Seven Questions to Ask Your MDR Provider
Choosing the right MDR provider is an important decision. You need confidence that they will be the right fit for your organisation and have the capabilities to provide a tailored service to protect against cyber threats. A successful partnership becomes an extension of your existing team and frees up time for them to focus on security strategy instead of security monitoring.
According to the e2e-assure 2024 Cyber Defence report, security teams face pressure either to consolidate their tools for a more robust defence posture or to evaluate service providers for better services. Whether you are assessing an existing service or searching for a new one, we can assist you in cutting through the noise and making the right decision.
We recognise this challenge and, to help, have compiled a list of the top seven questions to navigate the evaluation of service provider maturity, scope, and business outcomes.
1. What drives you as a cyber security service provider?
Understanding the provider’s focus is essential before you embark on a relationship. You need to know that they empathise with the challenge of securing digital infrastructure and provide confidence that their business has the technology and scale to do this, with the proper focus on people and processes and without the need to layer additional technology.
Look for a discussion, not a technology pitch. Your new provider could present a use case as an opportunity to understand your security challenges and craft the perfect solution to assist. Their solution will have proprietary elements, as we have the Cumulo platform at e2e-assure, but it must also work with the investments you have in place today.
2. For how long have you offered your MDR service?
MDR is not a service that can simply be switched on. It takes time to develop the team, processes, and technology stack needed to provide a fully comprehensive service. You need to work with an MDR provider that is a pure-play specialist in the market, not a single-product vendor. MDR has existed since the mid-2000s, meaning there are mature providers in the market who operate comprehensive platforms with experienced teams.
The best providers have a fully evolved MDR offering. Whilst it is not essential to partner with an organisation that has provided MDR since its inception, it should have a long-standing reputation in the market. The ideal provider is mature, with a cross-vendor, flexible offering. Look for six or more years' experience with demonstrable customer use cases and a team that includes security-cleared SOC analysts, incident responders, and security consultants.
3. How does your SOC manage the MDR service stack?
The answer to this question should not be a deep dive into the vendor technology stack; although this shows investment in products, the result can be an inflexible service that will struggle to scale with your needs.
Look for responses that explain the MDR service's outcomes, how it will manage your security posture, what flexibility is offered to support your existing investments, and how it will fit into your budget.
4. In addition to MDR, what other services does your SOC deliver?
Understanding the breadth and depth of your provider’s capabilities is essential. Those from an MSSP or product background may have a limited subset. You’re looking for providers who offer telemetry monitoring and alerting across all digital assets from endpoint to cloud. Their platform must integrate into your existing technology stack to build on investments instead of needing a rip-and-replace.
The response to this question should not be a detailed dive into logs and tracing and should avoid vendor-specific language. Instead, look for a service overview and business outcomes.
5. What response levels does your MDR service provide?
An essential MDR component is tracking a threat from the initial reconnaissance and access stage to its eventual removal, analysis, and root cause identification. Some service providers only offer containment capabilities, which may expose your organisation to high risk during an ongoing attack.
At this stage in the discussion with a potential MDR provider, you need to begin asking service-specific questions – this will help to identify the level and strength of service being offered.
We’ve put together some examples to assist:
- Who is responsible for executing SOC security recommendations?
- Is there detailed playbook automation available for security actions?
- How does the provider detect insider threats?
- What threat-hunting capabilities do you have internally?
- What level of Incident Response service is available?
Detailed answers to these questions ensure that the level of service provided is sufficient in the event of an attack, threat campaign, or breach. In case of a threat, you need confidence that your MDR provider has a playbook of actions, clearly defined and pre-agreed, which will be executed to mitigate the situation – ideally using automation for pre-agreed actions such as quarantining a device. The team should also carry out and report back on regular threat-hunting activities, which can inform recommendations for security posture changes.
6. How do you measure a customer’s security posture over time?
Traditional providers relied on detection rulesets that came with their products, perhaps with minor modifications for customer requirements or in response to new threats and vulnerability advisories. While this worked in the past, the speed of threat evolution is constantly ramping up, and as businesses move to cloud and digital assets, the fastest response to threat development is essential.
It used to be enough that a provider would offer text-based service level agreements and availability statements, but no longer. The threat posture of an organisation reflects on the company brand, can affect revenue or even provide a competitive advantage in supply chain opportunities.
Responses to look for include:
- Use cases mapped against frameworks, for example MITRE ATT&CK, with ongoing compliance with ISO 27001.
- A customer input process for defining use cases, demonstrating service flexibility.
- Staff who are security cleared to a relevant level, for example NPPV3 or BS 7858:2019.
- Ask whether the SOC platform can make dynamic recommendations to help customers improve their security posture against threats and vulnerabilities.
7. Can you give me a threat scenario walkthrough?
With the previous questions answered, this final scenario should not be a challenge for any confident MDR provider. You have provided all the data points on what needs to be protected, the level of protection and service required, and an understanding of the security solutions in use. This is their opportunity to demonstrate how all that comes together as a tailored, outcome-based managed service.
It’s the perfect opportunity to show the service and let you see their methodology in action – expect them to offer a case-study example or a live demonstration of the platform, along with the steps to resolve a threat situation and preventative recommendations.
Look for the demonstration to include:
- How MDR combines proactive security with threat hunting and tracking to continuously analyse and adapt your security stance, making it harder for cyber criminals to target your business.
- Performance against KPIs, including Mean Time to Detect (MTTD) and Mean Time to Contain (MTTC). These metrics show how long it takes to neutralise threats.
- Dashboards that enable continuous security evaluation through attack simulations to identify and mitigate gaps.
Achieving the proper Service Level Agreement (SLA)
Whilst this is not a question, it is an essential outcome of any MDR provider discussion. Having the right SLA in place is foundational for a successful relationship. At the outset, you must agree on measurable, achievable performance metrics to ensure service delivery in line with business expectations.
Remembering that the SLA is not a static document is also important. Your new provider should have periodic reviews to ensure the requirements are met, and the agreement levels fit your business needs well.
Carefully review the SLA to ensure it is flexible and can evolve beyond the original contract scope. This can be overlooked in negotiations, resulting in a service that cannot scale with business needs. At the same time, transparency in pricing is essential to avoid the risk of hidden charges appearing following a change request or even a threat remediation situation.
The importance of the right MDR provider
Selecting your MDR provider is important; getting it right is critical for your cyber security posture and resilience. You need to review all the technical criteria for the service on offer and ensure their pricing and service level agreements can be tailored to fit your budget.
Summary – the e2e-assure advantage
Selecting your MDR provider is important, but getting it right is a critical decision which changes your cyber security posture and stance. At e2e-assure, we have more than ten years of experience in providing advanced managed SOC services, including MDR, which makes us different.
Our drive to innovate is focused on continually reducing the time and cost of protecting your business against cyber criminals. We are meticulous in applying cutting-edge capabilities and will partner with you to solve real-world business problems, ensuring that high-value threat signals are identified and addressed fast whilst distracting noise is eliminated.
With e2e-assure, you can rest assured that your organisation is well-protected from constantly evolving threats and vulnerabilities. You can be confident that you have the best security solution to support your digital business today, with the flexibility to scale and support the growth and success of your organisation.
These seven questions are just the beginning of the journey. To assist you in this, we have created a comprehensive MDR Buyers Guide. If you want to learn about the functionality of MDR, the essential features to look for in a provider, and how to negotiate a service level agreement, all the information is included.