
Is your MDR actually MDA?

Written by ga_dahmani

As security talent shortages loom and IT infrastructures and security technologies become more complex, many companies are turning to outsourced services as a way to rapidly improve their security efforts. Threat detection and response are top priorities for reducing an organization’s mean time to detection (MTTD). And what could be better than offloading the huge volumes of logs from across your network to a team of experts who monitor them 24/7/365, look for threats, and then block them or remediate incidents based on what they see? The challenge is to make sure a provider actually lives up to this promise. This blog can help.

There are thousands of vendors that list Managed Detection and Response (MDR) as a service offering, and almost as many variations of what those offerings include. How can you tell if you’re getting a true MDR or just managed detection and “alerts” (MDA), which leaves the “R” in your hands?


Here are three ways to ensure you’re getting actionable answers, not just noise, from your vendor:

1. Visibility and Context

Remember that analysis can only be performed on data that is actually ingested into your provider’s MDR platform. If you share only perimeter firewall logs, for example, monitoring is limited to what crosses the perimeter, and the rest of your environment stays unwatched and exposed.

It is your responsibility to validate that the types of data being sent (network traffic, firewall, endpoint and server logs, etc.) give your cybersecurity provider complete visibility into your distributed environment, including logs that show lateral movement inside the network as well as ingress/egress traffic at the edge.

What you can do: Engage with your cybersecurity company to discuss all the possible data sources from the cloud, SaaS, on premises, or within your supply chain to maximize the effectiveness of your MDR service. Be sure to ask how your vendor enriches the data you send with visibility beyond your own network sources, including dark web analytics, threat intelligence feeds, and other threat detection sources.
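One concrete way to verify the visibility point above is to compare the sources you expect the provider to ingest against what is actually arriving, and to flag telemetry categories with no live source at all. The script below is an added example, not code from the original post or from any MDR vendor; the source inventory, the "last event seen" timestamps, the category names and the two-hour silence threshold are all constructed for illustration, and in practice the inventory would come from your CMDB and the last-seen data from the provider's ingestion report.

```python
"""Check which expected log sources are actually reaching the MDR platform.

Added example, not code from the original post or from any MDR vendor.
The inventory, the last-seen timestamps and the category names below are
constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed inventory: every source the provider is supposed to ingest,
# tagged with the telemetry category it gives visibility into.
EXPECTED_SOURCES = {
    "fw-edge-01": "perimeter",            # north/south (ingress/egress)
    "fw-edge-02": "perimeter",
    "edr-tenant": "endpoint",             # process and host telemetry
    "ad-dc-01": "identity",               # auth events, Kerberos, account use
    "aws-cloudtrail": "cloud",
    "m365-audit": "saas",
    "core-switch-netflow": "east-west",   # traffic between internal segments
}

# Constructed sample of the last event the provider received per source.
# Sources absent from this map have never been seen at all.
LAST_SEEN = {
    "fw-edge-01": datetime(2022, 6, 1, 12, 0),
    "fw-edge-02": datetime(2022, 6, 1, 11, 58),
    "ad-dc-01": datetime(2022, 5, 28, 3, 14),     # stale: four days old
    "aws-cloudtrail": datetime(2022, 6, 1, 11, 50),
}

NOW = datetime(2022, 6, 1, 12, 5)   # constructed "current time" for the check
MAX_SILENCE = timedelta(hours=2)    # assumed threshold for a "silent" source


def coverage_gaps(expected, last_seen, now, max_silence=MAX_SILENCE):
    """Return (silent_sources, missing_categories).

    silent_sources: sources with no event within max_silence of `now`
    (never seen, or last seen too long ago).
    missing_categories: telemetry categories with no live source at all,
    i.e. blind spots the provider cannot analyse no matter how good it is.
    """
    silent = []
    live_categories = set()
    for source, category in expected.items():
        ts = last_seen.get(source)
        if ts is None or now - ts > max_silence:
            silent.append(source)
        else:
            live_categories.add(category)
    missing = sorted(set(expected.values()) - live_categories)
    return sorted(silent), missing


def lateral_movement_blind(expected, last_seen, now):
    """True when neither endpoint nor east-west telemetry is live: the
    provider would see ingress/egress but nothing moving inside the network."""
    _, missing = coverage_gaps(expected, last_seen, now)
    return "endpoint" in missing and "east-west" in missing


def run_check():
    """Run the coverage check against the constructed data."""
    return coverage_gaps(EXPECTED_SOURCES, LAST_SEEN, NOW)


if __name__ == "__main__":
    silent, missing = run_check()
    print("silent sources:", silent)
    print("blind telemetry categories:", missing)
    print("lateral movement blind spot:",
          lateral_movement_blind(EXPECTED_SOURCES, LAST_SEEN, NOW))
```

With the constructed data, only the two edge firewalls and CloudTrail are live, so the report shows the endpoint, identity, SaaS and east-west categories as blind spots: exactly the "perimeter only" situation the section warns about, in which the provider cannot see lateral movement at all. Running this on a schedule, rather than once at onboarding, catches the common case where a source was wired up correctly and later silently stopped sending.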

2. A response playbook

When your provider raises an alert, it triggers a response. That may mean the vendor addresses the suspicious activity, active threat, or attack on your behalf, or provides guidance and details for you to tackle it. For many environments, the answer is a combination of both.

The key, however, is in the definition of an alert. Not all alerts raised by the system or by an analyst have the same level of criticality, and some are false positives. Alert validation by expert analysts filters out the noise, sparing your team alert fatigue and helping them focus on the alerts that count. It’s a benefit of outsourcing to an MDR provider, but only if it’s done right.

What you can do: Your cybersecurity company should work with you to develop and document a customized response playbook at the beginning of your partnership. The playbook defines what constitutes an alert for your specific organization (severity ratings). It also documents how the provider will handle alerts based on their severity, including escalation routes, who in your team or organization is notified and how, and which response actions are the provider’s responsibility and which are yours.
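A documented playbook is only useful if you check the provider against it. The script below is an added example, not code from the original post or from any MDR vendor; it takes a constructed playbook (owner of the response action and notification deadline per severity) and a constructed export of closed alerts, and reports the three things that separate MDR from MDA: false positives that were still escalated to you, validated alerts notified later than agreed, and provider-owned alerts that were handed back without any provider action. The severities, deadlines and ticket fields are assumptions; a real audit would read them from the signed playbook and the provider’s ticket export.

```python
"""Audit a provider's closed-alert export against the agreed response playbook.

Added example, not code from the original post or from any MDR vendor.
The playbook thresholds and the alert records are constructed for
illustration.
"""
from datetime import datetime, timedelta

# Constructed playbook: who performs the response action for each severity,
# and how quickly a validated alert must be escalated to the customer.
PLAYBOOK = {
    "critical": {"owner": "provider", "notify_within": timedelta(minutes=15)},
    "high":     {"owner": "provider", "notify_within": timedelta(hours=1)},
    "medium":   {"owner": "customer", "notify_within": timedelta(hours=4)},
    "low":      {"owner": "customer", "notify_within": timedelta(hours=24)},
}


def _t(hh, mm):
    """Timestamp helper for the constructed sample (all on one day)."""
    return datetime(2022, 6, 1, hh, mm)


# Constructed alert export. Fields:
#   validated       analyst confirmed a real incident (False = false positive)
#   notified_at     when the customer was paged (None = never escalated)
#   provider_action containment the provider performed (None = handed over)
ALERTS = [
    {"id": "A1", "severity": "critical", "validated": True,
     "detected_at": _t(10, 0), "notified_at": _t(10, 10), "provider_action": "host isolated"},
    {"id": "A2", "severity": "critical", "validated": True,
     "detected_at": _t(11, 0), "notified_at": _t(11, 40), "provider_action": None},
    {"id": "A3", "severity": "high", "validated": False,
     "detected_at": _t(12, 0), "notified_at": _t(12, 5), "provider_action": None},
    {"id": "A4", "severity": "medium", "validated": True,
     "detected_at": _t(13, 0), "notified_at": _t(14, 0), "provider_action": None},
    {"id": "A5", "severity": "high", "validated": True,
     "detected_at": _t(15, 0), "notified_at": _t(15, 30), "provider_action": "account disabled"},
    {"id": "A6", "severity": "low", "validated": False,
     "detected_at": _t(16, 0), "notified_at": None, "provider_action": None},
]


def audit(alerts, playbook):
    """Return the findings a customer would raise in a service review."""
    noise_passed = []     # false positives that were still escalated to you
    sla_breaches = []     # validated alerts notified later than agreed
    response_unmet = []   # provider-owned alerts closed with no provider action
    provider_owned = 0
    for a in alerts:
        rule = playbook[a["severity"]]
        if not a["validated"]:
            # Validation should have stopped this alert at the provider.
            if a["notified_at"] is not None:
                noise_passed.append(a["id"])
            continue
        if (a["notified_at"] is not None
                and a["notified_at"] - a["detected_at"] > rule["notify_within"]):
            sla_breaches.append(a["id"])
        if rule["owner"] == "provider":
            provider_owned += 1
            if a["provider_action"] is None:
                response_unmet.append(a["id"])
    responded = provider_owned - len(response_unmet)
    return {
        "noise_passed_through": noise_passed,
        "notification_sla_breaches": sla_breaches,
        "provider_response_unmet": response_unmet,
        "provider_response_rate": responded / provider_owned if provider_owned else None,
    }


def looks_like_mda(report, min_response_rate=0.9):
    """Heuristic (assumed threshold): the 'R' is missing if the provider hands
    back the alerts it is contracted to act on, or lets unvalidated noise through."""
    rate = report["provider_response_rate"]
    return (rate is not None and rate < min_response_rate) or bool(report["noise_passed_through"])


def run_audit():
    """Audit the constructed export against the constructed playbook."""
    return audit(ALERTS, PLAYBOOK)


if __name__ == "__main__":
    report = run_audit()
    for key, value in report.items():
        print(f"{key}: {value}")
    print("looks like MDA:", looks_like_mda(report))
```

On the constructed export, A3 is a false positive that was paged to the customer anyway, A2 is a critical alert notified 40 minutes after detection against a 15-minute deadline and then handed over with no containment, and the provider acted on only two of the three alerts it owned. Those are the numbers to bring to the quarterly service review; the thresholds in the playbook are the contract, and the export is the evidence.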

3. Methodologies and Experience

Your MDR service should be more than the next evolution of a security alerting system. You need insight into what’s happening inside and outside your network, a partner you can work with in the event of an incident, and the confidence that your cybersecurity company is blocking threats you can’t see, with full transparency into their analysis and response.

What you can do: Look for partners with global operations and a track record of serving organizations similar to yours in company size, industry, network complexity, and geography. Additionally, a vendor’s technical certifications and regulatory experience must match your use case. For example, a vendor working with the healthcare industry must have a thorough understanding of HIPAA’s implications for security controls and compliance.

An MDR provider should remove the burden of managing threat detection and response in-house, not just inundate your already overworked security team with loud, unvalidated alerts. Use the three tips outlined here to ensure your vendor delivers the “R” in MDR and provides proactive, reliable security protection for your organization.

Looking for an MDR provider? See if they tick all the boxes with our checklist, Questions to Ask an MDR Provider. Download now.

*** This is a syndicated Security Bloggers Network blog from silver sky written by michele-johnston. Read the original post at:
