Gartner estimates that 15% of organizations will be using managed detection and response (MDR) services by 2020, up from less than 5% today. For many buyers (including myself), past bad experiences can make it difficult to consider outsourcing critical components of your security program. Whether the experience was caused by poor service, an ineffective product, or a vendor who did not innovate post-purchase, it sets the stage for not wanting to consider outsourcing again. We can’t always build out our security program to match a managed provider; therefore, with limited budget we have to pick a “best effort” vendor in hopes it works out.
So how do we ensure we select the best vendor? How do we know we’re getting a best-in-class, “11 star” experience compared to a 1 to 5 star experience? When I was a security architect evaluating partners, I often looked at three primary areas of consideration: people, technology, and innovation. Of course, your MDR evaluations will ultimately go much deeper, but these big picture areas can help you understand where to focus and make an informed decision.
Being close to the endpoint side of the MDR market, Red Canary has been asked hundreds of questions by security teams as they look for a partner to operationalize their endpoint detection and response (EDR) deployments. Here are some of the top questions and discussion points across the three key consideration areas.
#1: People
Look for a partner that staffs its security team with experienced analysts, responders, security engineers, threat researchers, and forensic experts with years of expertise. Detecting and investigating endpoint threats requires a low-level understanding of endpoint operating systems, how threats manifest themselves across operating systems, and the ability to discern good activity from bad activity. Many current managed security service providers (MSSPs) may present themselves as MDR vendors, but they rarely staff for the required skill set.
True MDR vendors will hire experts who have hands-on experience with the EDR product. Many of these hired experts have either deployed, managed, or utilized EDR products. The most important factor is that each one of these experts understands endpoint telemetry data.
Important discussion points and questions to ask:
- What is the composition of your security team?
- How do you leverage the product to perform detection?
- How do you assign analysts?
- How will the analysts supporting my organization transfer knowledge about my environment? What systems do they use?
- Who will I be communicating with during my service engagement? What is his/her background, and what expertise will he/she provide?
- Will you train me on the product?
- How many people would an organization of my size need to hire to run this tooling?
- What skill sets would they need to have?
As a security professional, I love to hear answers to these questions. They provide insight into the operation of an MDR vendor and how well it has operationalized its practice. I’m making an investment, and I want to ensure the people on the other end of the phone know what they are doing with my data when responding to threats, and that I am selecting the best in the industry to watch over my environment.
#2: Technology
At the end of the day, you should clearly understand how the vendor will integrate with your technology, workflow, and team. You want a return on security investment? Make sure it works with your current product lineup by integrating with your Help Desk, log management, communication, and incident management solutions. A mature offering should also be able to integrate with your own custom solutions via an Application Programming Interface (API).
Important discussion points and questions to ask:
- What integrations do you offer?
- Do you have an API and API documentation?
- Can you help me set up ?
- Are integrations free? Or cost per integration or type?
While the questions above should tease out specific use cases, it is always best if you’re able to provide a few of your own. Provide the vendor with some actual problems that you’re looking to solve with your current security stack, but also talk about how you want to evolve and reduce mean time to detection. Have they encountered these problems in the past? Can they provide implementation details during the course of a proof-of-concept? If you are going to do an evaluation of the service, I always recommend allocating your time to focus on it as much as possible. Without giving the evaluation the right attention, you risk not understanding the service offering and making a costly mistake.
#3: Innovation
When reviewing MDR vendors, look at their past and ask them about their future. You want to understand where they came from and where they are today. Looking forward, you want to understand their vision and roadmap. How are they evolving as a company, and how are they improving security for their customers and the industry?
Important discussion points and questions to ask:
- What are your top three use cases and why are they important?
- What are some use cases for which you think your platform/service is underutilized?
- Provide details on the evolution of your team and their breadth of expertise.
- How does customer feedback feed your solution, if at all?
- Describe your roadmap. What major innovations do you plan to launch in the next 12-18 months?
Organizations have evolving problems to solve, and if the vendor being evaluated is not able to keep up with tomorrow’s threats, then you have to look elsewhere. Detecting yesterday’s threats is a problem for antivirus vendors to solve, while using an effective MDR vendor can truly take you to the cutting edge of detection and response.
Key Takeaways
Choosing an MDR vendor requires careful evaluation, but it should not be a headache. Take your time during the evaluation process, determine your needs, ask questions, and apply as much rigor to the selection process as you can afford. Run through an evaluation of the service offering and put the vendor through related assessments. This should lead you to the MDR provider that best meets your stated needs.