Managed Detection and Response (MDR) Service Provider Checklist

When it comes to cybersecurity, it’s no longer a matter of if you’ll get stacks, but when. That’s why so many security pros are turning towards Managed Detection and Response (MDR).

This checklist provides a comprehensive overview of 10 critical capabilities to look for in an MDR service provider – read on to unlock the full checklist.

Content Summary

Cloud-Native Platform
Co-Managed SIEM
24/7 Global SOC Services
Advanced Threat Detection
Proactive Threat Hunting
Automated Response
Risk Management
Suite of Security Services
Case Management
Compliance

In cybersecurity, it’s no longer a matter of if you’ll get attacked, but when. That is why partnering with a Managed Detection and Response (MDR) service provider is one of the fastest growing trends in enterprise security. But what do you look for in a partner and how do you know if you’re getting the most effective security service? Review our MDR checklist to find out.

Percentage of business leaders feel their cybersecurity risks are increasing 68%.

Hackers attack every 39 seconds, on average 2,244 times a day.

Breaches by Vertical: 15% Healthcare Organizations, 10% Financial Industry, 16% Public Sector.

Cloud-Native Platform

MDR service providers that leverage cloud-native architectures are better positioned to deliver flexible and scalable services. These next-generation platforms collect and enrich telemetry from a wide variety of data sources and provide investigators with fast search capabilities. This also provides an easier on-boarding so clients can quickly leverage the provider’s advanced security technologies and begin to receive more effective alerts for critical threats.

Co-Managed SIEM

Many organizations want the flexibility to own and control their own SIEM and log retention infrastructure. MDR service providers should support a hybrid model that complements popular SIEMs, like Splunk, with 24/7 security monitoring, advanced threat analytics, and SIEM administration services, helping clients to enhance and maximize the value in their SIEM investment. Ideally, companies can easily migrate from a fully managed cloud service to a co-managed SIEM model without changing processes or relearning tools and dashboards.

24/7 Global SOC Services

Critical security events can occur at any time, day or night, including weekends and holidays. Look for a partner who has a team of security experts investigating suspicious events, hunting for targeted attacks, and providing remediation advice on a 24/7 basis. Selecting an MDR provider with global SOCs not only means they can attract and retain better qualified security staff, but also have a more complete view of the threat landscape, catching new threats that affect local regions or verticals and applying it to the global organizations, before the cyberthreats become prevalent in other areas.

Advanced Threat Detection

Industry leading MDR service providers use a combination of people, processes, and technology to accurately detect and prioritize indicators of attack or compromise. Components of advanced threat detection should include threat intelligence, use case analytics, business context modeling, MITRE ATT&CK framework, and 24/7 investigations by security experts.

Proactive Threat Hunting

Threat hunting can be an effective way to detect targeted attacks. The traditional approach is dependent on experienced cyber professionals building hypotheses that model the attack techniques and tactics used by adversaries. While that still plays a critical role, many MDR providers today are improving the effectiveness of threat hunting by adding a machine learning element to their hunt for better security intelligence and increased accuracy.

Automated Response

One of the biggest differentiators of MDR service providers is their ability to automatically respond on behalf of their clients. This capability allows for faster response to credible threats and doesn’t rely on the internal team to make critical changes. By using a client’s perimeter or endpoint platforms to automatically trigger response actions, you can quickly contain attacks before they cause damage. More advanced providers can extend the integration of collection, detection, and response functions to technologies including DNS, authentication, WAF, and the cloud.

Risk Management

Understanding your organization’s cyber risk is a high priority for senior management and Boards. Look for an MDR provider who gives you continuous visibility into your security posture and measures your cyber risk compared to others in your peer group. It is also important to have an assigned team of security experts available to look at the strength of your security controls and help identify gaps in your threat protection.

Suite of Security Services

For organizations that lack the internal resources to manage their security products, some MDR service providers have the capability to manage essential tools such as next-generation firewalls, endpoint software, and cloud security tools that keep them running to vendor recommended standards. This managed infrastructure service helps off-load work from internal IT teams, allowing them to focus on other tasks, and maximizes the value of investments in technology. Additionally, providers may provide add-ons such as Vulnerability Management or other professional services, that provide clients with a well-rounded security solution.

Case Management

Having easy access to your notifications and details of the alerts is critical. Many MDR providers use an ITSM tool for case management and workflow automation, often with bi-directional integration, to create closer connections between a company’s IT team and their MDR service provider’s security team. This allows you quick access to their team if necessary and enables better visibility into the service provider’s actions and SLA metrics, so that you can always keep track of how your provider is performing.

Compliance

Many organizations must adhere to compliance mandates and regulations like PCI, HIPAA and GDPR. To help achieve this, MDR service providers should have the flexibility to collect and archive log data in their client’s preferred location, for a range of retention periods. Service providers should also provide their clients with customizable dashboards and reports that monitor key metrics and possible policy violations that pertain to compliance mandates. Leading providers achieve internal compliance certifications, such as SOC 2 Type 2, demonstrating they adhere to strict information security policies and procedures required to protect confidential data.