-day responsibilities as a client?
Don’t assume the service provider does everything for you. They should explain what they do and what they expect of you as their client. Typically, you are responsible for deploying the software and making any changes to your firewall rules. You may also be responsible for software updates, which means one more piece of software to keep track of.
Threat hunting: Do they search through the available historical data to find indicators of compromise, or is that something your team has to do? Is it an optional service?
While this sounds like an advanced capability, it must be performed to ensure nothing was missed. Most providers can’t review all of the alerts generated by their EDR or XDR technologies, so they only review the most severe ones (think the top 10-30%).
Not investigating all threats means malicious activities can slip through the cracks. Threat hunting is intended to catch them after they’ve already made it onto your system, but before the attack causes serious damage.
3. What are my responsibilities regarding incident response?
How the service provider defines the term “response” is a critical differentiator. Unfortunately, for many, it simply means processing alerts and sending them to their customers. That leaves the burden on you to engage their security team to contain and eradicate the threat.
An alternative approach is for you to authorize the service provider to perform certain actions on your behalf, reducing the time to respond. To be successful, it requires you to share information about your systems and context. For example, should the provider limit network communications or shut down a device when new or unknown malicious activity is detected? What if it’s seen on a device for someone in the C-Suite?
This is where automated responses become complex to enable, as there’s no “one size fits all”. However, the technology can handle the complexity as long as you provide the context and the rules of engagement.
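To make the "context and rules of engagement" idea concrete, here is an added example (not CYDEF's or any provider's code) of a small policy engine that maps a detection plus the customer-supplied device context to a response action. The tag names, rule order and action names are assumptions chosen to illustrate the cases in the text, including the C-suite device that should never be shut down without a human decision.

```python
"""Hypothetical rules-of-engagement engine for MDR automated response.
Added example; not CYDEF's or any provider's code. Device tags, rule
order and action names are assumptions chosen to illustrate the page."""
from dataclasses import dataclass, field
from enum import Enum


class Action(str, Enum):
    ALERT_ONLY = "alert_only"      # send the alert, take no automated action
    ESCALATE = "escalate"          # page an analyst, wait for human approval
    ISOLATE = "isolate_network"    # limit network communications
    SHUTDOWN = "shutdown"          # halt the device (loses volatile evidence)


@dataclass
class Detection:
    host: str
    severity: str      # "low" | "medium" | "high"
    known: bool        # matches a known indicator/signature, else new/unknown


@dataclass
class DeviceContext:
    tags: set = field(default_factory=set)   # e.g. {"c-suite"}, {"allow-shutdown"}
    auto_response: bool = True               # customer authorized automation here


def decide_response(det: Detection, ctx: DeviceContext) -> tuple:
    """Return (Action, reason). Rules are evaluated top-down; first match wins."""
    # 1. The customer decides where the provider may act without asking.
    if not ctx.auto_response:
        return Action.ALERT_ONLY, "automation not authorized for this device"
    # 2. Low severity is reported, never acted on automatically.
    if det.severity == "low":
        return Action.ALERT_ONLY, "low severity"
    # 3. Executive or business-critical devices: a human decides before
    #    anything disruptive happens (the C-suite laptop case in the text).
    if ctx.tags & {"c-suite", "critical-service"}:
        return Action.ESCALATE, "protected device tag requires approval"
    # 4. New/unknown activity of medium severity gets analyst eyes first.
    if not det.known and det.severity == "medium":
        return Action.ESCALATE, "unknown activity, medium severity"
    # 5. Shutdown only where the customer explicitly tagged the device for it.
    if det.severity == "high" and "allow-shutdown" in ctx.tags:
        return Action.SHUTDOWN, "high severity on device tagged allow-shutdown"
    # 6. Default containment: isolate rather than shut down, so memory and
    #    logs survive for the investigation.
    return Action.ISOLATE, f"{det.severity} severity, known={det.known}"
```

The `reason` string is what you would write to the audit trail so both you and the provider can later see which rule fired for a given action.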
4. What data is collected, and how is it handled?
Cybersecurity technologies are all about data: about your devices, networks, applications, users, processes, and the list goes on. There is a preconception that more data creates more information and that, with more context, machine learning and artificial intelligence will make better decisions.
At CYDEF, we don’t believe it’s that simple: collecting more data isn’t as important as retrieving the right data. Nonetheless, when looking for an MDR provider, you need to be concerned with the data collected and who has access to it:
- What data is being collected, exactly?
- Where (and how) is it sent?
- Who has access to it? Any third parties? Can you access your data?
- Will you be notified of a change in data collection or access?
- What happens to the data if you stop using the service (and technology)?
5. What is the total cost of ownership?
We believe MDR and threat hunting are vital components of a cybersecurity program to reduce risks. It makes sense, since it’s what we do!
But why would you go through the effort and incur the cost?
First, the service must help you mitigate identified risks. Furthermore, if you’re thinking of MDR, you want to outsource the responsibility to a specialized firm.
To compare apples to apples, collect the following information:
The time you need to spend managing:
- The technology (patches, alerts, operations)
- The service provider (tickets, service delivery)
Expertise your staff requires:
- To deploy the technology
- To use the underlying MDR technology
- Cybersecurity expertise to respond to and manage incidents
Lastly, software costs. It may be fine to assume the solution only requires installing an agent on devices, but ask for the minimum network and internet bandwidth requirements.
Answering these questions will better equip you to understand the effort and costs involved in mitigating a certain number of risks. Ideally, your organization has identified and understands the potential impact of risks such as data loss, data theft, and operational disruptions caused by malware, ransomware, and phishing. While no one can guarantee eliminating these risks, investing in a service such as an MDR with threat hunting can significantly reduce the chances of a successful attack.
For our part, threat hunting is built into our service; we review all anomalies, not only the top 10-30%. This means earlier detection of unknown threats and a capability to help you reduce policy violations. In turn, reducing incidents of all severities ultimately improves your security posture.