When selecting a vendor for your Managed Detection and Response (MDR) requirements, what are the most critical considerations?
Personally I had always considered that the size of the organisation providing my MDR needs was a strong point in favour of vendors like CrowdStrike, SentinelOne, Rapid7, FireEye etc etc…… Once upon a time there was also a company called “Symantec” (I seem to recall)…..
But MDR is not like a traditional software vendor solution, MDR is providing realtime (or near) Detect and Respond capabilities to an end customer organisation. An MDR solution collects information from many telemetry sources to build up a risk profile (score) that will garner a complete insight into what is occurring within a network – more data sources mean better insights but this comes at a cost….
The problem with more imported telemetry information is there are more dots connected and much bigger data sets. This data is processed using ML, AL rules or algorithms before human expertise might add the final review. More dots means that more false positives start to surface as the AI and ML routines as well as the experts become overwhelmed and then information gets miscategorised.
Miscategorisation is dangerous because “TOO MANY” false positives cause fatigue, leading to Complacency. False positives hide the real issues which start to be drowned out and ignored when they may have in fact need to be actioned urgently to prevent, or stop a breach in progress.
What to do
When looking for an MDR vendor, look for the vendor who will provide the capability that your organisation needs, what is their in-region capability because timezones make a difference. When talking to you vendor ask the important questions and make sure that you will be supported when you need help and build this into your incident response plan, contact numbers and escalation points. This may be a reseller working with the Vendor or the vendor directly.
As the number of incidents increase exponentially as they will, the smaller MDR providers have a uniquely advantageous position, they are faster, they are more nimble and they are able to treat their customers with a higher priority than a large vendor can ever do. The smaller MDR vendors are also able to base their platforms off the latest and greatest in technology to reduce the noise and false positives, there is no doubt that Artificial intelligence has huge ability to change security forever, read here for more. These innovations can not be adopted easily or in their entirety by large vendors as too many “moving” parts have to be changed to work across the huge client base that they have.
Veness recommended that cybersecurity professionals at the smaller, emerging providers as they are learning from the gaps of large vendors. He said that part of the cybersecurity skills gap is that “sometimes the tools we use are a little bit dated and require a very specific subset of skills to bring all that data into effectiveness.” Broadening the pool of vendors you consider can help address that, he said.Jason Veness
This quote is very appropriate, large vendors have legacy to support, this makes using the latest and greatest in AI and ML difficult for them to implement.
The MDR market is a crowded one and the winner will not be a single Vendor but many vendors across the industry, when deciding on who to partner with, remember the important points:
- EDR/XDR/MDR IS necessary, no ifs or buts
- When an incident happens, who will be there to help me?
- Who can I tap on the shoulder if I need to escalate
- Choose the best capability, not the biggest brand – Marketing is inversely proportional to Software Dev.
And consider an in region MDR provider, APAC based MDR providers tend to be closer with the customer because to the regional MDR provider local customers are critically important.
I will be back next week with more details …… exciting stuff is happening!
Linked article below with above quote: