25 September 2024
Matthijs van der Wel - ter Weel
Strategic Advisor
Choosing the right technology when considering Managed Detection and Response (MDR) services is a bit like finding the perfect moment to break away from the peloton during a cycling race. Timing is everything, and appearing at the start line with the right technology can make all the difference.
We are often approached by companies asking us to provide a quote for MDR services. In these quotes, they would like to include various technologies such as EDR (Endpoint Detection and Response), NDR (Network Detection and Response), SIEM (Security Information and Event Management), or XDR (Extended Detection and Response). We notice that too often they have not thoroughly thought out their choices.
Therefore, we have a tool on our website to guide you through this process. Our experts also have more advanced tools and offer workshops that provide you with a comprehensive understanding. But for those who do not want to use these tools or participate in a workshop, I will explain simply in this article what you need to know to make a better-informed choice when it comes to your ideal MDR service package.
To truly see the threats lurking in your system, we need to look at Gartner's SOC visibility triad:
• EDR helps you see what is happening with your computers;
• NDR monitors your network;
• SIEM keeps an eye on your devices and applications.
In addition, there is SOAR for automatic responses and the newest member, XDR, which uses AI to detect and address threats.
Each of these technologies has its benefits but also requires an investment of time and effort to truly excel. Even when purchased as part of a service, you will still need to invest time with your provider to optimize threat detection and develop real-world scenarios tailored to your business.
Our recent research report Security Navigator 2024 provides an overview of how MDR helps you achieve your business goals and how quickly you can see results.
To fully benefit from the power of MDR, the right setup is required. EDR requires a small piece of software to be installed on each device. This can be either simple or challenging depending on your IT situation. And you need to coordinate this with your privacy team and works council because you are monitoring devices. NDR needs to be physically installed and connected to network hardware, which can be complicated if your network is a maze of segments and switches.
Then there is SIEM, which requires your log files, but choosing which ones to send and ensuring they contain the right information is crucial. What do you want to watch for? SIEM is the most established of these technologies, but the oldest option is not always the best one to start with. Be aware that SIEM solutions, such as Microsoft Azure Sentinel, often charge based on the amount of ingested log data, which can vary and potentially lead to unexpected, and sometimes high, costs.
Each of these technologies comes with default scenarios they are looking for, such as when your email server starts communicating with an online file-sharing service - that usually is not part of its duties. So, you get an alert, and then it's up to you to determine if it's a real problem or just a false alarm. Maybe your IT staff does indeed download files from the cloud once a month - that's normal for you, so no alarm. And if it's just someone from marketing downloading ad designs, then it's a false alarm. This is what we call "tuning" - adjusting the system to know what is normal for you.
Monitoring is also personal. Suppose you don't want outsiders to have direct access to your network but always have to go through a secure checkpoint. Your MDR service can then set up special rules to catch any violators. These special rules (use cases) will need to be created.
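The two kinds of rules described above, a default scenario that has to be tuned and a customer-specific use case, can be shown in a few lines of detection logic. The following is an added illustration, not code from the article or from any MDR provider; the log format, the hostnames, the IP ranges, the file-sharing domain and the jump host are all constructed assumptions. The default rule fires whenever a host contacts the file-sharing service; the tuning object records what is normal for this organisation (marketing workstations and the IT admin downloading files) so only the mail server is still flagged. The use-case rule flags any connection into a restricted segment that did not come through the jump host.

```python
"""Toy detection rules with a tuning allowlist, run over constructed log lines.

Added example for illustration only; the log format, hostnames, addresses and
domain names below are constructed and not taken from any real environment.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed proxy/firewall style events: source, destination, port, user.
LOG_LINES = [
    "2024-09-25T08:01:10Z src=mail-01 dst=files.example-share.net port=443 user=svc_mail",
    "2024-09-25T08:02:44Z src=ws-mkt-07 dst=files.example-share.net port=443 user=j.marketing",
    "2024-09-25T08:05:02Z src=ws-it-02 dst=files.example-share.net port=443 user=it.admin",
    "2024-09-25T08:07:19Z src=10.20.5.14 dst=10.50.0.8 port=22 user=contractor",
    "2024-09-25T08:08:33Z src=10.10.1.5 dst=10.50.0.8 port=22 user=ops",
]

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+) user=(?P<user>\S+)")

# Default scenario shipped with the product: traffic to an online file-sharing service.
FILE_SHARE_DOMAINS = {"files.example-share.net"}          # constructed
# Customer-specific use case: this segment may only be reached via the jump host.
RESTRICTED_NET = ipaddress.ip_network("10.50.0.0/24")     # constructed
JUMP_HOSTS = {"10.10.1.5"}                                # constructed


@dataclass
class Tuning:
    """What is 'normal' for this organisation. Starts empty and grows during onboarding."""
    allowed_file_share_hosts: set = field(default_factory=set)
    allowed_file_share_users: set = field(default_factory=set)


@dataclass
class Alert:
    rule: str
    src: str
    dst: str
    user: str


def parse_line(line):
    """Extract the fields we need from one constructed log line, or None if it does not match."""
    match = LINE_RE.search(line)
    return match.groupdict() if match else None


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def evaluate(lines, tuning):
    """Run both rules over the lines and return the alerts that survive tuning."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue

        # Default scenario: anyone talking to the file-sharing service, minus tuned exceptions.
        if event["dst"] in FILE_SHARE_DOMAINS:
            tuned_out = (event["src"] in tuning.allowed_file_share_hosts
                         or event["user"] in tuning.allowed_file_share_users)
            if not tuned_out:
                alerts.append(Alert("file_share_contact", event["src"], event["dst"], event["user"]))

        # Custom use case: entry into the restricted segment that bypassed the jump host.
        if _is_ip(event["dst"]) and ipaddress.ip_address(event["dst"]) in RESTRICTED_NET:
            if event["src"] not in JUMP_HOSTS:
                alerts.append(Alert("restricted_segment_bypass", event["src"], event["dst"], event["user"]))
    return alerts


if __name__ == "__main__":
    print("Before tuning:", evaluate(LOG_LINES, Tuning()))
    tuned = Tuning(allowed_file_share_hosts={"ws-mkt-07"}, allowed_file_share_users={"it.admin"})
    print("After tuning: ", evaluate(LOG_LINES, tuned))
```

Before tuning the file-sharing rule fires three times and the jump-host rule once; after recording the marketing workstation and the IT admin as normal, only the mail server and the contractor's direct connection remain. The tuning object is the part that has to be built together with the provider, and it is the part that goes stale when the environment changes.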
In Security Navigator 2024, we analyzed large amounts of data to see how many alerts were actual incidents compared to false alarms. You want to keep the number of false alarms low because they are time wasters. It turns out that EDR is usually accurate and provides more precise alerts than the rest.
When it comes to your applications and network equipment, things are not so uniform. Your MDR provider may then be inundated with false alarms if it is monitoring those. And if your IT environment is constantly changing, your custom scenarios will require constant updates - that's a lot of work on your part.
You don't want to just hand over your SIEM to an MDR service and leave it at that. You'll need to roll up your sleeves and get involved, especially if your company is serious about cybersecurity, has a stable environment, and you have the time to collaborate with your managed security service provider.
Starting with EDR is less cumbersome. It requires fewer adjustments because operating systems like Windows, macOS, and Linux are more standardized. You can further reduce the number of false alarms by deploying XDR with its AI intelligence. And if you combine EDR with NDR, even better!
Responding to alerts is another story. That's where SOAR comes in with its playbooks. These are like the manuals that precisely describe how to handle each type of alert. Again, this is entirely customized and dependent on how your business operates.
XDR and some EDR solutions that offer AI-driven responses introduce some ambiguity. Even with extensive testing, allowing AI to make important decisions, such as disabling a system, is something many are cautious about.
In summary, it's a good idea to start with EDR when you're new to MDR. Add XDR and AI to learn how to handle alerts. Bring in NDR later if you have devices where an agent cannot be installed. As you get better at this, add SIEM and SOAR.
Your ideal provider of Managed Detection and Response should be a guide that helps you grow in security. But also, a business partner that helps you accelerate digitally with confidence. Feel free to call us or send a message to create a roadmap together for MDR technology and services that align with your current and future organization.
Matthijs has over 20 years of experience in cybersecurity with a focus on incident response and cyber threat intelligence. With his technical expertise and business background, he explains complex cybersecurity issues and translates them to the level of management and the board of directors. Matthijs is also a guest lecturer at the Erasmus School of Accounting & Assurance (ESAA) and a sought-after speaker.
Detection and response require time, skills, resources, and investment. If you want to get an idea of what the best option is for your organization, try our Managed Detection and Response Buyer’s Guide.