The increase in cyber-attacks and the evolving threat of ransomware over the past 5 years have led to a rapid rise in the number of security and IT vendors marketing themselves as having Managed Detection & Response capabilities. This has created a wide disparity in the level of service security leaders can expect from a vendor calling itself a Managed Detection & Response provider.
In this blog, we’ll discuss the critical criteria that internal security teams should evaluate when considering Managed Detection and Response (MDR) providers – not only before they bring the vendor into their environment, but also during that continued engagement and relationship.
Defining Managed Detection & Response (MDR)
Let’s start with how we define Managed Detection & Response (MDR).
Managed Detection & Response is a cybersecurity service that emphasizes the rapid detection and response to threats in customers’ environments. An ideal MDR provider will bring the technology and threat hunting experts to its monitoring, detection, containment, and technical guidance service offerings. The individual pain points that the Managed Detection & Response service will be solving for clients may vary by internal client needs, but the ultimate outcome should be rapid and accurate detection of malicious activity reported to the client in a way that enables them to proactively take steps to mitigate the attack or damage.
To bring the analyst perspective, Gartner defines Managed Detection & Response as “a service that provides customers with remotely delivered modern security operations center (MSOC) functions. These functions allow organizations to rapidly detect, analyze, investigate, and actively respond through threat mitigation and containment. MDR service providers offer a turnkey experience, using a predefined technology stack (covering areas such as endpoint, network, and cloud services) to collect relevant logs, data, and contextual information. This telemetry is analyzed within the provider’s platform using a range of techniques. This process allows for investigation by experts skilled in threat hunting and incident management, who deliver actionable outcomes.”1
Here at Binary Defense, we talk about Managed Detection & Response as a human-driven, technology-assisted approach to alleviate an organization’s gaps in security and shield our customers from cyberattacks. Our Security Operations Task Force proactively identifies threats, investigates alerts and recommends remediation steps to help contain the threat.
The 5 Critical Criteria for Evaluating an MDR Service
Now that we’ve defined what Managed Detection & Response is, let’s discuss the critical criteria that security leaders considering MDR should look for from their vendors.
Managed detections are the primary reason that security leaders turn to MDR providers, so it only makes sense that detections should be the primary method of evaluating them. But, how do you vet the quality of the detections that a vendor provides? Here are a couple of ways you can evaluate a vendor’s detection capabilities:
- Ask about their behavioral-based detection techniques
- Signature-based detection is valuable and significantly reduces the chance of known threats slipping past your security measures before they are caught. The problem is that this approach only applies to known threats. You should expect your Managed Detection & Response vendor to move beyond signature-based monitoring into behavioral-based detections, which catch novel threats that a signature-based approach misses because no signature exists for them yet.
- Ask for a Proof of Concept (POC)
- The only way to truly determine the strength of the vendor ahead of signing a contract with them is to run through a trial or proof of concept. A POC will not only give you additional insights into the quality of their detections, but it also gives you a chance to understand how you and the MDR provider will work together, and what that relationship will look like. You’ll get to interact with their SOC team and get a feel for how your team works with their team, which is essential for a successful MDR engagement. You’d be surprised how many vendors refuse to provide a POC of their services.
Your Managed Detection & Response vendor has detected a potential threat and escalates an alert to your internal team with the log information – so what’s different than running the tool internally?
When selecting a Managed Detection & Response vendor, the response is just as important as the detection itself. When a threat is detected, the MDR security analysts begin the investigation process: documenting the threat, identifying the root cause, and supplying guidance to the internal security team on the steps to respond, mitigate, and potentially remediate. The goal of Managed Detection & Response is to decrease the mean time to detection (MTTD), mean time to investigation (MTTI), and mean time to remediation (MTTR).
According to a Forrester survey, a majority of MDR customers want to own the response actions. This means that it is the MDR vendor’s responsibility to ensure that when they alert a customer of a potential threat, it includes the contextual details needed for the internal security team to quickly respond and mitigate.
To provide an example, below are some contextual details that Binary Defense analysts append to alarms, and that you should expect from any Managed Detection & Response vendor’s alerts.
- What happened to cause an alarm?
- Why did this activity raise an alarm?
- What assets are involved?
- How do I resolve this?
- How did we detect this?
- How can I mitigate the risk of this occurring again?
- Event Data and Raw Log
Contextual alerts are especially important because they give your team the insights they need to address the threat. If a vendor only provides alert details in a form that requires deep technical knowledge to understand, you will have a harder time acting on those alerts and making an informed decision about what steps to take. Working with an MDR provider that simplifies the alert language as much as possible makes it easier for internal teams to quickly digest and act upon the information they receive.
It’s 2 am on the Saturday of a holiday weekend and one of your Linux servers makes a call out to an unknown domain that it has never contacted before. Do you want to be woken up, along with your team, to investigate the server?
When we ask our customers this question during onboarding, the answer is usually no. That is why containment capabilities are a critical criterion when evaluating a Managed Detection & Response service. The ideal MDR vendor will take that anomalous behavior, monitor it, investigate it to determine the potential for malicious intent, then contain the server from connecting out to both your internal network and external network connections. This containment action provides the MDR security analysts time to investigate further, build out a recommended remediation course of action, and disrupt the threat actors from gaining control of the server – all while letting your team maintain their peace of mind and sleep schedule.
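The three ideas above (signature-based versus behavioral detection, the contextual fields a good alarm should answer, and the "server calls out to a never-before-seen domain at 2 am" scenario) can be shown together in a small detection pass over sample telemetry. The code below is an added illustration, not Binary Defense's code or platform logic: the log format, the baseline-learning approach, the known-bad domain list and the host names are all constructed for the example. It learns a per-host baseline of outbound destinations from an onboarding period, then flags live events either by signature (destination on a known-bad list) or by behaviour (first-seen destination for that host, noting off-hours timing), and shapes each alarm around the questions listed earlier.

```python
"""Added example: signature vs. behavioral detection producing contextual alerts.

Not code from Binary Defense or any MDR product; the log format, domains,
hosts and rules are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed "normal" telemetry observed during an onboarding period.
BASELINE_LOGS = [
    "2024-05-20T09:12:01Z host=web-01 proc=/usr/bin/curl dst=updates.example.com",
    "2024-05-20T09:15:44Z host=web-01 proc=/usr/bin/apt dst=mirror.example.org",
    "2024-05-21T10:02:13Z host=db-01 proc=/usr/bin/apt dst=mirror.example.org",
]

# Constructed live telemetry from a holiday-weekend early morning.
LIVE_LOGS = [
    "2024-05-25T02:03:11Z host=web-01 proc=/usr/bin/curl dst=updates.example.com",
    "2024-05-25T02:04:27Z host=web-01 proc=/tmp/.x dst=never-seen-before.example",
    "2024-05-25T02:05:09Z host=db-01 proc=/usr/bin/wget dst=known-bad.example",
]

# Constructed signature list (stand-in for threat-intel indicators).
KNOWN_BAD_DOMAINS = {"known-bad.example"}


@dataclass
class Event:
    ts: datetime
    host: str
    proc: str
    dst: str
    raw: str


def parse_event(line: str) -> Event:
    """Parse one 'timestamp key=value ...' line of the constructed format."""
    ts_text, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, fields["host"], fields["proc"], fields["dst"], line)


def build_baseline(lines):
    """Per-host set of destinations seen during the learning period."""
    baseline = {}
    for ev in map(parse_event, lines):
        baseline.setdefault(ev.host, set()).add(ev.dst)
    return baseline


def contextual_alert(ev, why, how_detected, resolve, mitigate):
    """Shape the alarm around the questions an MDR alert should answer."""
    return {
        "what_happened": f"{ev.host}: {ev.proc} connected to {ev.dst} at {ev.ts.isoformat()}",
        "why_alarm": why,
        "assets": [ev.host],
        "how_to_resolve": resolve,
        "how_detected": how_detected,
        "mitigation": mitigate,
        "raw_event": ev.raw,
    }


def signature_detect(ev):
    """Known-threat check: only fires for destinations already on the list."""
    if ev.dst in KNOWN_BAD_DOMAINS:
        return contextual_alert(
            ev,
            why="Destination matches a known-malicious domain in the signature list",
            how_detected="signature",
            resolve="Isolate the host, stop the process, and collect triage artifacts",
            mitigate="Block the domain at DNS/egress and review how the process was launched",
        )
    return None


def behavioral_detect(ev, baseline):
    """Novel-activity check: first outbound destination for this host, off-hours noted."""
    if ev.dst in baseline.get(ev.host, set()):
        return None
    off_hours = ev.ts.hour < 6 or ev.ts.hour >= 22
    why = f"First outbound connection from {ev.host} to {ev.dst}"
    if off_hours:
        why += " during off-hours"
    return contextual_alert(
        ev,
        why=why,
        how_detected="behavioral (first-seen destination)",
        resolve="Contain the host from internal and external networks while analysts investigate",
        mitigate="Add the destination to the baseline only once it is confirmed legitimate",
    )


def run_detections(live_lines, baseline_lines):
    """Signature first, then behaviour; events matching the baseline produce nothing."""
    baseline = build_baseline(baseline_lines)
    alerts = []
    for ev in map(parse_event, live_lines):
        alert = signature_detect(ev) or behavioral_detect(ev, baseline)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    import json
    print(json.dumps(run_detections(LIVE_LOGS, BASELINE_LOGS), indent=2))
```

Run as a script it prints two alarms: a behavioral one for web-01 (the updates.example.com call is in its baseline, the never-seen-before domain at 02:04 is not) and a signature one for db-01. The point of the split is visible in the output: the signature rule can only name what it already knows, while the baseline comparison is what catches the 2 am call-out the passage describes, and the containment recommendation lands in the alarm itself rather than in a separate conversation.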
At Binary Defense, we will contain threats on Windows, Linux, and Mac environments. Our onboarding analysts work directly with your team to identify key assets and build workflows and use cases to help determine when our Security Operations Task Force analysts should contain your assets, at what point your team wants to be notified, and when we need to raise the alarm bell – no matter the day or time. A strong MDR provider should develop a containment plan with you ahead of time, so when an issue does arise, they know when and how to bring your team in.
Deception technology is not a capability you’ll see often within Managed Detection and Response services. In fact, it’s not something that the industry analyst community currently evaluates when researching Managed Detection & Response vendors. But that doesn’t mean it shouldn’t be part of your evaluation process when looking at Managed Detection & Response vendors.
Deception adds an offensive element to your defensive security approach. The reality is that no matter how much money is spent on threat intelligence, hunters, analysts, frameworks, and tools, at some point some new threat will slip through the cracks. That’s where deception plays a critical role in your defensive security posture. If a threat manages to get through the first round of defenses, deception tactics give you another line of defense to capture and contain it using honeypots, decoy ports, decoy networks, and various other decoy tactics. This protects your actual environment from exposure to the threat while giving your MDR security analysts the ability to do a deeper investigation into the root cause and provide that critical feedback to your team to mitigate the risk of the threat breaking through again.
Strong EDR Background
This last criterion may be surprising, given the industry’s focus on eXtended Detection & Response (XDR) over the past two years. While XDR brings many positives to an organization’s security posture by monitoring a whole new host of log sources, that doesn’t change the fact that, according to IDC, over 70% of all successful breaches happen on the endpoint. Therefore, it is crucial that your Managed Detection & Response vendor has a strong history in Endpoint Detection & Response (EDR) capabilities. Many vendors looking to capitalize on the XDR market shift have little to no background in endpoints, viewing them as just another source of logs that can be run through their AI/ML programs to build detections.
The Closing Criteria
We know, the title was named ‘5 Critical Criteria for evaluating Managed Detection & Response (MDR)’, but we couldn’t leave this last point out. At the heart of any Managed Detection & Response vendor is the service they provide, because at the end of the day, that’s what you’re purchasing. All the expensive point tools in the world do not make for a quality MDR vendor – unless the service experience backs up that investment. You should feel like the vendor and its analysts are a part of your extended security team.
Ultimately, you should find a vendor that has the security practice, team, and processes in place to adapt to your organization’s individual security requirements. MDR is not one-size-fits-all, and it’s important that your provider takes the time to understand your unique environment, team structure, and way of working. That’s why Binary Defense prides itself on being an extension of your team – giving you peace of mind with 24x7x365 eyes-on-glass security monitoring, improving your security posture, and keeping your internal team focused on their mission-critical projects.
How is Polar MDR different?
Polar Bear Cyber Security Group’s MDR hunts threats and responds to them once discovered, providing a wide array of security services, including investigation, analysis, response, and recovery from incidents through a detailed remediation plan. The main benefit of MDR is that it enables rapid identification of threats and limits their impact.