Behind the MDR Curtain: The Importance of Original Threat Research

Searching for a quality managed detection and response (MDR) service provider can be daunting, with dozens of vendors to choose from. In its 2023 Gartner® Market Guide for Managed Detection and Response Services, however, Gartner confronts the challenge head-on.

"Misnamed technology-centric offerings and vendor-delivered service wrappers (VDSW), that fail to deliver human-driven managed detection and response (MDR) services, are causing challenges for buyers looking to identify and select an outcome-driven provider," Gartner writes.

However, the need for MDR is undeniable. With organizations drowning in cybersecurity alerts, MDR offers professional help to quickly weed out false positives, analyze the remaining alerts, and focus on those that represent potential threats.

It's little wonder that Gartner predicts 60% of organizations will employ MDR by 2025, up from 30% in 2023.


How to Evaluate MDR Providers

Gartner's report offers valuable advice on selecting a provider.

"MDR buyers must focus on the ability to provide context-driven insights that will directly impact their business objectives, as wide-scale collection of telemetry and automated analysis are insufficient when facing uncommon threats," the Gartner MDR report says.

"Context-driven insights" and "uncommon threats" are the key phrases. Most MDR providers can detect well-known threats, but it takes a provider with deep resources and experience to find new or otherwise unusual threats and put them in context, meaning to understand the danger they represent and what to do about them.

When evaluating MDR providers, it makes sense to ask about the resources each one has at its disposal to identify and respond to threats. As previously discussed, the "response" part depends largely on which ancillary services the provider offers, such as whether it has a Digital Forensics and Incident Response (DFIR) team.

The ability to identify threats depends on at least a couple of critical factors. One is the tools the provider uses, including your endpoint detection and response (EDR) platforms and a security information and event management (SIEM) platform. Another is the threat database the MDR provider has at its disposal.


Why the MDR Threat Database is Crucial

That threat database is where things can vary widely from one MDR provider to another. Some may rely, for the most part, on the EDR, SIEM, and other tools being up to date with the latest threat signatures. Others have research teams that do original threat research, meaning they have security professionals dedicated to finding new threats.

At the same time, some MDR providers offer other services, such as penetration testing and threat hunting. In the course of their work, these teams also find new threats, which are then added to the threat database and shared to the benefit of all MDR customers.

For example, Trustwave discovers more than 1 million new malicious URLs monthly across its various products and services, including MDR, pen tests, DFIR engagements, threat hunting, the SpiderLabs research team, and the MailMarshal email security offering. These URLs may host new forms of malware, serve spam, or be phishing sites just waiting to lure in victims.

What's more, between MailMarshal and the SpiderLabs research team's artificial intelligence-based engine, Trustwave detects some 12,000 previously unknown threats daily. You read that right: 12,000 previously unknown threats each day.

These threats immediately become available to all Trustwave security offerings, including MDR. The depth and breadth of the threat database are differentiators for the Trustwave MDR service, along with the availability of additional services such as DFIR and threat hunting that can help you eradicate any threats the MDR service turns up.

We encourage you to ask other providers how they're keeping up with the latest threats and whether they have their own threat research team, as Trustwave has with SpiderLabs.
