Demand for managed detection and response (MDR) is growing rapidly. This growth is being driven by multiple factors — including intensifying threats and a global shortage of cybersecurity talent.
That's why outsourcing threat detection and response to a third-party provider with the right skills, the right tools, and the ability to offer 24x7 coverage makes sense.
Unfortunately, because the MDR market is projected to explode from under $5B in 2021 to almost $22B by 2030, there's no shortage of vendors making a lot of noise about their offerings. Here are five key concepts to keep in mind as you seek an MDR provider that will deliver the most value for you and your organization.
KEY #1: The Foundation of Your MDR Matters
There is a belief that the underlying technology that MDR is delivered on isn't important, just as long as threats are detected and proper response actions are taken. We challenge that belief. Some MDR providers still base their services on endpoint detection and response (EDR). Others claim they use extended detection and response (XDR) — even though their technology stack could better be described as “EDR plus.”
But neither EDR nor “EDR plus” will cut it to back a successful MDR solution. Collectively, we've become so good at endpoint security that threat actors now avoid endpoint-focused exploits. In fact, in recent Secureworks event data, about 60% of today's attacks occurred outside of endpoints — meaning they bypassed EDR telemetry altogether. True MDR requires more than just endpoint detection with a few other data sources added. It needs a true XDR underpinning.
XDR's ability to detect intruders' “breadcrumbs” anywhere and everywhere they appear is central to any MDR provider's value proposition. That means one that unifies all security-relevant data from across your environment. This includes endpoints, cloud, networks, directory services, IDS, and more. Furthermore, true XDR applies analytics to that data to quickly detect malicious activity. It can help you accurately identify the exact nature of malicious activity so that you can act decisively to neutralize it, while working aggressively to minimize time wasted on chasing meaningless alerts. True XDR is essential for MDR.
KEY #2: MDR provider threat intelligence is not a commodity
Another myth is that all MDR providers have access to the same threat intelligence — and that their effectiveness is thus only contingent upon how “smart” their analytics and artificial intelligence (AI) happen to be.
This isn't true. While a good deal of general threat intelligence is open source, the effectiveness of any MDR solution is highly contingent upon several proprietary aspects of threat intelligence, including:
- How current it is. You never want to be late to the threat intelligence party. So it's important to work with an MDR provider who's never the last to know — as is often the first.
- How granular it is. It's one thing to have general knowledge about a new exploit. It's another thing to have direct knowledge about the specific behavioral indicators of each component of that exploit — especially if you want to quickly detect and identify it.
- How quickly and effectively it gets converted into live detectors. The process by which your MDR provider translates new threat intelligence into new detection analytics is crucial.
That's why you want to make sure your MDR provider is using a true XDR platform that continuously, actively leverages truly world-class threat intelligence of their own and from other sources.
KEY #3: Responsive, high-engagement service
When you engage an MDR provider, you want more than just someone who will operate technology for you. You need a true partner who will work closely with you to ensure that your organization is achieving maximum cyber defense against all threats.
In addition to evaluating their tech stack and threat intelligence, look for an MDR provider that can offer:
- Access to cybersecurity expertise within minutes by chat or phone
- On-demand emergency threat-hunting support
- Additional services as needed (incident response, adversarial testing, tabletop response drills, etc.)
Ideally, any MDR provider on your short list should be able to provide client references who can share their experience with that provider's service levels and complementary cybersecurity capabilities.
KEY #4: Experience in your vertical market
In theory, cybersecurity best practices are broadly applicable across all types of organizations. In practice, however, cybersecurity is highly verticalized. There are two primary reasons for this:
- From the outside: Threat actors tend to target organizations in specific verticals with specific types of attacks. This is in part because their success in hacking a victim in that market encourages them to attempt attacks on similar organizations. It's also because the objective of their attacks tends to align with the type of organizations they've targeted: ransomware lockups of patient records at healthcare targets, exfiltration of credit card numbers at retailers, etc.
- From the inside: Organizations in the same vertical market tend to have similar digital environments. Manufacturers have OT infrastructure that's quite unlike traditional enterprise IT. Financial services and law offices have a high volume of confidential document exchange with external clientele. College campuses have an exceptionally high volume of guest Wi-Fi accounts.
It's best to work with an MDR provider who understands the unique operational considerations and particular threats faced by organizations like yours.
KEY #5: Sane, predictable pricing
MDR value isn't just about what you get. It's also about how much you pay for what you get. Given your current budget constraints, you want a very clear understanding about how much you're paying — and what you get for the money.
Part of that understanding entails knowing exactly what's included in the price you're being quoted. For example, an MDR's provider's quoted price may only include 90 days of data retention. That retention may be insufficient if you suffer low-and-slow exfiltration. It may also be worth examining how well a provider can respond versus simple detection. After all, a provider won't meet your needs or expectations if they're only good at detecting problems — but not so great at helping respond or provide remediation.
One other factor to consider when evaluating pricing: those dreaded, variable costs. For example, if your MDR provider is using SIEM, they'll probably have to charge you for your total volume of cybersecurity data. The result: unpredictable costs that penalize you with a “data tax” for both your diligence and the growth of your business activity.
The bottom line: MDR is far from a commodified service. Make sure you find a true cybersecurity partner using a true XDR platform driven by truly exceptional threat intelligence.
To learn more about your MDR options based on Secureworks Taegis XDR™ platform, read our latest solution brief.