Even with the best preventative security technologies in place, no organisation can completely eliminate the risk of suffering breaches. Being able to detect and respond to threats as swiftly as possible is now essential.
Traditional Managed Security Service Providers (MSSPs) have long proved popular with organisations looking to bolster their threat monitoring and alerting capabilities.
The problem with legacy MSSPs, however, is that the level of threat visibility and remediation support they provide can often prove insufficient. With in-house resources stretched, organisations using MSSPs may find that they don’t receive the support they require when they need it most.
A Managed Detection and Response (MDR) service goes well beyond the scope of an MSSP by providing organisations with the specialist expertise, technology and intelligence to identify, contain and eliminate the most complex and persistent of threat actors before they cause damage and disruption.
Gartner predicts that by 2020, 15% of organisations will be using MDR, up from 5% today. Gartner does, however, advise companies to exercise caution when selecting an MDR provider, with many traditional MSSPs claiming to offer MDR-type services without the necessary toolsets and insights to do so.
This blog outlines the key criteria organisations should use to help evaluate service providers plus differentiate MDR companies from legacy MSSPs.
1. Extensive security expertise
By supplying the personnel needed to monitor networks and endpoints 24/7, managed security services act as an extension of in-house resources, helping organisations to bridge the cyber resource and knowledge gap.
When choosing a managed service, it’s important to select a company with an in-depth understanding of the cyber threat landscape, the tactics used by adversaries and the tools that can be used to defend against them.
Legacy managed service providers often employ generalist support staff who lack the specialist skills and knowledge required to closely monitor organisations’ cyber security and investigate incidents. It’s essential to look for an MDR provider that prioritises staff training, has a wide range of security accreditations, and is experienced at using multiple threat detection technologies.
It is also important to look for a provider that demonstrates a strong focus on customer service and service delivery. Unlike many MSSPS, top MDR companies work hard to develop a detailed understanding of their clients’ networks and security risks. This ensures they deliver the tailored insight and advice needed to proactively detect and respond to threats.
2. The latest security technologies
With so many cybersecurity technologies on the market to help organisations prevent, detect, contain and remediate threats, it can be difficult and time-consuming to evaluate the options and select the right solution(s).
Most organisations need a range of security technologies to protect their environments, but simultaneously managing and monitoring multiple disparate systems is a challenge. What’s more, with threats continually evolving, expensive technologies can quickly become obsolete.
Buyers should look for a managed security service that offers a wide range of detection technologies, including SIEM, IDS, EDR, vulnerability scanning and behavioural monitoring, to provide extensive network and endpoint visibility in order to identify and respond to threats in their infancy.
Many service providers work solely with specific, rigid technology sets. Working with an MDR provider that has a vendor agnostic approach to technology will provide confidence that any solutions deployed will be best suited for each environment.
Managed security services with orchestration and automation (SOAR) capabilities will be able to aggregate and contextualise the vast amounts of alerts generated by security technologies and consolidate them into a single platform, removing the time consuming task of having to pivot between multiple systems.
To further improve efficiency, some providers offer dev ops capabilities and can integrate their services into client workflows and ticket management systems.
3. Actionable security outputs and insights
One of the most common criticisms of traditional managed security services is that they fail to deliver tangible insight and guidance, with many MSSPs accused of simply ‘passing alerts over the wall’.
MDR provides much more than just observation and monitoring, offering a more proactive and outcome-focused approach to threat discovery and remediation. MDR providers go far beyond the scope of traditional MSSPs, utilising the latest tools and intelligence to provide actionable insights and analytics for improved incident awareness and swifter, more reliable decision making.
4. Proactive threat hunting
With threats now more persistent, sophisticated and evasive than ever before, the passive monitoring approach favoured by MSSPs is increasingly ineffective.
MDR providers call on the services of real-time threat hunters, who use the latest behavioural analytics and up-to-the minute security intelligence to proactively hunt for new types of threats which evade existing defences.
By baselining and optimising a range of technologies, including AI, UEBA and machine learning tools, configuring custom rulesets and watchlists to flag specific behaviours, and performing deep forensic analysis, threat hunters are able to rapidly identify indicators of compromise (IOCs) and break the kill chain of attacks.
5. Integrated incident response
Without a high level of support and advice on how to respond to and remediate incidents when they are identified, organisations using MSSPs are often left in the lurch, unable to react quickly enough to breaches to limit damage and disruption
MDR providers place a heavy focus on incident response, providing detailed incident notifications, reports and remediation guidance to ensure threats are shut down rapidly, before they have a chance to spread.
Buyers should look for an MDR company that has EDR capabilities to isolate and contain threats, incident playbooks to support swift response to a wide range of threat scenarios and can also provide additional virtual or onsite support to assist with high-priority incidents.
6. Fast and flexible deployment
No two IT environments are the same, with many organisations adopting a combination of public and private cloud, hybrid and virtualised infrastructure. Protecting fragmented and constantly changing environments can be challenging, but security and efficiency needn’t be mutually exclusive.
To ensure hassle-free service deployment, it’s important to seek out a provider who can rapidly deploy their solution, tailor it to specific client requirements and scale it to meet changing business needs. These are areas where traditional MSSPs can often fall short.
With more and more organisations using cloud services, businesses investing in managed security services should look for an MDR partner with the specialist knowledge and toolsets needed to achieve threat visibility across AWS, Azure, Office 365, G-Suite, Hyper-V and VMWare environments.
7. Up-to-the-minute security intelligence
Another crucial component of an effective managed security service is high quality security intelligence. A key benefit of an MDR service above that provided by an MSSP is that it typically utilises a broader range of intelligence, combining external threat information with in-house research and first-hand insights from clients across a range of industries.
By utilising a diverse range of intelligence sources, MDR helps organisations to identify adversarial tactics, techniques and procedures (TTPs) and IOCs more effectively and provides deeper and better contextualised security analytics. Quality intelligence is used to help improve detection processes, including the development of correlation rulesets and incident response playbooks.
8. A deep understanding of offensive security
Identifying a partner with offensive as well as defensive security expertise is also highly advisable. Choosing a managed service provider with a purple team mentality can help organisations develop a culture of continuous improvement whereby red and blue team experts work together to maximise the effectiveness of security controls and processes.
The top MDR services offer scenario-based testing to assess the performance of security operations against the attributes of specific types of attacks. Regular scenario-based testing, often aligned to models of offensive security tradecraft such as the MITRE ATT&CK framework, helps to validate the effectiveness of controls and processes and improve threat hunting, breach detection and incident response.
Why choose Redscan?
Redscan is a multi-award-winning provider of managed security, testing and consultancy services.
ThreatDetect™, Redscan’s MDR service, integrates market-leading offensive and defensive security expertise with a wide range of technologies and intelligence sources to help organisations detect and respond to advanced cyber threats across networks and endpoints. Our CyberOps analytics platform, included as part of the service, consolidates all system outputs, intelligence and reporting into a single platform
Offering rapid, flexible and scalable deployment options and a customer-centric and vendor agnostic approach, we work with our clients to deliver the tangible insights needed to significantly improve their cyber security posture and meet compliance standards.