Top 10 Considerations for Choosing an MDR Provider

In today's rapidly evolving cybersecurity landscape, choosing the right Managed Detection and Response (MDR) provider is crucial. Here are the top 10 considerations you need to keep in mind when evaluating providers:

1. Open vs. Closed Ecosystem
   When evaluating providers, consider whether they offer an open approach that allows customization and integration with your existing security stack. Given organizations have an average of 45 security tools, leveraging an open ecosystem ensures flexibility, scalability, and the ability to adapt to future threats while maximizing current security investments. On the other hand, closed ecosystems may limit your flexibility and tie you to a single vendor's products which also makes it more difficult to switch out in the future should you want to.
2. Broad Telemetry vs Endpoint Centric
   Look for a provider that goes beyond endpoint-centric visibility. We have found that 60% of threats come from outside of endpoints, so a comprehensive MDR solution should provide telemetry across various data sources. This includes network traffic, cloud services, identity, email, and more. By adopting a broader view, you enhance threat detection and gain a more contextual understanding of security incidents.
3. Response vs. Notification
   Some vendors focus solely on notifying you when threats are detected, often to the point where your internal team may be overwhelmed and suffer alert fatigue. Some may even crow about a leading 'Mean Time To Detect.' However, true MDR does not just throw alerts (and work) over the fence, but involves a combination of noise reduction and robust investigation to enable proper response. Otherwise, the burden of proper triage, investigation and response will fall to your team, negating the value of working with an MDR provider. Focus your attention on enabling analysts to prioritize what is most important - the balance of vendor and internal work and Mean Time to Resolve.
4. Robust vs. Basic Response
   Traditional solutions tell you something is wrong and may even take some initial containment and remediation actions. However, proper response involves a deeper level of forensic investigation, comprehensive remediation, and help with recovery if needed. Seek providers that offer comprehensive response capabilities that also include out-of-the box options to automate response across integrated systems. In addition, the value of having direct, timely and unlimited access to experienced SOC analysts to answer questions and collaborate on threat response shouldn't be underestimated.
5. Expert-Guided vs. Fully Automated
   Striking the right balance between human expertise and automation is crucial. MDR should combine the insights of skilled analysts with AI-driven automation and trigger the right level of automated actions to suit your needs. Analysts contextualize threats, while automation enhances speed and efficiency. Over-reliance on automation opens gaps and could have unintended consequences over the long haul, requiring additional time and money to resolve.
6. 1 Year vs. 1 Week of Data Retention
   Having a sufficient amount of data that spans a full year is essential for proper threat hunting. Providers analyzing historical data over a year can uncover persistent threats and patterns. Many providers offer a minimal amount of data retention with the hopes of upselling longer coverage. In addition, holistic threat hunting should span all data sources, not just recent endpoint logs.
7. Flexible and Transparent vs. Fixed and Opaque Model
   Choose an MDR partner that adapts to your security journey. Seek flexibility in terms of integrations, workflows, and deployment models to meet you where your organization is today and support your growth into the future. Transparency is also paramount - your team will appreciate the ability to work within the same systems as your MDR partner's analysts for collaboration and skill development. This leads to more timely response as part of a cybersecurity partnership, versus providers who operate in a pure vendor/customer model.
8. Unlimited vs. Limited Response
   Imagine facing a large-scale attack. Ensure your MDR provider offers unlimited response support across connected systems. When your organizations security is at stake during an attack, you don't want to be worried about running out of hours or lax response capabilities on non-endpoint systems.
9. Predictable vs. Upsell Pricing
   Transparent pricing models are crucial, especially for organizations with limited budgets who can't adjust to hidden costs. Per-endpoint pricing simplifies budgeting, and included features such as integrations, threat hunting, and log retention ensure you get value for your investment without surprises.
10. Available In-House Services vs. Third Party Services

Having an in-house incident response team accelerates incident handling should the need arise. Additional in-house Services capabilities should also be available to assess, test, and prepare for incidents, plus options for expanded threat hunting and optimizing your security tools to help you rapidly get to a robust security posture.

Remember, the ultimate motivation of the vendor should align with your needs. Is the vendor focused on constant upselling more features? Or are they providing everything you need for robust protection with options to align more closely with your unique needs? One way to find out is by requesting a Proof of Value (POV) exercise to test which of these considerations are most important to your organization to find the right MDR partner.

To explore POV or other options to evaluate Secureworks® Taegis™ ManagedXDR, speak with one of our experts.