If you’re in the market for a Managed Detection & Response (MDR) service provider, what you’re really looking for is a partner. Your MDR company should be transparent in what they do and what they don’t do. Many times, people are promised the world and then find out that’s not quite the reality. We want to help you ask the right questions and find the right fit.
Transparency about capabilities is an essential first step. You can weed out some candidates with softball questions.
- Can they explain their technology stack and how they look at alarms?
- How do they do threat hunting?
- What kind of trends are they seeing?
A solid MDR partner should be able to speak to what they’re seeing with ransomware and malware, common threats they’re responding to every day, and how the technology stack they have in place assists them with finding and mitigating issues.
Will your MDR candidate give you access to the platform should you want it? An MDR provider shouldn’t obscure or keep anything secret.
At Agio, we believe in complete transparency and access for our clients. It’s true. Ask us. We’re more than happy to share our processes with you. Our commitment to openness has empowered all our business leaders to tell clients what we’re doing and what we’re not. On the MDR side, we’re very clear with our clients about what products we use. We explain our road map, and we share what we’re hearing from other clients.
Don’t be shy about asking what an MDR shop can and can’t do. When you’re talking to any provider, they’ll sway the conversation in favor of the remarkable problems they’re solving. That’s great, but you should be equally interested in what they’re not doing or wish they were. Do you want to be in a partnership with somebody who’s OK with being good but isn’t driven to be great?
Ask the hard questions. If they’re only patting themselves on the back but aren’t talking about problems, bring them up. What are the challenges like? What are they struggling with, and what are they doing to address that?
For example, Agio has recently added validated testing to its repertoire. Rather than just talking about how great our SIEM is and how capable it is, we’ve added a product that does a breach emulation exercise, which helps us find the holes in our SIEM. We do that regularly because it’s necessary to have that process. We recognize that we’re not going to have everything perfect, and that’s OK because we have something else in place to help find those gaps—we aren’t waiting until a customer brings them to our attention.
Many larger companies are siloed. If you subscribe to their MDR service, you get MDR and nothing else. One of the perks of partnering with a smaller company like Agio is flexibility and shared knowledge. If you only subscribe to our MDR service, that doesn’t mean we won’t draw in talent from across the entire company should you have an incident or need some specific expertise. So, if there’s something super complex with Office 365, for example, we’ll go to a subject matter expert (SME) in that product and bring them in to assist with the situation.
A successful MDR partner has clearly defined roles and a stable structure of dedicated functional areas. They should always have people well-versed in incident response on hand in case an incident requires a war room situation.
Agio has a squad model. That means we have part of our team dedicated to analysis work, doing daily threat hunting. Then we have an engineering team that concentrates on initial implementations, break-fix issues as they come in, updates and changes to the systems, and making sure those systems are functioning correctly. Finally, we have the analysis side, which digs into the data day-in and day-out.
More than a few MDR companies rest their reputation on one or two individuals. They say, “Well, look at this person. We have this person that has all this engineering background and all this knowledge. Pick us.”
You may want to dig a little deeper than that. Ask who’s on their MDR team. Have them explain how they train their crew. Where does their expertise lie?
Agio doesn’t put everything into one person. We make sure everybody on the team has a minimum of five years’ experience in cybersecurity with various industry-standard certifications.
We believe that to offer successful MDR services, it’s necessary to have in-depth knowledge from a broad background. Regular training is especially important because everyone on the team should be well-versed in the tools MDR uses every day.
We’re deliberate about hiring people who come from a Security Operations Center (SOC) background. We look for people with experience from diverse backgrounds: we have people from the military, financial services, and healthcare. Our people know everything from coding to systems engineering to SIEM platforms to malware analysis and reverse engineering.
As I mentioned, there are MDR services out there that rely on one or two people who have the bulk of the team’s knowledge. What happens if those people leave the company? Does the organization have a log of the company’s institutional knowledge so the show can go on?
Agio’s MDR team has implemented Atlassian Confluence as a wiki. Whenever the team’s doing something, whether it’s engineering, analysis, or sharing how-to articles everybody can benefit from, we put it in the wiki. We’re adding to our body of knowledge every day because we understand the importance of finding and tracking institutional knowledge. We don’t rely on one or two people to get us by.
Finding a dependable MDR partner isn’t easy, nor should it be. You want to know that the company you choose is transparent, always learning, shares information, and hires the best people across the board.