February 24, 2021
(Updated April 2022)
The success of your managed detection and response deployment hinges on asking the right questions.
Managed detection and response is a valuable element of your enterprise’s security posture. With the right technologies in the hands of competent, highly trained analysts, you can significantly reduce security risks while paying a fraction of what an in-house team would cost.
However, not all MDR vendors can promise the same results. The discipline and training your MDR analysts enjoy are as important as the technologies they use. Both these factors must fit well with your existing enterprise IT environment and have open lines of communication with security stakeholders.
It should come as no surprise that completing a successful MDR deployment is easier said than done.
We’ve identified five of the most common questions clients ask MDR vendors during procurement, and five questions they should ask when talking to MDR sales teams. Use these insights to get to the bottom of what your MDR vendor really offers your organization.
1. Ask About Complexity, Not How Many Employees Their Largest Customer Has
One of the first things you might want to know about your prospective MDR provider is how large an operation they run. It’s an understandable question, but ultimately the answer won’t tell you much.
Serving enterprises with tens of thousands of employees is an impressive feat. However, the number alone doesn’t provide any information about how well those employees are protected or how security policies impact their day-to-day work.
Although the number of employees is a convenient stand-in for the complexity of an enterprise, it’s not an accurate one. Focus your questions on the complexity of some of their deployments.
How do they handle complicated implementations? What about proprietary data? Mergers and acquisitions? The answers will tell you a great deal about how meaningful a contribution your MDR vendor can make in a complex enterprise environment.
2. Ask About Renewal Rates Instead of Counting How Many Customers They Serve
Nobody wants to work with an overworked vendor who can’t give them the attention they need. At the same time, vendors with low adoption rates should be viewed with a healthy dose of skepticism.
Enterprise IT leaders are right to assign risk to any vendor with too many or too few customers.
However, there are better ways to assess that risk. Instead of trying to qualify MDR vendors according to an intuitive “sweet spot” between having too many or too few customers, consider focusing on customer renewal rates as an indicator of quality.
Custom renewal rates give you clear, quantifiable insight into how much attention vendors offer their customers, and how competent those customers believe vendors are. This is a much better metric than simply counting how many customers a vendor serves.
If an MDR vendor stops providing value to its customers, those organizations will take their business elsewhere. In a growing, competitive field like cybersecurity, managed service vendors must continually demonstrate the value of their work!
Castra has a 90.24% renewal rate!
3. Ask About Automation, Not How Many Analysts They Have
Another common line of questioning revolves around the number of analysts an MDR vendor employs. It’s a valid question, but not one that necessarily provides deep insight into how effective the vendor’s service really is.
That’s because excellent training and technology can multiply the productivity of a single analyst. A small group of highly competent analysts equipped with best-in-class tools will readily outperform a less experienced, less equipped team.
There are many ways you can measure the training and technology of an MDR provider. In today’s cybersecurity environment, automation is one of the best indicators of a highly trained technical team.
The average enterprise SIEM solution handles an overwhelming volume of security alerts. This is one of the biggest factors slowing down analyst performance. Highly automated workflows allow analysts to concentrate their efforts on the highest-priority processes first, leading to better outcomes than painstaking manual analysis can provide.
4. Ask About Threat Intelligence Capabilities, Not Just Threat Detection
You might feel compelled to ask your MDR vendor how many threats they detect per month, on average. They’ll respond with an impressive-sounding figure, and you’ll assume they are competent and highly qualified service providers.
The problem is that there are many kinds of threats. Some are easier to detect and mitigate than others. Throwing obsolete computer viruses in the same category as of today’s most advanced persistent threats simply isn’t helpful. It doesn’t paint an accurate picture showing how well-prepared your potential MDR vendor really is.
Threat intelligence data is different. MDR vendors who invest in threat intelligence can tell you how many new and evolving threats they’ve detected in the last month, week, or even day.
They can also tell you how they’ve used that data to identify and reduce false positives, and what they do with that data once they’ve obtained it.
When Castra learns about a new threat, we apply that knowledge to relevant systems across our entire client environment. Similarly, when we discover a false positive, our team proactively removes it from other clients and updates sourcing locations accordingly.
5. Ask What Makes Them Different, Not Why Their Tech is Better
Technology is an important part of managed detection and response, but it’s not the only thing that matters. Treating an MDR vendor as a purely product-based business may cause you to miss out on some of the most valuable contributions that a business can make for you.
Of course, many MDR vendors proudly consider themselves technology-first product enablers. They may have built their own internal SIEM solution and outfitted it with powerful features. However, this doesn’t guarantee that your organization will receive the attention and competent analysis it deserves.
Product-based companies and service-oriented vendors are two entirely different organizations. Even if your product-based MDR vendor has great technology, you won’t get any transparency or insight into how it works. They may even try to lock you into your contract with them, preventing you from leaving without giving up all your data and technology.
Ultimately, MDR performance is about more than technology. It’s about the way technology is implemented at scale, the infrastructure that it relies on, and the degree of visibility that IT leaders gain in the process. These advantages don’t translate well to a list of technical specifications and policies.
A Mystery Box vs. Glass Box℠ MDR Partner
Want to Know More? Speak to a Castra MDR Expert Today
Castra is a service-oriented vendor that uses best-in-class technologies from the world’s most reputable providers. We teach customers how to disconnect from any service – including our own – without losing data or endangering their security posture.
Instead of asking you to put a “Mystery Box” on your network, we deploy a transparent Glass Box℠ MDR solution that offers unprecedented visibility into every aspect of your security environment. Find out how our approach can transform our organization’s security posture by scheduling a demo now.