Over the past several months, you’ve likely heard the term “Managed Detection and Response” (MDR). And while the term is often used, it is seldom defined, and, when it is, the service description is usually vague. It’s hard to tell if the vendor is using proprietary technology or if the solution is vaporware or still in development. To make matters more confusing, each vendor seems to define MDR differently, making it very hard to compare solutions. This blog post will demystify the term MDR and provide helpful tips on selecting an MDR vendor.
What the experts say
According to Gartner Peer Insights, “Managed detection and response (MDR) providers deliver 24/7 threat monitoring, detection, and lightweight response services to customers leveraging a combination of technologies deployed at the host and network layers, advanced analytics, threat intelligence, and human expertise in incident investigation and response. MDR providers undertake incident validation and can offer remote response services, such as threat containment, and support in bringing a customer's environment back to some form of ‘known good.’”
That’s quite a lengthy definition, so let’s break it down. First, MDR is a combination of products that generate alerts for security issues (or possible security issues). Those alerts are fed to a 24/7 team, so MDR is a service, not a product. The technology detects threats that your other security layers miss, and the team then reviews and validates those alerts. Finally, the MDR technology (and team) supports you in getting your client’s environment back to a known good state.
How to select an MDR vendor
One of the most important parts of selecting an MDR vendor is finding a relationship in which you are comfortable. If you’ve ever bought a new car, you likely went from one dealership to the next to buy the exact same vehicle. What made the difference? The buying experience or the relationship with the dealer?
Procuring an MDR solution is similar. While every MDR solution is a bit different, the relationship is key. Today’s breaches can start and end inside of 10 minutes. That means there is no time to blink, eat, or sometimes even breathe. Because speed is so important, you must have absolute trust that your vendor has your best interest at heart. They should care about your clients and value their relationship with your company, treating you not just as a customer but as people.
Another criterion to consider is the human element. If your biggest client has a breach, you want to be able to reach the support team quickly, understand them without a language barrier, and trust their expertise: this vendor should not be learning at your expense during your client’s worst moments.
Is MDR the silver bullet?
It is so easy to yearn for a silver bullet — one solution that will solve all your cybersecurity woes. Unfortunately, that’s not realistic. MDR is an important piece of the puzzle, but it’s not the answer to every problem. In fact, for MDR to work efficiently and effectively, you must have some basic protections in place: patching, anti-phishing, password management, and more. If you don’t have those protections in place, MDR will create a lot of noisy alerts. And while all those alerts are the MDR provider’s problem, you share some responsibility in minimizing the burden. Otherwise, the resulting “alert fatigue” could lead to missing a legitimate threat.
As you evaluate MDR solutions, refer to this overview to understand the solution, see how to select a vendor, and then ask educated questions. Once you’ve found the best vendor for your company, you’re ready to add this solution to your offering and provide even better security to your clientele.