IS Your MDR Service ‘Right Sized’ for You

MDR is a Relationship. ‘Ever feel like your MDR partner just doesn’t get you? It might be them .. or it could be you. At least it could be the match of the scales of your respective businesses. For this discussion consider ‘right sized’ to mean on a matching scale to your business. What follows is a consideration of some of the factors MDR Services aspire to as seen through the lens of scale. Although some may be slightly technical, many are in fact intangibles that nevertheless affect the satisfaction of the undertaking over time. 

It goes without saying choosing the right MDR partner is a decision up there with all of the very most important relationship choices in life. It is a decision with equal parts ‘know yourself’ and ‘know your suitors’. After all these people will operate at the core of your business with responsibilities for its preservation. There might be an honest temptation, when arriving at this choice from a position of security self-doubt, to connect with the largest providers under the assumption that their breadth of market equates to a depth of service and knowledge. Certainly, there are opportunities to leverage that scale like a rising tide to raise all boats. In fact, with discipline, it is possible for large providers to achieve this. After all MDR Teams are made of people and the character of the team is a core intangible that could be related to any MDR team, anywhere. However, consideration should be given to the idea that bigger may not be better for a variety of reasons.

Instead of going to the usual metaphor of a life partner, instead ask yourself about another critical relationship, perhaps a ‘best man’ or ‘maid of honor’ role where their lifelong service will affect your outcomes. Their duties in the near term as well as over a lifetime reflect the virtues of how they get the job done as much as the individual tasks performed. It’s worth taking that as a model when you consider this other important relationship.

Service Components of a Good MDR Relationship

There are many practical considerations to choosing an MDR Service. Some ingredients that you live with day in and day out, while sometimes not initial considerations, strongly define the relationship.

• Communication

Communication in all of its forms is a vital aspect of constantly adapting an MDR service to evolving IT forms as well as flareups in threat posture. Important to communication is a constant convivial access to team members. Periodic perhaps weekly meetings between organizations ensure execution goals are met and new business is solved be it adapting to IT reengineering or new policy changes.

• Execution

Execution of the analytic mission is the fundamental requirement of an MDR analyst. Within right sized MDR teams exist a limit to the span of client architectures and that becomes a fundamental contributor to the analyst’s ability to execute. In all settings analysts are tasked with the ability to explore within their tech stack but equally important, within the span of the IT stack of the client. While there is no expectation of lessened execution levels from providers with large spans of clientele, nevertheless the difficulty to the analyst multiplies with the increase in the count of IT environments serviced. For the right sized MDR Team limited scoping of client architecture is a secret weapon for better execution.

• Sense of Mission – Perhaps the Intangible

Personal relationships from focused communication develop a sense of connection which is a vitally important contributor to the effectiveness of a service. Where right sized MDR teams truly shine is in the ownership and sense of mission that come from time spent developing these relationships. Right sized MDR teams allow for a team comradery between client and provider that quite frankly drive and motivate the analyst to solve to deep issues well beyond the first bit of evidence. Conversely, the more clients that are managed at a single time, the greater the division of dedication to mission among them.

• Attainment of Knowledge

Knowledge development from information gathering is a common task for teams of any size. Wholistic knowledge including an understanding of Threat Modeling, Threat Hunting and research are necessity in the modern MDR team. I will argue here the overlap of duties of a right sized team bring synergistic of approach alternatives that expand the means to address issues. Given the need to transition between these tasks in a day of analysis, we feel compelled to spread these duties under one directorate sharing opportunities to sharpen the skills.

• Value

This will be the metaphor breaker for good measure so .. often but not always, providers of right sized MDR services provide a more direct paired down structure featuring flatter management hierarchy and fewer ancillary services. If so, cost structures may be more reasonable with the added side effect of once again driving decisions through a limited channel of decision makers, hence improving communication. The scale match drives efficiency full stop. This may be the point for introspection and self-reflection. One might ask how perhaps needy am I for incidental extras as surrounds to the service I seek? Certainly, a good provider will provide extras perhaps in the form of performance metrics and discussion. However, if somewhat more luxury, perhaps comfort or marketing-based items are sought, the rugged efficiencies of SMB focused providers may rule those out.

• Flexibility

Finally inherent in the presence of a potentially paired down, flatter structure, comes the follow-on to more direct communications being flexibility. With a lower span of effect for service decisions combined with limited management layers, comes an ability to adapt to requests and changes that more rigid hierarchies may not be able to match. More flexibility brings speed of adaptation that may prove vital in the defense of a network. 

Business Pressures and Tendencies Versus Service Components

When interpreted through the lens of business tendencies, the components above may change depending on the size of the service provider in question. While not completely universal, competitive environments for larger providers do tend to favor, over the long term, realities of service more conducive to their economies of scale than perhaps the mission of your security group. If you are large and matched in size to your provider this may be an advantage. You may reap the benefit of the lion’s share of attention while having smaller firms subsidize your service levels. Likewise, providers at a scale common to their clients should have an opportunity to outperform in a variety of areas.

Business pressure at larger scales very often means divided attention and interest not only at the analyst level but additionally at the management level as well. Certainly, larger providers may adhere to the focused approach of a right sized team for a smaller client. However, through the years cost cutting incentives and resource shortages naturally incentivize larger providers to divide the attention of their analysts. A large provider must have a codified, zealous even intention if it is to maintain its small business approach through cycles of management change, personnel shortages and fluctuating quarterly performances. ‘Historically not an easy culture to maintain.

Ultimately anyone interested in an MDR service wishes for a concern from the provider that matches or exceeds that of yourself. On the opposite side of the coin of mission orientation, a smaller client firm can often face a stair stepped focus of attention and concern where larger providers emphasize the larger contracts they hold. For their smaller clientele, the potential to vie for normal attention is always a future possibility. In essence if every client is not essential, then the opportunity to fill that lower niche with a revolving set of filler revenue can become enticing to those doing the selling.

Certainly, conditions do exist where larger firms are favored. If a client has a vast IT organization and resources, they “may need a bigger boat”. If a client requires specific and unusual niche capabilities perhaps related to a wide-ranging geography or a combination of very specific ICS/OT technology, then potentially a larger firm might be more likely to fulfill that need. However, in the latter case room still exists to consider a boutique specialist right sized firms specializing in the area of need.

The Maturing Tech Stack – No Longer a limiting Factor

Given the maturation of the SaaS market for security, security providers find themselves in an enviable position. They may make their best choice selection of providers without the necessity of utilizing an inhouse product come what may. When the phrase “we eat our own dog food” arises it should conjure in your mind a question of why it should be necessary to say that. Is there a notion of sacrifice to have to run in house software in order to maintain testing of it for a diverse audience that may not look like your business. If they are one of one in the market with a capability that none other can match then they have an argument but otherwise you may be contributing to product development, in essence you are part of the product.

In our MDR Team naturally we have chosen a high-quality tech stack of EDR, Next Generation Intelligent SIEM and finally SOAR which, no surprise, we really favor. Again, that is a luxury that is available to all conscientious SMB providers and the once true but now dated assumptions to the opposite should be reconsidered. We have the opportunity to choose the Artificial Intelligence adjunct that best suits our experience of capability. We have the additional opportunity to choose between a wide variety of options that integrate well in the modern, cloud centric IT environment. Given the SaaS ubiquity for SMB providers, so it goes for our competitors as well. More than ever capability is truly in the hands of the provider of SMB MDR Services.

All that said, Our Service:

At VerSprite, Threat Intelligence Group, we offer MDR Services with 24×365 bringing our advanced tech stack including Highly adaptive Cybereason EDR, Intelligent Next Generation Stellar SIEM and finally the adaptation and custom content capabilities afforded us by D3 SOAR. Additionally, we offer strong integration services adapting to components of a variety of tech stacks. We offer additional consulting services for a variety of needs, for instance Threat Vulnerability Management. We are dedicated to your mission and will consider ourselves part of your team. We would appreciate the opportunity to demonstrate these important intangibles in your environment.

Contact VerSprite today to understand more about our MDR Service.