Despite the many benefits of working with an MDR service provider, security and business leaders often wrestle with the potential for having to ‘fit in’ to the provider’s way of working. Each business has its own strategy, and its security operations align with the overall business objectives; without intimate knowledge of a given business culture, how can an MDR service provider be sure they are making the proper judgement calls in response to a critical alert?
Questions to Ask Potential MSSPs During Research
Selecting the right MSSP is critical for success. When evaluating providers, consider asking the following:
- How do you tailor threat detection to my business needs?
- What level of transparency and control will my team have?
- How does your Target Operating Model align with my business operations?
- What is your approach to minimising false positives and reducing alert fatigue?
- Can you provide references from similar-sized organisations in my industry?
- Do you have expertise in optimising and managing Microsoft Sentinel for long-term effectiveness?
Response Times and Escalation Processes: Why They Matter
A critical factor in evaluating an MSSP or hybrid SOC provider is their approach to response times and escalation processes. Traditional metrics such as Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) have long been used to gauge SOC performance. However, the more crucial metric in today’s landscape is Mean Time to Contain (MTTC).
Understanding Key SOC Metrics
- MTTD (Mean Time to Detect): The average time taken to identify and classify a potential threat.
- MTTR (Mean Time to Respond): The average time from detection to resolution of the incident.
- MTTC (Mean Time to Contain): The average time taken to disrupt an attack and prevent it from spreading further.
While MTTD and MTTR remain important, a modern SOC must focus on reducing MTTC by proactively disrupting attacks before they escalate. This requires visibility across the attack surface, rapid decision-making, and automated containment mechanisms.
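As an added illustration that is not part of the original post, the following Python computes the three metrics from constructed incident timelines so the gap between MTTC and MTTR is visible; the record fields and timestamps are assumptions, and an incident that has not yet reached a step is left out of that metric rather than counted as zero.

```python
from datetime import datetime
from statistics import mean

# Constructed incident records (not real data). Timestamps mark the first
# observed attacker activity, when the SOC detected and classified it, when
# containment stopped further spread, and when the incident was fully
# resolved. None means that step has not happened yet.
INCIDENTS = [
    {"id": "INC-1", "first_activity": "2024-03-01T08:00", "detected": "2024-03-01T09:30",
     "contained": "2024-03-01T10:00", "resolved": "2024-03-02T09:30"},
    {"id": "INC-2", "first_activity": "2024-03-03T22:15", "detected": "2024-03-04T07:15",
     "contained": "2024-03-04T08:15", "resolved": "2024-03-04T19:15"},
    {"id": "INC-3", "first_activity": "2024-03-05T12:00", "detected": "2024-03-05T12:30",
     "contained": None, "resolved": None},  # still open: detected but not contained
]


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def _mean_hours(deltas):
    return round(mean(d.total_seconds() / 3600 for d in deltas), 2) if deltas else None


def soc_metrics(incidents):
    """Return MTTD, MTTC and MTTR in hours plus the ids of incidents still
    awaiting containment, which is where the MTTC figure is hiding risk."""
    detect, contain, respond = [], [], []
    for inc in incidents:
        first, det = _ts(inc["first_activity"]), _ts(inc["detected"])
        con, res = _ts(inc["contained"]), _ts(inc["resolved"])
        if first and det:
            detect.append(det - first)      # attacker dwell before detection
        if det and con:
            contain.append(con - det)       # detection -> spread stopped
        if det and res:
            respond.append(res - det)       # detection -> fully resolved
    return {
        "MTTD_hours": _mean_hours(detect),
        "MTTC_hours": _mean_hours(contain),
        "MTTR_hours": _mean_hours(respond),
        "open_uncontained": [i["id"] for i in incidents if not i["contained"]],
    }


if __name__ == "__main__":
    print(soc_metrics(INCIDENTS))
```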
Proactive Attack Disruption with Sentinel
A successful MSSP or hybrid SOC should enable attack containment through:
- Real-time Threat Intelligence Integration: Ensuring Sentinel queries align with the latest threat techniques.
- Automated Response Playbooks: Using Sentinel’s automation tools to enable instant containment of threats without waiting for manual intervention.
- Continuous Threat Hunting: Leveraging KQL-based threat hunting within Sentinel to proactively identify and neutralise threats.
- Attack Surface Management: Extending Sentinel’s detection capabilities beyond endpoints to cloud workloads, identity systems, and network layers.