Look back and look forward when walking into a new MDR relationship


The managed services market is bringing more and more providers into the mix, as an increasing number of organizations decide it makes fiscal and operational sense to outsource key functions, even those which traditionally have been considered especially critical, such as certain information security-oriented tasks. Perhaps the fastest-growing segment of service providers in this space is MDR -- managed detection and response.

The MDR concept is relatively young in the service provider space. MDR offerings are typically designed to augment your SOC (security operations center) function by providing detective and reactive tools and expertise. In some cases, it may even replace your tier one, or triage-level, security analysts, who are focused on reviewing and confirming the sometimes overwhelming flood of incoming security alerts.

Having this expertise and the underlying tooling available on an outsourced 24x7 basis can be a huge win, regardless of the size of your organization. It is an especially compelling value when we think of how hard it is to hire and retain cybersecurity workers today. But, like all security products and services, there are important considerations to keep in mind when evaluating an MDR service.

MSSP vs MDR

We can’t start a conversation about MDR without first addressing MSSPs, managed security service providers. The MSSP market is more than two decades old and came about as the technology landscape grew increasingly complex -- a challenge which certainly isn’t going away -- which is why there is still a strong and compelling need for MSSPs today. The modern MDR service delivery model was born out of this MSSP space.

Just as the SIEM market (security information and event management) was propelled forward over roughly the same timeframe by regulatory and compliance needs, many MSSPs also focused on those same drivers. What this means for you is that a classically defined MSSP isn’t necessarily looking at your environment holistically, but rather as a subset of compliance-required technologies such as firewalls, authentication, data loss prevention, and change management platforms. It also means they are likely to prioritize check-mark compliance over true security.

MDR, in contrast, offers a related but distinct set of services. An MDR provider looks at the same environment with a strong focus on security and daily security operations. MDR providers are measured not by compliance checkmarks, but by the success of your information and organizational security.

MDR providers emphasize tools and technologies which directly support a detection and response use case, collecting network traffic and logs generated by devices, applications and users, as well as data from more traditional endpoint devices like laptops and servers and even devices running within your IoT (internet of things) environment. The magic happens when these disparate data planes are brought into a single environment to be stored, accessed, analyzed and acted upon in a unified, coordinated manner. It is such an effective approach that, not surprisingly, the same goal is driving the trend toward XDR tools as well.

While the most obvious benefit of an MDR offering is shifting eyes-on-glass triage to an outsourced provider, it goes far beyond that. An MDR service, after all, isn’t working for you and your organization alone. They have other customers too, both within your industry segment and outside it. Because they see so many customers, a good MDR provider can see larger threat trends as they begin to form. Like a meteorologist tracking a developing storm, your MDR provider sees not just the impact to the first victim, but the potential impact to all its clients. It is a unique vantage point that combines detection and response expertise with the ability to see a “big picture” that proactively helps protect an MDR’s entire customer base.

There is clearly a lot of value MDR can bring to your organization! So how do you get started?

Questions to ask up front

MDR is not a replacement for having a well-considered incident response (IR) plan in place and up to date. Rather, you want it as an extension of your IR plan. For example, does the MDR provider offer IR services as an add-on capability? In the event of a larger, high-impact incident, having the responders (the IR team) and the monitoring team (the MDR team) on the same page is absolutely essential. What better way to do that than to source both functions from the same provider?

And don’t overlook a very cost-effective way to get started on this point, by leveraging an IRR (incident response retainer) which ensures you are prioritized if you get hit with a major attack. Handling a serious incident on your own can be a painful and often costly experience, which makes it well worth putting an IRR in place before you need it.

Some other questions I encourage organizations to ask as they shop for an MDR provider: You say you offer threat hunting, but can you define exactly what that means? How do we get access to real-time data on your dashboard or even directly to the monitoring system itself? How do you leverage threat intelligence and other types of content to my benefit?

And don’t forget to quiz them on what may be the most important non-technical concern you should have: One of the reasons we need an MDR provider is that we’ve found staffing these SOC roles to be extremely difficult – how do you staff your team, and what are you doing to retain those analysts once they are on-board and trained?

Avoid friction, and be realistic

One of the places where organizations often experience extra friction with their MDR provider is the ticketing and tracking of incidents, regardless of who needs to investigate, whether it be them or you. It’s worth spending extra time up front understanding how exactly your prospective MDR provider will integrate into your existing ticketing and case management platforms. They will find the threats, but your team may be responsible for some or all of the remediation and cleanup. It’s 2023: try not to settle for a case management integration plan that is no more than their system sending an email to your system. Today’s modern MDR players offer a true two-way connection between their ticketing environment and yours.

It’s also very important for you to recognize and acknowledge that contracting an MDR service is not a set-it-and-forget-it deal. While your MDR provider brings significant expertise and technology to the table, you and your team are still the ones who know your environment the best. Your MDR provider will bring to your attention alerts of interest, but you’ll still want and need to investigate these directly in some circumstances. You want to ensure that as you wrap up your subsequent investigation of those alerts locally, there is an established process to close the loop with your MDR to notify them as well.

And don’t make the mistake of thinking that the initial lift of getting your new MDR service into production is the only time you need to spend optimizing their technology to work well with yours. You need to plan on investing additional time post-rollout to work with them to tune their technology and processes with your environment. For example, how will you communicate your own operations process which kicks off whenever new log sources or new endpoints appear on your network?

Threats will continue to evolve, and so must your MDR provider

MDR providers are multiplying because there is a pressing need for their services -- a need which will continue to accelerate well into the future. Threat actors know your attack surface is growing larger, not smaller. They know that your trove of sensitive data isn’t just challenging to make secure, but also to keep secure over time. They know your users are consuming more and more apps, whether supplied and secured by your organization or not, any of which represents a potential entry point into your organization.

Some MDR providers may not be able to keep up with the constant pace of change, so it is possible that the MDR provider you select today may not be the ideal partner for you tomorrow. Walk into an MDR contract with a clear understanding of both how to begin the relationship and how to possibly exit the relationship in the future. Are there penalties for terminating the contract before its end date? Given the intimate knowledge your MDR has about your internal environment, how does the MDR provider handle that data when you exit the relationship? Is that data transferred to you and then destroyed, and if so, how exactly? Is the provider willing and able to work with your new provider to ensure a clean transition between vendors?

Finally, your extra credit goal is this: Work to make the MDR relationship positive and educational. Don’t be the passive customer who simply accepts inbound alerts and notifications blindly. Set up regularly scheduled touchpoint meetings and ask for a member of the team who is monitoring your environment to be present and participate. Make it a learning experience for your organization. Good MDR providers should welcome the opportunity to transfer knowledge to you about their threat hunting techniques and custom detection-oriented content they develop in support of your unique environment.

Don’t waste this opportunity to build your security maturity. Find an MDR service that goes above and beyond defending your environment, an MDR that truly partners with you to teach you how to better defend yourself.

Image Credit: donscarpo / depositphotos.com

Ben Smith is NetWitness Field CTO.
