Cybercrime, job openings, and vulnerable software are at an all-time high.
Everyone is knee-deep in planning or executing a digital transformation strategy. But resources and budgets are limited, the skill gap is increasing, and on-demand access is adding complexity. Outsourcing is becoming the norm, and standard MSSPs are falling by the wayside.
Marketing terms can be confusing, and everyone “says” they do the latest buzzword.
MDR is one of those items. MDR (Managed Detection & Response) is the evolution of an MSSP, in that the provider moves past the “alert” fatigue phase and does deeper-level investigations. Forensic investigations require broader tool access, a higher skill level, and deeper processes and knowledge, including threat hunting.
Threat hunting is the term for a skilled security analyst manually looking through (hunting) logs and packets to find out-of-the-norm activity that slipped past all other security tools.
How often does this happen, you might ask? Well, that depends, but generally: often. Attackers are continually coming up with new evasion techniques or exploiting tools that have little or no logging.
Finding an MDR provider is easy, but how do you find a good one? When looking for an MDR provider, there are many things to consider, and we hope the below points help you identify one.
Ensure Full Packet Capture
Make sure you understand what technology the provider is deploying and whether it is proprietary or off the shelf. Ensure the technology accepts multiple sources of data, including logs, packets, endpoints, and cloud data. Packet capture is often a differentiator in an MDR provider, as it allows them to see the actual data in transit. Not all tools do “full” packet capture; some instead do a signature-triggered capture, where you only get the packets associated with known threats.
Have a Holistic Threat Intelligence Approach
Not all threat intelligence is the same; it’s easy to pull in a ton of feeds. Instead, find a provider that uses standard threat intelligence, gathers its own, and uses your company’s information to build profiles of your network and data.
Determine Access and Ownership
Are the tools in the provider’s network or yours? Do you have full access to the data, and does the data belong to you?
Team Compatibility
Make sure you have a central point of contact and that you can reach an engineer or an analyst anytime you need, 24x7x365. It’s essential to be able to look to your outsourced provider as an extension of your team and not a typical vendor.
Ensure your MDR company can handle incidents and goes out of its way to manage them with care and urgency.
Information Access
Pick a provider who gives quick access to tickets, information, dashboards, and metrics and follows common frameworks such as MITRE ATT&CK.
Accreditations Matter
Do they hold any accreditations? Pick a provider who has the knowledge needed to support you if an incident occurs. Make sure they understand cloud, networks, and applications. Often, providers cannot develop custom content that allows searching for new threats quickly. Do they do anything to understand your infrastructure, applications, and data? Lastly, a provider should be open to knowledge sharing and training your staff.
Conclusion
Outsourcing your security operations is a critical business decision, and not all companies are the same. When evaluating us or any other MDR vendor, please do your due diligence and ensure the MDR provider indeed does what they say they do.