It can be difficult to understand the differences between the various managed detection and response (MDR) services in the market today. But there are several key elements that can help an organization choose the best option for its cybersecurity needs.
Medallia VP of Cloud Security Ray Espinoza singles out the importance of customization, effective alert triage, incident response and threat hunting when selecting an MDR service.
According to Ray, these features augment and build on Security Information and Event Management systems (SIEMs), which are inadequate on their own in today’s security ecosystems.
There’s a growing trend in cybersecurity: Many companies (especially tech companies) are choosing Managed Detection and Response (MDR) services instead of building in-house teams. As organizations of all sizes face increasingly sophisticated threats and attacks, rising security costs, and the prospect of hiring expensive security analysts, they are – by necessity – forced to seek smarter solutions. Whether or not MDR is right for your company depends on where it is in its security journey.
Former Medallia VP of Cloud Security and current Chief Information Security Officer (CISO) at Inspectiv, Ray Espinoza, has spent over 15 years working in security information management.
Over the years, Ray built, managed, and grew a number of security teams — but he also offloaded some capabilities to MDR providers. Ray explains that there are four key components he considered when selecting the right MDR service: customization, effective alert triage, incident response, and threat hunting. These features augment outdated Security Information and Event Management systems (SIEMs), which fail to effectively deal with the huge volume of security alerts most organizations face.
SIEMs Have Significant Limitations
If your business relies solely on a SIEM, you have a problem. The reason is that SIEMs do one thing well: collect large volumes of security data. But after more than two decades, they’ve become a bottleneck to effective threat detection.
SIEMs rely on poring over data to find “bad” (potentially threatening) files. Log aggregation and correlation solutions like Splunk — which has a huge security detection market share — are built on this premise.
But organizations need to determine whether they have the right teams in place to pull data out of their SIEMs. Very few tools highlight data sources in ways human analysts can easily understand. The result is that security teams drown in thousands of daily alerts.
Any SIEM-based success involves spending time fine-tuning these alerts, identifying relevant threats and determining how to find them. But the more data SIEMs collect, the bigger the workload for people. Back in 2008 when Ray built eBay’s security operations center (SOC), “data access” was all the rage. But it was limited to security logs, firewalls, endpoints, and network IDS.
Things have changed now: During triage, SOCs must account for contextual asset- or individual-based information. More data sources make it increasingly difficult to deal with threats in the right way. Ray believes it's possible, but that it requires consistent daily efforts. SOCs need more than SIEMs — they need advanced automation.
MDR services are a great fit for small and midsize security teams
As CISO at [LogicHub customer] Cobalt, Ray scaled the security operations of a small team that needed 24/7 security coverage to identify and defend against threats but didn’t have enough staff power.
Why not? First, it’s extremely hard to find the right people with the right expertise. Mastering new technologies while growing is even harder, especially on a demanding timeline. Staff burnout, attrition, and shortages are a daily challenge for any security operation team. Automating security processes captures valuable tribal knowledge for any individual business, preserving it despite fluctuations in staff and resources.
Ray turned to LogicHub MDR to leverage dedicated SOC expertise that relied on an ongoing feedback loop powered by advanced AI and automation.
What to look for when selecting an MDR service
Capabilities are everything. Today’s SOCs require smart people and advanced tools. Ray provides his key go-tos for an effective MDR (some of which might surprise you):
A great partnership
Operationalizing and building the relationship between an MDR service provider and an organization takes time. You can’t fast-track understanding a company’s operational environment, relevant threats, or specific company requirements. Expect a “getting to know you” period.
Realistic expectations, coupled with the right partner that can grow with an organization, can provide meaningful value.
Both sides need to “lean in” for the partnership to work. MDR vendors that don’t customize their clients’ experiences create additional operational burdens. Team structures and workflows are different across organizations, so coordinating processes together is paramount.
While at Cobalt, Ray found that, after initial augmentation and team maturation, a better understanding of product usage and workflow contextualization is fundamental to building internal SOCs. In fact, it can be integral to success.
Some MDR customers expect vendors to handle every outcome, but understanding how triage playbooks are structured is part of getting the best possible service. This level of interest can help vendors improve alert fidelity.
Defining metrics helps with spot checks and decreases false positive rates, giving better insight into a company’s unique processes and capabilities. A positive feedback loop that improves as analysts and data provide input helps deliver even more value.
No matter how effective any tool, customization matters. Out-of-the-box integrations are important, but so are customized integration capabilities. Edge cases are necessary for MDRs to learn and adapt.
Many organizations use public cloud providers that offer some level of protection against universal threats and events. MDR services aren’t cheap — nor, Ray believes, should they be. They provide critical protection on a full-time basis, which would be cost prohibitive if matched by human efforts.
For custom integrations, a good MDR service is the unrivaled solution.
Effective alert triage
Hundreds or thousands of unfiltered (and very similar) alerts necessitate consolidated, context-rich cases. A seemingly minor alert can turn critical if it affects just two dozen endpoints. Setting baseline expectations about data consumption feedback enables effective triage.
When building in-house security teams, Ray says grouping alerts with appropriate contextualization is key. Useful feedback from engineers and security analysts minimizes false alerts, creating a smooth and painless automated workflow.
Detection and response
Whether you’re using SOAR, XDR or MDR, security operations are about detection and response — automating as much of the latter as possible. For specific alerts, automating the process of gathering context eases triage for both MDR services and the in-house teams a managed service augments. This is especially important for smaller teams.
A good MDR should not escalate non-actionable and non-contextualized cases. Contextualized threats help in-house teams take actions more quickly. Long-term, organizations can look at processes holistically and determine what to automate. Their bottom line demands efficient detection and response.
Ray would rather incentivize his teams to focus on investigating, understanding, and remediating issues rather than measuring how quickly they close tickets. A thousand alerts, each taking 15 minutes and five or more steps, can all be automated. This frees up analysts to spend their time and energy on next-level challenges.
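The triage pattern described in the two sections above, folding near-identical alerts into one case, attaching asset context automatically, raising severity when a minor rule spreads across many endpoints, and suppressing cases that carry no action, as an added Python example. It is not LogicHub's, Medallia's or Cobalt's code; the rule catalogue, asset inventory, scanner allowlist, the 24-host spread threshold and the JSON alert lines are all constructed for illustration.

```python
"""Consolidate raw alerts into context-rich cases and decide what to escalate.

Added example (not LogicHub's, Medallia's or Cobalt's code). The rule
catalogue, asset inventory, scanner allowlist, thresholds and alerts below
are all constructed for illustration.
"""
import json
from dataclasses import dataclass, field

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]

# Constructed rule catalogue: the base severity each detection carries on its own.
RULE_SEVERITY = {
    "failed_login_burst": "low",
    "port_scan_internal": "low",
    "susp_powershell_encoded": "medium",
    "known_malware_hash": "high",
}

# Constructed context an analyst would otherwise look up by hand for every alert.
AUTHORIZED_SCANNERS = {"vscan-01"}  # hosts expected to produce scan-like traffic
ASSETS = {
    "web-01": {"criticality": "high", "owner": "platform", "internet_facing": True},
    "web-02": {"criticality": "high", "owner": "platform", "internet_facing": True},
    "build-03": {"criticality": "medium", "owner": "ci", "internet_facing": False},
}
for _i in range(1, 31):  # a fleet of low-criticality sales laptops
    ASSETS[f"lap-{_i:03d}"] = {"criticality": "low", "owner": "sales", "internet_facing": False}

# Constructed raw alerts in the JSON-lines shape a SIEM or EDR might forward.
RAW_ALERTS = [
    '{"ts": "2023-05-01T10:00:01Z", "rule": "susp_powershell_encoded", "host": "lap-017", "user": "a.lee"}',
    '{"ts": "2023-05-01T10:00:09Z", "rule": "susp_powershell_encoded", "host": "lap-017", "user": "a.lee"}',
    '{"ts": "2023-05-01T10:02:30Z", "rule": "known_malware_hash", "host": "web-01", "user": "svc-deploy"}',
    '{"ts": "2023-05-01T10:03:00Z", "rule": "port_scan_internal", "host": "vscan-01", "user": "-"}',
] + [
    # the same low-severity rule firing once on each of 25 laptops within a minute
    json.dumps({"ts": f"2023-05-01T10:05:{_i:02d}Z", "rule": "failed_login_burst",
                "host": f"lap-{_i:03d}", "user": "unknown"})
    for _i in range(1, 26)
]


@dataclass
class Case:
    rule: str
    hosts: set = field(default_factory=set)
    users: set = field(default_factory=set)
    alert_count: int = 0
    first_seen: str = ""
    last_seen: str = ""
    severity: str = "info"
    disposition: str = "review"  # one of: suppress, review, escalate
    reasons: list = field(default_factory=list)


def bump(severity, steps=1):
    """Raise a severity by `steps` levels, capped at critical."""
    idx = min(SEVERITY_ORDER.index(severity) + steps, len(SEVERITY_ORDER) - 1)
    return SEVERITY_ORDER[idx]


def group_alerts(lines):
    """Fold near-identical alerts into one case per rule instead of one ticket each."""
    cases = {}
    for line in lines:
        alert = json.loads(line)
        case = cases.setdefault(alert["rule"], Case(rule=alert["rule"]))
        case.hosts.add(alert["host"])
        case.users.add(alert.get("user", "-"))
        case.alert_count += 1
        case.first_seen = min(case.first_seen or alert["ts"], alert["ts"])
        case.last_seen = max(case.last_seen, alert["ts"])
    return cases


def enrich_and_decide(case, spread_threshold=24):
    """Attach asset context to a case and decide whether it is worth an analyst's time."""
    case.severity = RULE_SEVERITY.get(case.rule, "medium")
    # Known-benign source: scan alerts coming only from authorised scanners are noise.
    if case.rule == "port_scan_internal" and case.hosts <= AUTHORIZED_SCANNERS:
        case.disposition = "suppress"
        case.reasons.append("all source hosts are authorised scanners")
        return case
    # Spread: a minor rule firing across many endpoints is a different problem.
    if len(case.hosts) >= spread_threshold:
        case.severity = "critical"
        case.reasons.append(f"{len(case.hosts)} distinct hosts affected")
    # Asset context: touching a high-value or internet-facing host raises the stakes.
    contexts = [ASSETS[h] for h in case.hosts if h in ASSETS]
    if any(c["criticality"] == "high" or c["internet_facing"] for c in contexts):
        case.severity = bump(case.severity)
        case.reasons.append("involves a high-criticality or internet-facing asset")
    unknown = sorted(h for h in case.hosts if h not in ASSETS)
    if unknown:
        case.reasons.append(f"hosts missing from inventory: {unknown}")
    escalate = SEVERITY_ORDER.index(case.severity) >= SEVERITY_ORDER.index("high")
    case.disposition = "escalate" if escalate else "review"
    return case


def triage(lines, spread_threshold=24):
    """Run the whole pipeline and return cases keyed by rule."""
    return {rule: enrich_and_decide(case, spread_threshold)
            for rule, case in group_alerts(lines).items()}


if __name__ == "__main__":
    for case in triage(RAW_ALERTS).values():
        print(f"{case.disposition:8} {case.severity:8} {case.rule:25} "
              f"alerts={case.alert_count:2} hosts={len(case.hosts):2} {'; '.join(case.reasons)}")
```

Running it turns 29 raw alerts into four cases: the 25 low-severity login-failure alerts become one critical case because of their spread, the malware hit on an internet-facing web server is escalated on asset context, the two PowerShell alerts on a single low-value laptop stay at medium for review, and the scanner's port-scan alert is suppressed with the reason recorded. The reasons list is what makes the case "contextualized" for the analyst who receives it; in a real deployment the inventory and allowlist would come from a CMDB or asset service rather than constants.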
Ray admits that he fell prey to the myth of the super ninja threat hunter with a sixth sense. He soon experienced the more prosaic reality: mapping threats and utilizing data sources to understand the presence of environmental threats before establishing whether to build a solution in-house or seek an MDR provider.
Not every MDR correlates threat intelligence from various sources. But human analysts behind an excellent MDR service utilize solutions for issues affecting other customers to proactively hunt and eliminate threats.
We are proud that our customers treat our SOC team as partners. We have open communication and dedicated 24/7 support to follow up on any concerns with “can-do” actions. In turn, we benefit from repeat business.
Customer satisfaction should never be an afterthought. With LogicHub, you’re a valued partner — and a valuable resource.