3 Keys to Getting Maximum Value from MDR
Principles to help you get the most from your managed detection and response provider
By: Bud Ellis, Product Marketing
We may not even realize it, but managed security services are in place all around us. And if you're already using managed services for your organization's security, there's a good chance you're going to be using even more of these services in the near future.
As such, taking advantage of a managed detection and response (MDR) solution is commonplace. But do you know what technology is sitting under that surface? Not all MDR solutions are equal. Some rely solely on endpoint detection and response (EDR) technology, which is great if you're only worried about your endpoints — but the attack surface is much broader. Other solutions are based on SIEM technology, but these still require feeding and configuring, and they lack response actions.
The technology MDR is delivered on does matter. And based on expanding attack surfaces along with the need for rapid response, we believe the best MDR requires a much more robust platform underpinning the solution. One such platform is Extended Detection and Response (XDR), which ingests broad telemetry across endpoints, network, cloud, identity, OT, email, and business applications.
Managed services are especially appealing as you adopt XDR, since XDR's broad telemetry and sophisticated event correlation make it inherently more complex than conventional EDR. And for many organizations, it makes sense to turn the whole thing over to a managed detection and response provider whose economies of scale can easily maintain the specialized expert staff vital to successfully delivering 24/7 security monitoring and response.
But while managed security services are a wonderful benefit to many organizations, be cautious that you don't undermine your total security posture by failing to remain engaged or maintain quality infrastructure as a foundation of the service. This is why more and more providers are differentiating the service they offer by the technology foundation. And from our standpoint, MDR – when done correctly – relies on an XDR platform as that foundation.
So while MDR certainly has value for organizations, MDR with XDR as its foundation is where forward-thinking organizations should look as they seek to improve overall security posture. Beyond leaning into an MDR offering that includes XDR technology, here are three additional principles to abide by when working with your MDR provider.
Principle #1: Demand an MDR partner that delivers 100% transparency
Organizations often outsource detection because it's simpler to buy the turnkey capability than to invest in a lot of in-house capabilities. In fact, 57% of those surveyed by ESG chose MDR because they believed it would do a better job than their in-house teams.
As appealing as this turnkey approach may be, there are several downsides to treating MDR purely as a "black box" that produces alerts for a monthly fee. Those downsides include:
- Underestimating the value of collaboration. You need more than just alerts from your MDR provider. You need the collaborative capability to apply expert insight into what those alerts signify and how to respond to them. Detection is of little value if you can't take cogent response actions.
- Missed opportunities for continuous improvement. If your MDR provider's technology is a mere "black box" to you, you'll miss out on the feedback loops that enable you to continuously improve performance. In fact, whether you employ XDR internally or rely on MDR to deliver the technology, security events should be learning experiences that help you incrementally increase SecOps efficacy and reduce false positives.
- Vendor lock-in. If you don't have any visibility into what your MDR provider is doing, it's going to be painful if and when you ever want to change vendors. That's why you should have direct visibility into the same alert console your MDR provider's staff is using. And this is important, because not every vendor offers this kind of direct visibility.
You need your MDR provider to be more than just a disengaged figure you look to for raw information. You need them to be an interactive, high-touch partner who's engaged in your overall risk mitigation program with 100% transparency.
Principle #2: Re-invest wisely and aggressively
An MDR solution built on XDR technology can save you money in two ways. The first source of savings results from the fact that MDR providers deploy XDR with significant economies of scale, so they can deliver XDR-as-a-service at a lower cost than if you did it yourself.
The second source of savings results from the fact that when you adopt MDR with XDR technology, you can retire or reduce your spending on several other technologies — such as EDR, network monitoring, log management, and cloud monitoring.
Consultants emphasize re-investing these cost savings into other aspects of your cybersecurity program that may need attention. These investments can include:
- End-user cyber hygiene training, along with ongoing assessment of problematic behaviors
- Adversarial testing and tabletop drills
- Enhanced/accelerated patching and CVE response processes
Principle #3: Automation
There's one area of re-investment that warrants its own individual mention: automation.
Automation is a vital component of any cybersecurity strategy. Repetitive, manual processes cannot scale to the volume of threats that organizations experience as cybercrime-as-a-service enables more threat actors to launch a larger number of attacks. They also can't keep up with the rapid threat surface growth that accompanies business growth.
Without automation, your costs will keep going up — potentially uncontrollably. Your risk of a breach will also increase, no matter how much money you spend on MSSPs, internal headcount, or both.
The automation issue isn't one that you can address by simply turning over your XDR deployment to a typical MDR service. Instead, consultants advise that you leverage your MDR engagement to focus on automating more of your threat hunting and resolution processes.
This may require re-allocating some of the budget you save through XDR outsourcing and the associated retirement or reduction of some of your software tools. This can allow you to either build the programming skills of your in-house staff or purchase the work hours you need to build some useful workflow runbooks.
But you can't automate immature, inadequate processes. The trick is to work with your MDR provider to create smarter groupings for your alerts and then use those groupings to build automated response processes.
What if you're not quite sure how to connect your MDR engagement with your internal process automation and maturity? That's easy: give us a call.
Secureworks® can help you adopt all three of the principles listed here. And we believe that if you're going to adopt an MDR solution built on XDR, you should do so with a leader in the MDR space — one that offers a purpose-built, open platform.
To see how Secureworks Taegis™ ManagedXDR stacks up in the market, check out Forrester Wave™: Managed Detection and Response, Q1 2021.