lock

How to choose an MDR vendor: 6 questions to ask

To reap the benefits of a Security Operations Center (SOC), most small-and-medium-sized businesses (SMBs) will have to turn to Managed Detection and Response (MDR) services.

The reasoning is simple: A fully staffed, 24×7 SOC could easily cost more than $1 million—and that’s not even including the price of the tools SOC analysts use to find threats, including a SIEM, SOAR, and EDR.

With MDR, however, SMBs have access to a round-the-clock team of experts to monitor and prioritize alerts, stay on top of the latest adversary tools, techniques, and procedures (TTPs), and quickly remediate threats as necessary, among other things. 

But there’s a ton of MDR vendors out there to choose from. To help narrow down the field of providers, SMBs interested in MDR service should be asking vendors several key questions. 

Let’s dive into it!

1. What are the breadth of threat detection and response capabilities? 

MDR services are powered by two main things: the technology and the experts operating that technology. Both should complement one another. Think of it this way: You would never send in a master swordsman into battle wielding a pool noodle. 

Look for an MDR service that empowers its top-tier analysts with top-tier EDR, and refer to independent tests (such as MITRE, G2, and MRG-Effitas) to see how the EDR used by your MDR service stacks up to the rest. 

Additional questions to ask:

  • How does the false positive rate of their EDR compare to the industry standard?
  • How often do they update the threat definitions on their EDR software agents?
  • Do they support all the threat EDR response requirements such as network, process, and desktop isolation, as well as automated remediation and rollback of ransomware encryptions so you can restore access to your files?

2. Do they do threat enrichment via SIEM?

A SIEM solution enriches threat analytics with endpoint alerts, correlated with log events and network flow, providing greater context that enables an MDR team to efficiently identify critical threats and IOCs.

Additional questions to ask:

  • How many and which type of security data sources does the MDR vendor use to monitor and identify threats?
  • Does the vendor use MITRE data, network, and third-party threat intelligence feeds to enrich their threat intelligence telemetry data and increase their threat detection effectiveness?

3. How easy is EDR deployment and onboarding?

For MDR analysts to be able to collect crucial security information from your endpoints, you’ll need to install EDR agents on your workstations, servers, and so on. EDR agents monitor activity on the host and send this information back to the MDR team. 

Since the MDR delivery platform is a centrally managed, multi-tenant cloud platform, you also have to create a service account to have access to log management, orchestration, real-time analytics, and a user interface (UI) dashboard. 

You’ll want to make sure that your vendor offers a quick and easy EDR agent set-up, and that the process to get started using a service account is nice and streamlined.

Additional questions to ask:

  • What’s the typical amount of time to install the endpoint agents on machines? Is it a process that can be done in days or will it take weeks?
  • Once the endpoint agent is set up, how much time will it take to establish a baseline profile for alerts?
  • How long will it take before the MDR can enable communications with your internal IT security team?

4. Do they have threat hunting expertise?

Threat hunting is a cybersecurity technique where threat hunters scour networks, systems, and devices for anomalies to proactively search for cyber threats—and it’s a key part of an effective MDR solution. 

Threat hunting typically includes two essential functions in the delivery of MDR services. The first one is research-based threat hunting where security analysts look, or “hunt,” for known attackers or adversarial behaviors listed in threat intelligence services. The second approach is active threat hunting, where security analysts systematically review your organization’s environment to uncover any current suspicious activity or newly emerging IOCs that are in progress.  

Depending on an MDR’s service levels, they may only provide threat hunting based on an identified threat, so you should dig into the fine print here to select an MDR offering that offers both active and research-based threat hunting. 

Additional questions to ask:

  • How many security analysts will be supporting your organization?
  • Does the MDR vendor have cyber security practitioners with well-established and seasoned pedigrees?
  • Do you have strong confidence in the MDR vendor’s ability to identify all levels of threats and swiftly deliver appropriate incident response efforts?

5. How do they plan on communicating with you? Do they do reporting?

Transparent and consistent communication, where MDR analysts share details about their threat detection and response activities, is vital to have in a MDR vendor.

As part of this communication, you should receive summary reports that an MDR provider makes available either via a central dashboard or email. This empowers you to deeply understand what’s happening in your environments and provides the opportunity to make other improvements to your security posture. 

Equally important, these reports allow you to assess the quality of service you are receiving from your MDR provider and to see how the MDR provider is responding to detected threats.

Additional questions to ask:

  • What method will the MDR team use to communicate with you and how often?
  • Can your team easily connect with the MDR service provider when you need support? How about outside of business hours?
  • Are you satisfied with the level of communication offered by the vendor? Does it align with your business needs?

6. Is the pricing affordable?

There’s no question that the ROI of an MDR service is huge: if we assume the average error or threat costs $5,000 to fix, you’re getting a good bang for your buck if your MDR service costs less than that monthly. 

Still, many MDR vendors can charge widely different rates. Some have better security and features than others and charge higher amounts, while others have fewer features embedded for cheaper. 

The features in the cheaper options, however, still might be more enough for your business needs—be wary of vendors looking to upcharge you saying you “need” certain features. Choosing the more economical option will save you a ton of money in the long run and still provide ample protection for your business.

Additional questions to ask:

  • Does the MDR vendor provide transparent and cost-effective pricing? Is it competitive and does it fit within your company’s budget?
  • Is the pricing model easy to understand so you can forecast for your annual security budgets?

Still not sure about MDR? Download our Buyer’s Guide

Cybersecurity is a team sport. It’s time to find your Player 2 (3, 4, and 5).

The MDR Buyer’s Guide helps you identify the critical MDR capabilities you need to bulk up your squad and meet your cybersecurity goals.

Download the MDR Buyers Guide today.