Relentless threat actors and complex technology stacks make it challenging for IT teams to keep up with the volume of cybersecurity threats – and even more difficult to respond to them rapidly. Compounding matters is the tight cybersecurity labor market characterized by too many job openings and a growing talent shortage. In this environment, security leaders are increasingly partnering with Managed Detection and Response (MDR) service providers for cost-effective 24/7 security monitoring and breach prevention.
The growth in demand for MDR services is attracting new entrants such as commodity resellers looking to pivot to a services business model. When evaluating providers from the pool of new and established players, vendor selection can be difficult as many claim similar capabilities. While reputable analysts, like Gartner, have helped narrow the field by recognizing some of the top organizations offering MDR capabilities, here are our five key requirements to look for when selecting a Managed Detection and Response service provider:
Rapid Response Capabilities
Organizations must be able to effectively detect and respond to threats around-the-clock regardless of whether it is an evening, weekend or holiday. One of the main motivations behind partnering with an MDR service provider is to improve your company’s security posture with a team that can quickly respond to and contain security threats.
While most organizations can only investigate and respond during business hours, the ability to quickly contain threats on a 24/7 basis is crucial to any organization. Automated response capabilities provide incident responders time to further investigate and remediate before there is a serious breach. While many MDR service providers claim they offer response services, not all capabilities are equal. Some providers only focus on accelerating response times for your security team through actionable guidance and recommendations, relying on a manual action to contain a threat.
True MDRs have developed automated and/or semi-automated containment capabilities, such as isolating infected host systems or blocking IP addresses. An effective service provider will correlate high-fidelity events to detect indicators of attack as well as help you determine what actions best align with your business requirements and the type of automated remediation that will be most effective. Secondary validation plays an important role to reduce the risk of responding to false positives, especially where business critical users or operations could be affected.
Given that the use of identity-based attacks and credential abuse are growing rapidly, and frequently at the core of ransomware and supply chain breaches, advanced response offerings should also protect users’ identities. Identity Threat Detection and Response solutions can suspend a user account when an identity-based threat is detected.
When selecting a Managed Detection and Response service provider, make sure you know what level of response capabilities you want in a provider and find one whose capabilities extend beyond mitigation guidance into response actions. Industry leading MDR providers combine Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) to maximize protection from targeted attacks.
Support for Cloud Environments
Motivated by cost savings, greater flexibility, and more efficient collaboration, businesses continue to adopt and expand their cloud infrastructure. In fact, a majority of businesses planned to host or move more than 50% of their workloads in the cloud over the next 12-18 months. However, while there are many benefits of moving to the cloud, the complications of setup can be overlooked. Issues such as misconfigurations, API vulnerabilities, account compromise, and malicious insiders all pose threats to the security of your environment and your sensitive assets hosted in the cloud.
Given that cloud infrastructure can pose a risk to organizations, how can you work with your MDR provider to secure these assets? When sourcing a suitable provider, it’s best to look at the amount of cloud support that a provider offers. One that has limited monitoring capabilities for cloud environments may leave a significant part of your IT infrastructure unprotected, unmonitored, and exposed to threats that you won’t have visibility into. In addition, some MDR service providers may be able to help guide you in best practices for proper setup and maintenance, ensuring your cloud environments aren’t being left open to cybercriminals.
At a minimum, select a Managed Detection and Response service provider that supports the three main public cloud vendors—AWS, Azure, and Google Cloud Platform. They should not only be able to monitor these critical log sources but also have experts on their team who can provide guidance. If your organization is using virtual servers and firewalls, find a provider who can manage these and help you implement best practices, so you can ensure your cloud hosting platform of choice is set up to vendor recommended standards.
If you host your own SIEM, using a vendor such as Splunk Cloud, seek out an MDR provider that has the capability to work with that type of system as well. They should have a team of certified experts on the platform, dedicated to helping maximize the value of your investment.
Detection in Depth
While tools such as Intrusion Prevention Systems (IPS), anti-virus solutions, and firewalls, strengthen your perimeter, they may not be enough to keep your networks secure from advanced cyberattacks. Many of today’s cyber threats, like ransomware, are complex, multi-phased attacks that often evade perimeter controls and can lurk undetected for a long period of time. That is why it’s essential to use a combination of narrow-band and broad-band approaches to best detect adversarial actions. This additional visibility allows providers to better detect and discover threat activity, such as ransomware pre-cursor activities.
This use of a detection in depth approach can make valuable use of log or telemetry data from these tools to detect indicators of suspicious activity and threats that might have bypassed your systems. As a natural expansion of defense in-depth, detection in depth was evolved to emphasize multiple layers of visibility into network activity. This layered approach reduces the risks associated with dependency on a specific solution or vendor and better enables you to catch one of the many early warning signs of an attack.
For example, today’s ransomware attacks are often complex, multi-stage attacks that attack that attempt to compromise one or more endpoint devices and install malicious software that blocks access to those devices. With multiple security monitoring tools at both the endpoint and network levels, it is easier to detect and discover the early stages of ransomware related activities, allowing you to stop cybercriminals before they get into your networks.
When selecting a Managed Detection and Response service provider, look for one whose detection capabilities provide benefits beyond the level of preventative controls. Using machine learning models and advanced correlation analysis can power detection in depth through identifying signals of suspicious behavior, making your MDR service provider better able to spot potential threats and act quickly.
There are various frameworks and models an MDR service provider can use to break down the typical cyber-attack into a series of several tactics, objectives, or stages. The MITRE ATT&CK matrix, for example, has 14 distinct objectives while the cyber kill chain traces out 7 attack stages. Whatever model you or the MDR service provider follows, it’s prudent to seek out a partner that goes deep with their detection capabilities across all phases of cyberattacks rather than being limited to the surface level controls.
Investment in Threat Hunting
Your MDR service provider should have a threat hunting team that takes a proactive approach to search through your network, data, and systems to unearth hidden threats and adversaries lurking in your environment. These threats may have gone undetected by existing tools or use cases, but with the help of a dedicated threat hunting team, the risk of a data breach can be minimized.
Global MDR service providers can add more value from threat hunting by applying their findings from one client’s network to improve threat hunting efforts for other clients. Machine learning models that identify anomalies and score them based on how unusual they are in the context of baseline behavior should be part of your MDR provider’s threat hunting tool chain. Many MDRs have some senior advisors that can play an important role by digging through client logs, dashboards, and visualizations to hunt for threats.
Clear Communication and Visibility
When evaluating an MDR service provider, it’s critical that you set expectations for how you would like to be able to communicate with your partner. Some MDR service providers might have limitations on communication hours or specific mediums that might not work well for your business. Given that an attack can happen at any time, you should look for a team of SOC analysts who not only monitor your environment around-the-clock but also one you can access when you need additional help. It is also beneficial to have multiple communication options, such as phone, web portal and email.
Select a Managed Detection and Response service provider that goes the extra mile by displaying real-time data, dashboards, and other valuable security information. Some MDR providers can improve your security posture by identifying gaps in controls that can be exploited by attackers. Executives can use this data to demonstrate team improvement over time or justify spending for additional headcount or tools.
Proficio’s MDR services provide your business with around-the-clock security monitoring, advanced threat detection, investigations, and automated response capabilities. You can learn more about our Managed Detection and Response or find out what Gartner recommends you ask MDR providers and Proficio’s answers.