tools, threat intel feeds, third party data
sources and the IT asset database to identify
not only where there is a threat, but its risk
compared to others in the queue.
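As an added illustration of the prioritisation just described (this is example code written for this page, not code from the article or from any MDR provider), the following Python ranks a queue of constructed alerts by combining the detection tool's own severity with asset criticality from an asset database and indicator confidence from a threat-intel feed. The weights, the sample hosts and indicators, and the "unknown host counts as medium" rule are all assumptions; the point it shows is that a critical-severity alert on a lobby kiosk can rightly sit below a medium-severity alert on a production database.

```python
"""Ranking queued alerts by contextual risk rather than raw tool severity.

All data below is constructed for illustration; the scoring weights are
an assumption, not a vendor's method.
"""
from dataclasses import dataclass


@dataclass
class Alert:
    alert_id: str
    host: str          # asset the alert fired on
    indicator: str     # IP/domain/hash the detection tool attached to the alert
    base_severity: int # 1 (low) .. 4 (critical), as assigned by the tool


# Constructed IT asset database: host -> business criticality, 1 (low) .. 5 (crown jewel)
ASSET_DB = {"hr-laptop-07": 2, "db-prod-01": 5, "kiosk-lobby": 1}

# Constructed threat-intel feed: indicator -> confidence 0..100 that it is malicious
THREAT_INTEL = {"203.0.113.45": 90, "evil.example": 60}

UNKNOWN_ASSET_CRITICALITY = 3  # assumption: hosts missing from the asset DB count as medium


def risk_score(alert: Alert, asset_db: dict, intel: dict) -> int:
    """Severity x asset criticality x (100 + intel confidence).

    Integer arithmetic keeps scores exact and easy to compare.
    """
    criticality = asset_db.get(alert.host, UNKNOWN_ASSET_CRITICALITY)
    confidence = intel.get(alert.indicator, 0)
    return alert.base_severity * criticality * (100 + confidence)


def prioritise(alerts: list, asset_db: dict = ASSET_DB, intel: dict = THREAT_INTEL) -> list:
    """Return (alert_id, score) pairs, highest risk first."""
    scored = [(a.alert_id, risk_score(a, asset_db, intel)) for a in alerts]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def unknown_assets(alerts: list, asset_db: dict = ASSET_DB) -> list:
    """Hosts the asset database does not know about: a coverage gap worth
    raising with the provider, since their risk is only guessed."""
    return sorted({a.host for a in alerts if a.host not in asset_db})


# Constructed alert queue, in the order the tools emitted it
QUEUE = [
    Alert("A1", "db-prod-01", "203.0.113.45", base_severity=2),   # medium, but on the prod DB
    Alert("A2", "kiosk-lobby", "203.0.113.45", base_severity=4),  # critical, but on a kiosk
    Alert("A3", "hr-laptop-07", "10.0.0.5", base_severity=3),     # no intel match
    Alert("A4", "unknown-host", "evil.example", base_severity=1), # host not in asset DB
]

if __name__ == "__main__":
    for alert_id, score in prioritise(QUEUE):
        print(f"{alert_id}: {score}")
    print("hosts missing from asset DB:", unknown_assets(QUEUE))
```

Run as a script it prints the re-ordered queue (A1 first, then A2, A3, A4) and the list of hosts the asset database does not know about; when evaluating a provider, that second list is the question to ask: how does their ranking behave for assets your inventory has not catalogued?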
While MDR providers are focused on advanced threats such as lateral movement by hackers, credential theft and escalation, and command and control activity, a good MDR provider won't let less sophisticated attacks slip through its fingers. So, check that a potential partner will investigate all threat types.
4. Don't be afraid to pursue due diligence questions
You'll need to be confident that an MDR lives and breathes security in everything they do. Request a copy of their SOC2 certification or any other third-party security audit, or tour their facilities. A good MDR should also be able to provide you with the qualifications of their security analysts; ideally, ask to speak to one directly so you can come away satisfied that they are skilled, engaged and experienced enough to help your organisation.
5. Transparency is vital
Ask what visibility you'll have into a provider's performance and ask to see examples of actual reports to ensure these make sense to you and your business needs. CIOs/CISOs should have unprecedented transparency into all aspects of the security environment through dashboards and visualisation techniques. All of this will make it easier to communicate with an MDR provider about potential vulnerabilities and threats.
6. Check for industry-specific expertise
Your organisation is likely to face specific threats based on the industry in which you operate – manufacturing is totally different to professional services or construction businesses. This means you'll need to choose a provider with experience and expertise detecting and responding to industry-specific threats, as well as generic threats such as phishing.

Building next-generation capabilities for advanced threat detection and response is a complex endeavour that requires significant investment in time and resources.
It is also important to establish that MDR is the service provider's core competence and that they're not just a general technology company jumping onto the bandwagon.
7. What’s your trust level?
Data and privacy regulations will need to be respected, so it's important to establish that your chosen provider can meet the compliance requirements you need to observe.

When defining any organisational boundary, it will be important to understand the potential for vendor hold-up. Key to avoiding this risk is establishing trust in your MDR provider.
8. Responsiveness is all
Evaluate a potential provider’s
responsiveness throughout the discovery
and sales process.
You need to be certain the provider
you select can operate in a timely manner
with practices that provide the level of
response your organisation expects.
As an extension of your support team,
it will be important that security event
information is communicated quickly and in
a comprehensive way that is understandable
and actionable.
During the evaluation period, check that any promised response time is actually met, and evaluate what out-of-hours threat monitoring looks like. Ask what their threat response protocol looks like in the event of a successful attack.
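One way to turn "check that any promised response time is met" into a concrete check during a proof of concept, as an added example that is not from the article or from any provider: export the tickets the provider raised, compare time-to-acknowledge against the response times they promised per severity, and separately count how the out-of-hours tickets fared. The SLA table, the office-hours definition and all ticket records below are constructed assumptions.

```python
"""Checking an MDR provider's promised response times against the tickets it
actually raised during a proof of concept.

The SLA table, office-hours definition and ticket export are all constructed
for illustration.
"""
from datetime import datetime

# Assumed promised time-to-acknowledge per severity, in minutes
PROMISED_TTA_MIN = {"critical": 15, "high": 60, "medium": 240}

# Assumed office hours: Monday to Friday, 08:00 to 18:00 local time
OFFICE_START_HOUR, OFFICE_END_HOUR = 8, 18

# Constructed ticket export: (ticket id, severity, detected at, acknowledged at)
TICKETS = [
    ("T-1", "critical", "2024-03-04T02:10:00", "2024-03-04T02:22:00"),  # Monday night, 12 min
    ("T-2", "critical", "2024-03-04T10:00:00", "2024-03-04T10:40:00"),  # Monday daytime, 40 min
    ("T-3", "high",     "2024-03-09T23:30:00", "2024-03-10T01:15:00"),  # Saturday night, 105 min
    ("T-4", "medium",   "2024-03-05T14:00:00", "2024-03-05T15:30:00"),  # Tuesday daytime, 90 min
]


def is_out_of_hours(ts: datetime) -> bool:
    """True on weekends or outside the assumed office hours."""
    return ts.weekday() >= 5 or not (OFFICE_START_HOUR <= ts.hour < OFFICE_END_HOUR)


def minutes_to_acknowledge(detected: str, acknowledged: str) -> float:
    """Elapsed minutes between detection and the provider's acknowledgement."""
    delta = datetime.fromisoformat(acknowledged) - datetime.fromisoformat(detected)
    return delta.total_seconds() / 60


def evaluate(tickets: list, sla: dict = PROMISED_TTA_MIN) -> dict:
    """Compare each ticket's time-to-acknowledge with the promised SLA.

    Returns the breached tickets plus an out-of-hours breakdown, since
    night and weekend coverage is where promises most often slip.
    """
    report = {"breaches": [], "out_of_hours_total": 0, "out_of_hours_breaches": 0}
    for ticket_id, severity, detected, acknowledged in tickets:
        elapsed = minutes_to_acknowledge(detected, acknowledged)
        out_of_hours = is_out_of_hours(datetime.fromisoformat(detected))
        if out_of_hours:
            report["out_of_hours_total"] += 1
        if elapsed > sla[severity]:
            report["breaches"].append((ticket_id, severity, elapsed))
            if out_of_hours:
                report["out_of_hours_breaches"] += 1
    return report


def sla_met(tickets: list, sla: dict = PROMISED_TTA_MIN) -> bool:
    """Simple pass/fail: every ticket acknowledged within its promised time."""
    return not evaluate(tickets, sla)["breaches"]


if __name__ == "__main__":
    result = evaluate(TICKETS)
    for ticket_id, severity, elapsed in result["breaches"]:
        print(f"{ticket_id} ({severity}): acknowledged after {elapsed:.0f} min, "
              f"promised {PROMISED_TTA_MIN[severity]} min")
    print(f"out of hours: {result['out_of_hours_breaches']} breach(es) "
          f"across {result['out_of_hours_total']} ticket(s)")
    print("SLA met:", sla_met(TICKETS))
```

In the constructed export, the daytime critical ticket and the Saturday-night high ticket both miss their promised times, which is exactly the kind of evidence to put in front of the provider before signing rather than after.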
9. What's the end-to-end delivery capability?
Receiving security alerts with no context
will just cause more headaches for your
organisation. You need to determine the full
range of capabilities of the provider you’re
considering. Ideally, you need a provider
that can respond to various types of attack,
from the moment the attack occurs to the
point at which the incident has been fully
investigated and your organisation is back
up and running.
Having a flexible and highly capable
MDR provider will be invaluable to your
organisation in a time of crisis. Make sure
you work with a partner that can customise
their output to meet the specific needs of
your organisation – ideally, one that can offer
playbooks and pre-defined workflows that
enable you to quickly assess and remediate
security incidents based on best practices.
10. Be prepared to test a provider's claims
During the proof of concept period, it’s a
good idea to test out an MDR provider to see
if they notice any anomalous behaviours that
would be important to you. If you don’t have
experienced penetration testers on staff,
consider using threat simulation services
from a third party to ensure your potential
provider is up to the job.
Not all MDR providers offer the same
services or technologies, so companies will
need to choose wisely by selecting the one
that is the ideal fit for their organisation’s
size, security controls in place and needs.
You can also ask for proofs of concept to
validate a provider’s claims.