Managed Detection and Response (MDR) services can help ameliorate these challenges by providing the people, processes, and technologies in a turn-key way to strengthen an organization’s security posture and reduce its risk exposure. This buyer’s guide assesses today’s MDR market space and the key criteria for selecting a suitable MDR partner.
Focusing on MDR Outcomes
Your MDR provider search should begin with a disciplined self-assessment of the outcomes you want to achieve with an MDR service. In addition to preventing breaches, what other specific outcomes should you hope to achieve? Here are the key outcomes that justify the need for MDR:
One drawback of the defense-in-depth approach to security has been the rapid proliferation of stove-piped security tools ingesting billions of events and churning out thousands of alerts daily. Many are false positives, which must still be triaged, investigated, and resolved by over-burdened security teams.
An MDR partner should be able to minimize this noise by continuously tuning and updating detection analytics and rulesets so that only true positive alerts are prioritized for investigation. It can also help identify and close gaps in your security architecture by correlating detection events with events reported in threat intelligence feeds or mapped to the tactics, techniques, and procedures (TTPs) cataloged in the MITRE ATT&CK framework.
Minimizing Dwell Time
An MDR provider should help minimize attacker dwell time by rapidly identifying threats and indicators of compromise (IoCs) concealed within your endpoint, network, and cloud system telemetry. As evidence, they should convincingly demonstrate their ability to optimize metrics such as Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) through multiple methods such as ongoing threat research, detection engineering, automation, and analyst training.
An MDR provider should also help prevent an initial intrusion from escalating into a catastrophic breach by moving swiftly to contain and remediate threats. This may include such tasks as terminating malicious processes, removing persistence mechanisms from the file system or Windows registry, and isolating compromised systems from the network.
Incident Response Support
Organizations often make the mistake of waiting until a breach is discovered before bringing in IR experts. By that time, business interruption may have already occurred, and the goal is simply to understand what happened and limit further damage. If an intrusion is suspected, bringing in this expertise as early as possible puts you ahead of the attacker, letting you contain the threat and identify related malicious activity on other systems. Having an IR team working hand-in-hand with the SOC team streamlines the threat investigation, remediation, and recovery processes. However, most MDR providers today subcontract IR support to a third party, which can introduce unacceptable delays in response and remediation and can result in finger-pointing between the MDR vendor and its subcontractor. Common causes of critical delays in these scenarios include getting the IR team up to speed and having to deploy a new set of agents capable of running adequate remote live forensics.
Types of MDR Providers
MDR is a growth market that many security firms are attempting to enter, so it’s often helpful to consider how well a company’s core business competencies align with its MDR claims.
Evaluating MDR Providers
It's important to evaluate MDR service providers based on their maturity, scope of services, and alignment with the outcomes you identified.
Key Questions for MDR Service Providers
How long have you been offering dedicated MDR services?
It takes years to develop the people, processes, and technologies required to provide clients with a comprehensive MDR service. The answer will help you distinguish MSSPs and product vendors from pure-play MDR providers with mature offerings and reputations for proven performance.
It’s important to distinguish early between providers with an MSSP history and those with an actual MDR history. Providers with an MSSP history have had to move away from the typical approaches of “ticket counting”, service-level-driven monitoring, and a black-box service model. The work is less about throwing opaque alerts over the fence to the in-house team and more about delivering key security outcomes.
MDR providers should be poised to respond no matter what, all day every day. This shift in mindset means many MSSPs lag behind pure-play MDR providers in their ability to deliver high-touch engagement, high-fidelity threat detection across all areas of the environment (endpoint, network, and cloud), and effective incident response.
In addition to SOC analysts, what other professionals are on staff to enhance the scope and quality of MDR service delivery? For example, does the vendor have malware engineers deconstructing zero-day malware? Are dedicated detection engineers available to update and refine rulesets based on changes to the threat landscape?
You can distinguish the providers that have genuinely invested in their services by checking whether they have diverse skill sets spread across highly integrated teams.
What data sources and telemetry does your team monitor and analyze?
The answer will provide essential clues about the depth of the provider’s detection and response capabilities. MSSPs and product vendors are likely to focus on only a limited set of telemetry, impairing their ability to trace a kill chain. In contrast, experienced MDR providers routinely monitor telemetry and alerts across the digital estate, including endpoints, networks, cloud systems, and Software-as-a-Service (SaaS) applications, using a unified threat management platform.
An MDR platform should integrate seamlessly with your existing technology stack (SIEM, EDR, NDR, Cloud, etc.). MDR providers should preserve the value of your current security investments where possible while providing the flexibility to incorporate new tools and technologies as your business and IT infrastructure evolve.
Indicate what level of response you provide as part of your standard MDR service. What role will your MDR team play in remediation and recovery?
Establishing whether an MDR provider will stop at containment rather than removing the malware and understanding the root cause could make or break your business.
Under what circumstances will your MDR candidate take responsibility for actively containing and remediating an incident, or will they merely offer recommendations for you to implement?
Critical response time can be squandered if you alone are responsible for executing and validating containment recommendations. Importantly, how does the provider support incidents that involve unusual issues such as insider threats or mobile devices? Can the provider offer on-site or laboratory services for physical devices?
Equally, if the provider subcontracts incident response to a third-party supplier, what level of business understanding, communication, and timing should be expected? Consider eliminating providers that offer only a minimum response and focus on those who will go beyond containment to understand the root cause and remediate the threat.
What is your methodology for introducing new use cases and achieving continuous improvements in detection accuracy?
Today, many traditional providers rely on the default detection rulesets included by their preferred EDR and SIEM product vendors. Some make minor modifications to those rulesets in response to new threat advisories.
Look for information on how the provider uses the MITRE ATT&CK framework and threat intelligence to tune these rules. Some will say they use these internally, but more proficient providers can give you a live mapping of your MITRE ATT&CK coverage to help you understand the scope of their services and demonstrate that they are on top of your unique threat profile.
A Real-Life Example
Kroll has developed an agile process for continuously developing and tuning detection rulesets based on the latest threat intelligence. For example, on December 10, 2021, a critical vulnerability was discovered in the widely used Apache Log4j Java logging library, one that attackers could exploit to compromise tens of thousands of systems worldwide. That same day, the Kroll Applied Intelligence team notified clients of the vulnerability and provided recommendations to patch and ensure detection coverage. Shortly after, they had created 60 custom detection rules to mitigate the threat for customers.
How do you use threat intelligence and hunting to identify potential threats and inform your service delivery?
You should be able to lean on your MDR provider for ongoing insight into the latest threats that may affect your business, and the provider should turn this intelligence into active detection, hunting, and response efforts.
Threat intelligence needs to be as wide as it is deep: wide enough to include a variety of organic, open-source, and proprietary sources, and deep enough to identify not just known attacker indicators such as an IP address, internet domain, or file hash (referred to as Indicators of Compromise, or IOCs), but the actual methods and behaviors used by attackers, known as Tactics, Techniques, and Procedures (TTPs). This kind of intelligence requires access to dark web forums, live incident response and forensic analysis, and exposure to both cybercriminal and nation-state activity.
Key to this is ensuring the MDR provider has an adversary-driven mindset, or has teams beyond its core SOC that engage with live attacker campaigns and use that information to update detections frequently. This requires tight integration between threat intelligence analysts, malware analysts, and detection engineers.
Many MDR services equate threat hunting with the reactive process of investigating high-risk alerts and incidents. In contrast, proactive threat hunting is a cyclical, hypothesis-driven process that assumes an undiscovered breach of an unknown type has already occurred. Threat hunters possess the experience and adversary mindset to ensure malicious activity and advanced persistent threats are surfaced, traced, and remediated efficiently. As noted in NIST Special Publication 800-53, public and private sector organizations should view proactive threat hunting as an “enhanced security requirement.”
Ask your provider about the difference between ongoing threat monitoring across all of its customers and proactive, bespoke threat hunting tailored to your organization.
How do you ensure the transparency of your service delivery and processes?
Your MDR partner should provide you with a nominated team that acts as the point of contact for both strategic security advice and service-related queries. This will enable you to stay informed about overall service quality as well as the provider’s view of your security posture. MDR providers should offer a service portal that acts as a unified view of alerts and incident activity across your digital estate, along with self-service features for tracking service requests, KPI-driven reporting, and defined response playbooks.
Choosing an MDR partner begins with objectively defining what you want to achieve from the service. What gaps exist in your security program and skill sets? What outcomes are you hoping to realize?
Having defined these expectations, you can begin assessing potential MDR partners. The questions above will help you distinguish candidates by type, service maturity, expected outcomes, global footprint, and much more. Once you have a short list, consider intangibles, such as the vendor’s reputation in the industry, ancillary and related services, and degree of alignment with your business culture.
Kroll leverages its unrivaled IR experience and frontline intelligence to run a round-the-clock global MDR service that provides active response using seasoned incident responders, not just monitoring analysts. In 2014, Redscan, now a part of Kroll, became one of the first full-service MDR providers, pioneering the approach of layering custom detection analytics and hunting procedures over the security tooling (EDR, SIEM, NDR, etc.), investigating the threats, and responding on behalf of the customer. Today, Kroll Responder is one of the only solutions in the market that delivers MDR with what we call “Complete Response”.
At Kroll, we believe the ‘Response’ aspect of MDR shouldn’t leave you hanging. Our response goes as far as you need it to, closing the gap between merely containing the threat and actively removing it across all affected systems, then quickly understanding the root cause to ensure it doesn’t happen again. Our Responder MDR service is backed by the same Kroll IR experts who handle thousands of high-profile breach investigations annually. We extend that service to our customers, which means they get the value of remote digital forensics and incident response without the additional cost.