
5 common mistakes organizations make when choosing an MDR provider

Here’s what not to do when shopping around for an MDR provider.

Seth Geftic

As one of the first Managed Detection and Response (MDR) providers, Red Canary has been a part of hundreds of competitive evaluations over the years. These evaluations have kept our finger on the pulse of how MDR services differ, what customers are looking for, and which features actually lead to positive security outcomes.

To help you avoid some of the common mistakes we’ve seen some MDR buyers make, we put together a list of 5 things to consider before you start shopping around for a security partner.

Mistake #1: Getting distracted by the wrong metrics

One of the more common questions we get asked during evaluations is “how big is your security team?” The truth is, we really don’t like to answer this question. This might seem directly at odds with one of our company’s values, which is to be honest and transparent, but we’re not avoiding the question because we have something to hide. It is because we think it is the wrong question to ask.

The reason we get asked about the size of our team is because the person asking is really trying to understand whether we have enough coverage and expertise on staff to keep their organization safe. Of course they would want to know that when deciding on an MDR vendor!

However, the number of people on staff is not a good way to determine whether an MDR provider is properly resourced, nor should headcount be treated as a proxy for the maturity of its security practice. For example, one SOC might staff 10 Tier 1 analysts to ensure coverage, while another SOC, with help from Red Canary, can do the work of those 10 analysts using automation refined over years of real-world experience. A third SOC might need a higher analyst-to-customer ratio simply because it wastes resources on inefficient processes. (Fun fact: we eliminated the tiered analyst structure at Red Canary years ago.)

How to avoid this mistake

Instead of focusing on the size of an MDR provider’s security team, organizations should ask about the metrics they use to evaluate their SOC, what technology is aiding the analysts, and how they balance automation with human expertise.

Mistake #2: Only focusing on the endpoint and ignoring other sources of data

In their Market Guide for MDR Services, Gartner wrote that “MDR services are evolving to include a larger set of technologies and coverage, beyond endpoint detection and response (EDR).”

Why? Because in many attack scenarios today, the initial entry point into an environment is via a non-endpoint vector, and throughout the intrusion chain adversaries jump around the network. Other data sources such as email, network, and identity may very well pick up signals that detect this suspicious activity, but it is not easy for security teams to identify the threats that really matter across disparate tools and the avalanche of alerts.

For many organizations, their security stack is complex and noisy, and their teams struggle with managing the multitude of security solutions and alert fatigue. This problem isn’t limited to just endpoint data. While endpoint data is certainly important, it is not the only data source that matters.

How to avoid this mistake

Security teams should be less focused on data sources and instead, as Gartner puts it, “should be focusing on risks and outcomes that will directly impact their business objectives.”

Mistake #3: Undervaluing the “R” in MDR

Mean Time to Response (MTTR) is a common metric SOCs use to evaluate their performance. Improving on this metric is often a key driver for evaluating an MDR service in the first place, so it would make sense to look at the remediation tools a provider offers when determining which service to go with.

Gartner states that organizations should “assess how the MDR provider’s containment approach can integrate with your organization’s policies and procedures and, where practical, accept providers performing threat containment and disruption actions on your behalf to enable quick responses to detected threats.” They also recommend that organizations “attain the maximum benefit from MDR services by preparing response workflow processes and integrating existing ticket management systems to ensure a business-centric response.”

Red Canary’s intuitive user experience makes it easy to build and automate consistent and efficient incident response processes and playbooks, powered by expert guidance from the Red Canary team. We automate important steps, allowing responders to focus on activities that require human touch to reduce MTTR. Organizations that want to take response a step further can add hands-on keyboard remediation from our security experts. This is especially helpful when time is of the essence, as is the case with pre-ransomware activity.

How to avoid this mistake

Make the “R” in MDR a sticking point with providers by asking them how closely they support your team through automation, guidance, and active remediation.

Mistake #4: Assuming incident response is included

We hear about “guarantees” and “warranties” so much in the security industry. You wouldn’t blame security buyers for assuming that if a serious incident does occur, their MDR provider will handle that as part of their core service.

Unfortunately, that is not always the case. Many MDR contracts do not include incident response. They either pass you along to a third party that specializes in breach response or sell you their in-house service for an additional fee when you are under the intense pressure of trying to handle an active incident.

At Red Canary, we take pride in the fact that it is extremely rare for one of our customers to engage an outside incident response provider in response to an incident while on Red Canary’s watch. Not only are serious incidents quite rare but, if one does occur, expert incident handling is included as part of our standard MDR offering.

How to avoid this mistake

Ask your prospective MDR provider whether incident response is included in their service, and ask for real-world examples of what it would look like for your team.

Mistake #5: Not realizing that many MDR providers just triage alerts

All MDR providers, including us, will take alerts from customers’ security products and do their best to filter out the signals from the noise. This is a pretty standard (and valuable!) capability of an MDR service. However, very few MDR providers add any additional detection advantages beyond the manpower needed to investigate all those alerts.

The goal of an MDR service isn’t just to reduce noise; it is to ensure an organization is protected 24/7. That is why elite MDR providers detect threats that would otherwise go unnoticed, not just ones that are lost in the noise. These threats aren’t easily uncovered by looking at security product alerts and are usually only visible by analyzing raw security telemetry.

Security buyers who don’t dig deep into the detection engineering capabilities of their potential MDR provider are likely to overestimate the value they will bring to the table.

How to avoid this mistake

Find out if an MDR provider is analyzing raw telemetry to detect threats and filter out the noise—or simply regurgitating alerts back to you. The difference is night and day.
