Is Your Managed Detection and Response (MDR) Service ‘Right Sized’ for You?


Managed Detection and Response (MDR) is a relationship. Ever feel like your MDR partner just doesn’t get you? It might be them, or it could be you. At the very least, it could be a question of matching the scales of your respective businesses. For this discussion, consider ‘right-sized’ to mean on a scale that matches your business.

What follows is a consideration of some of the factors MDR services aspire to, as seen through the lens of scale. Although some may be slightly technical, many are intangibles that affect the satisfaction of the undertaking over time. 

Finding the Right Managed Detection and Response Partner

Choosing the right MDR partner is a decision that is up there with the most crucial relationship choices in life. It is a decision with equal parts ‘know yourself’ and ‘know your suitors.’

After all, these people will operate at the core of your business and be responsible for its preservation. When arriving at this choice from a position of security self-doubt, there is a temptation to connect with the most prominent providers under the assumption that their breadth of market equates to a depth of service and knowledge.

Certainly, there are opportunities to leverage that scale like a rising tide to raise all boats. With discipline, large providers can achieve this. After all, managed detection and response teams are made of people, and the team’s character is a core intangible that could be related to any MDR team anywhere. However, consideration should be given to the idea that bigger may not be better for several reasons.

Instead of going to the usual metaphor of a life partner, ask yourself about another critical relationship, perhaps a ‘best man’ or ‘maid of honor’ role, where their lifelong service will affect your outcomes. Their duties in the near term, as well as over a lifetime, reflect the virtues of how they get the job done as much as the individual tasks performed. Take this as a model when considering this other important relationship.


Service Components of an Effective Managed Detection and Response Relationship

There are many practical considerations to choosing an MDR service. Some are ingredients that you live with day in and day out. Other ingredients, while not initial considerations, strongly define the relationship.


  • Communication

Communication in all its forms is a vital aspect of constantly adapting an MDR service to evolving IT forms and flare-ups in threat posture. Communication and constant, convivial access to team members are essential. New business is resolved periodically: weekly meetings between organizations ensure execution goals are met, whether adapting to IT reengineering or new policy changes.


  • Execution

Execution of the analytic mission is the fundamental requirement of an MDR analyst. Within right-sized MDR teams exists a limit to the span of client architectures, which becomes a fundamental contributor to the analyst’s ability to execute. In all settings, analysts are tasked with the ability to explore within their tech stack and, equally important, within the span of the client’s IT stack. While there is no expectation of lessened execution levels from providers with large clientele spans, the difficulty for the analyst multiplies with the increase in the number of IT environments serviced. For the right-sized MDR team, a limited scoping of client architecture is a secret weapon for better execution.


  • Sense of Mission – Perhaps the Intangible

Personal relationships from focused communication develop a sense of connection, which is a vital contributor to the effectiveness of a service. Where right-sized MDR teams truly shine is in the ownership and sense of mission that come from the time spent developing these relationships. Right-sized MDR teams allow for a camaraderie between client and provider that drives and motivates the analyst to solve deep issues beyond the first bit of evidence. The more clients that are managed at a single time, the greater the division of dedication to mission among them.


  • Attainment of Knowledge

Knowledge development from information gathering is a common task for teams of any size. Holistic knowledge, including understanding threat modeling, threat hunting, and research, is necessary for the modern MDR team. The overlap of duties of a right-sized team brings synergistic approach alternatives that expand the means to address issues. Given the need to transition between these tasks on a day of analysis, we feel compelled to spread these duties under one directorate, sharing opportunities to sharpen the skills.


  • Value

Often, but not always, providers of right-sized MDR services provide a more direct, pared-down structure featuring a flatter management hierarchy and fewer ancillary services. If so, cost structures may be more reasonable, with the added side effect of driving decisions through a limited channel of decision-makers, hence improving communication. The scale match drives efficiency, full stop. This may be the point for introspection and self-reflection. One might ask: how needy am I for incidental extras surrounding the service I seek? An effective provider will provide extras, perhaps through performance metrics and discussion. However, if more luxury, comfort, or marketing-based items are sought, the rugged efficiencies of SMB-focused providers may rule those out.


  • Flexibility

Finally, inherent in a potentially pared-down, flatter structure is the follow-on to more direct communication: flexibility. With a lower span of effect for service decisions combined with limited management layers comes an ability to adapt to requests and changes that more rigid hierarchies may not match. More flexibility brings speed of adaptation that may prove vital in the defense of a network.


Business Pressures and Tendencies Versus Service Components

When interpreted through the lens of business tendencies, the components above may change depending on the size of the service provider. While not completely universal, competitive environments for larger providers tend to favor, over the long term, realities of service more conducive to their economies of scale than perhaps the mission of your security group. If you are large and matched in size to your provider, this may be an advantage. You may reap the benefit of the lion’s share of attention while having smaller firms subsidize your service levels. Likewise, providers at a scale common to their clients should have an opportunity to outperform in a variety of areas.

Business pressure at larger scales often means divided attention and interest at the analyst and management levels. Larger providers may adhere to the focused approach of a right-sized MDR team for a smaller client. However, through the years, cost-cutting incentives and resource shortages naturally incentivize larger providers to divide the attention of their analysts. A large provider must have a codified, zealous, even intention if it is to maintain its small business approach through cycles of management change, personnel shortages, and fluctuating quarterly performances. Historically, it is not an easy culture to maintain.

Ultimately, anyone interested in a managed detection and response service wishes for concern from the provider that matches or exceeds their own. On the opposite side of the coin of mission orientation, a smaller client firm can face a stair-stepped focus of attention and concern where larger providers emphasize the larger contracts they hold. For their smaller clientele, having to vie for normal attention is always a possibility. In essence, if every client is not essential, then the opportunity to fill that lower niche with a revolving set of filler revenue can become enticing to those doing the selling.

Conditions do exist where larger firms are favored. If a client has a vast IT organization and resources, they “may need a bigger boat.” Suppose a client requires specific and unusual niche capabilities related to a wide-ranging geography or a combination of specific ICS/OT technology. A larger firm might be more likely to fulfill that need in that case. However, in the latter case, room exists to consider a boutique specialist right-sized MDR firm specializing in the area of need.


The Maturing Tech Stack – No Longer a Limiting Factor

Given the maturation of the SaaS market for security, security providers find themselves in an enviable position. They may make their best choice selection of providers without the necessity of utilizing an in-house product. When the phrase “we eat our own dog food” arises, it should conjure in your mind a question of why it should be necessary to say that. Is there a notion of sacrifice to run in-house software to maintain testing of it for a diverse audience that may not look like your business? If they are one of one in the market with a capability that none other can match, then they have an argument, but otherwise, you may be contributing to product development. In essence, you are part of the product.

Our managed detection and response team has chosen a high-quality tech stack of EDR, Next Generation Intelligent SIEM, and SOAR, which we highly favor. That luxury is available to all conscientious SMB providers, and the once true but now-dated assumptions to the opposite should be reconsidered. We have the opportunity to choose the Artificial Intelligence adjunct that best suits our experience of capability. We have the additional opportunity to choose between a wide variety of options that integrate well into the modern, cloud-centric IT environment. Given the SaaS ubiquity for SMB providers, it goes for our competitors as well. More than ever, capability is truly in the hands of the provider of SMB MDR services.


VerSprite’s Managed Detection and Response Services

At VerSprite, Threat Intelligence Group, our MDR services with 24×365 capabilities bring our advanced tech stack, including Highly Adaptive Cybereason EDR, Intelligent Next Generation Stellar SIEM, and the adaptation and custom content capabilities afforded us by D3 SOAR. Additionally, our strong integration services adapt to components of a variety of tech stacks.

Our consulting services effectively meet the missions of the businesses we serve. Let us demonstrate these important intangibles in your environment.

Contact VerSprite today to understand more about our MDR services.