With so many security products and vendors on the market, it can feel like there's no practical way to evaluate them all. Sometimes we take the approach of selecting the product with the most recognizable brand and then hope it was the right decision. After all, you can always replace it later if it doesn't work the way you want it to, right? The problem, of course, is that deploying tools is time consuming, costly, and potentially disruptive. There's also the cost of removing tools that turn out to be a bad fit.
The challenges associated with selecting the best security solution for your organization become more complicated when dealing with newer technologies. One such offering is Managed Detection and Response (MDR).
What is MDR?
According to Gartner, MDR delivers threat monitoring, detection and response leveraging a combination of technologies, advanced analytics, threat intelligence, and human expertise in incident investigation and response.
How does MDR work?
MDR typically involves a centralized Security Operations Center (SOC) where a team of security analysts, engineers, and researchers work together to provide threat hunting and to take response actions that contain and disrupt any threats that are discovered.
MDR companies will often provide their customers with various levels of access to the SOC team, allowing both management and in-house technical staff to submit requests that effectively customize the service they're receiving. Over time this establishes a baseline of what the organization's normal activity looks like versus what constitutes a threatening deviation, and it helps the customer's technical teams shore up potential gaps.
When done well, this leads over time to a highly bespoke, carefully tailored system of security alerts and procedures that is specific to an organization's environment.
MDR relies on an interplay of expert human knowledge and sophisticated technology to deliver the maximum amount of protection. The overall goal of good MDR is to use this combination of human intelligence and technical innovation to provide a service that goes far beyond simply sending out an endless list of low-value alerts.
MDR companies typically centralize security data gathered by various tools into a Security Information and Event Management (SIEM) platform that allows their security team to correlate information for better analysis. A SIEM usually pulls in data from multiple sources; common examples include advanced endpoint protection (next-generation anti-virus), operating system logs, firewall alerts, network traffic, and cloud services. This data is available both in raw form and graphically, and MDR companies often build specific views, data tables, trend graphs, and other visualizations that the operations center team uses to look for anomalies.
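The following is an added illustration of the two ideas above, building a baseline of normal activity and correlating events across sources in a SIEM; it is example code written for this page, not Ingalls' tooling or any SIEM product's API. Three constructed log formats (an OS authentication log, a syslog-style firewall log, and a JSON cloud audit record) are normalized into one schema, a per-user baseline of usual logon hours is learned from historical logons, and a logon outside that baseline is escalated when the same source IP appears in another data source within a short window. All hostnames, users, addresses, and field names are made up for the example.

```python
"""Toy SIEM-style baseline and cross-source correlation over constructed logs.
Example code for illustration; not a vendor's implementation."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# --- constructed sample input (all values invented for this example) ---------
# Historical successful logons used only to learn what "normal" looks like.
BASELINE_OS_LOGS = [
    "2024-03-01T09:02:11Z host=ws-17 user=alice event=logon_ok src=10.0.5.23",
    "2024-03-01T13:40:51Z host=ws-17 user=alice event=logon_ok src=10.0.5.23",
    "2024-03-02T08:55:03Z host=ws-17 user=alice event=logon_ok src=10.0.5.23",
    "2024-03-02T17:10:30Z host=ws-17 user=alice event=logon_ok src=10.0.5.23",
]
# The window currently under analysis, from three differently formatted sources.
OS_LOGS = [
    "2024-03-04T02:13:05Z host=ws-17 user=alice event=logon_ok src=203.0.113.9",
    "2024-03-04T09:01:44Z host=ws-17 user=alice event=logon_ok src=10.0.5.23",
]
FW_LOGS = [
    "Mar 04 02:12:58 fw1 DENY SRC=203.0.113.9 DST=10.0.0.5 DPT=445",
    "Mar 04 02:12:59 fw1 DENY SRC=203.0.113.9 DST=10.0.0.6 DPT=445",
    "Mar 04 11:30:00 fw1 DENY SRC=198.51.100.7 DST=10.0.0.5 DPT=22",
]
CLOUD_LOGS = [
    '{"eventTime":"2024-03-04T02:14:30Z","userIdentity":"alice",'
    '"eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.9"}',
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def _iso(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_os(line):
    """'<iso-ts> key=value ...' -> normalized event."""
    ts, rest = line.split(" ", 1)
    kv = dict(KV_RE.findall(rest))
    return {"ts": _iso(ts), "source": "os", "user": kv.get("user"),
            "src_ip": kv.get("src"), "action": kv.get("event")}


def parse_fw(line, year=2024):
    """Syslog-style line without a year; the year is assumed for the example."""
    p = line.split()
    ts = datetime.strptime(f"{year} {p[0]} {p[1]} {p[2]}", "%Y %b %d %H:%M:%S")
    kv = dict(KV_RE.findall(line))
    return {"ts": ts.replace(tzinfo=timezone.utc), "source": "fw", "user": None,
            "src_ip": kv.get("SRC"), "action": p[4].lower(), "dport": int(kv["DPT"])}


def parse_cloud(line):
    """One JSON audit record per line -> normalized event."""
    rec = json.loads(line)
    return {"ts": _iso(rec["eventTime"]), "source": "cloud",
            "user": rec["userIdentity"], "src_ip": rec["sourceIPAddress"],
            "action": rec["eventName"]}


def build_baseline(events):
    """Per-user set of UTC hours in which successful logons were observed."""
    hours = defaultdict(set)
    for e in events:
        if e["action"] == "logon_ok":
            hours[e["user"]].add(e["ts"].hour)
    return hours


def correlate(events, baseline, window=timedelta(minutes=5)):
    """Flag logons outside the user's usual hours; raise severity when the same
    source IP is seen in a different data source within the time window."""
    findings = []
    for e in events:
        if e["action"] not in ("logon_ok", "ConsoleLogin"):
            continue
        if e["ts"].hour in baseline.get(e["user"], set()):
            continue  # consistent with baseline, not a deviation
        related = [o for o in events if o is not e and o["src_ip"] == e["src_ip"]
                   and abs(o["ts"] - e["ts"]) <= window]
        sources = sorted({o["source"] for o in related} | {e["source"]})
        findings.append({"user": e["user"], "src_ip": e["src_ip"],
                         "at": e["ts"].isoformat(), "sources": sources,
                         "related": len(related),
                         "severity": "high" if len(sources) > 1 else "medium"})
    return findings


def run():
    baseline = build_baseline([parse_os(l) for l in BASELINE_OS_LOGS])
    events = ([parse_os(l) for l in OS_LOGS] + [parse_fw(l) for l in FW_LOGS]
              + [parse_cloud(l) for l in CLOUD_LOGS])
    return correlate(events, baseline)


if __name__ == "__main__":
    for f in run():
        print(f)
```

With the constructed input, the 09:01 logon from the usual internal address is silently accepted because it matches the baseline, while the 02:13 OS logon and the 02:14 cloud console login from 203.0.113.9 are each flagged as high severity because the same address also triggered firewall denies seconds earlier. The firewall deny from 198.51.100.7 on its own produces no finding, which is the point of correlation: a single noisy source does not become an alert until it lines up with a deviation from baseline.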
Most importantly, because MDR focuses on the link between its own experts and the partner organization's team, it largely avoids the pitfalls of unmanaged security software deployments. If the partner organization needs a specific type of data to be treated as higher risk than usual, or needs a particular requirement of its network or software environment to be met, it can simply bring this to the attention of the MDR team, whose primary goal is to customize and refine the service offering.
How to select the best MDR offering?
So, how do you identify the best MDR solution for your environment and avoid the pitfalls of poor security solution selection? There are a number of elements that need to be weighed:
- What technology is offered as part of the MDR solution? Not all bundles offer the same level of protection and it's important to do as close to an apples to apples comparison as possible.
- Is there an opportunity to recognize cost savings by eliminating existing security expenditures? MDR solutions will vary in their ability to allow you to eliminate existing tools and maximize your investment.
- Where is your data being stored? Some MDR companies use international hosting providers; with GDPR and CCPA in force, you need to understand where your data lives.
- What level of Incident Response (IR) experience does your MDR vendor have? A critical part of your MDR service is the vendor's ability to capably guide you through an incident should one occur.
MDR is an invaluable addition to an organization’s defense in depth security strategy. With careful deliberation and appropriate due diligence, selecting the best MDR solution for your organization will result in increased environment visibility and effective cybersecurity risk management.
Ingalls Information Security
Ingalls Information Security is a specialized cyber defense company with a mission to prevent and respond to data security breaches. Our consultants, analysts, and engineers are certified and experienced professionals with diverse backgrounds ranging from military and defense intelligence to network security and information technology, giving us domain dominance and a leading edge in cyber defense.
Our Managed Detection and Response (MDR) service is designed for advanced detection, threat hunting, anomaly detection and response guidance utilizing a defense-in-depth approach. We do this by utilizing the very latest in cloud, big data analytics technology, and machine learning along with the cybersecurity industry’s leading incident response team, to identify threats to your environment.