The Strategic CISO: How to Know When It’s Time to Switch to MDR

I was recently asked by MSP Insights to share thoughts on the MDR market and on how security leaders know it’s time to switch to a managed detection and response (MDR) provider. Technology has always been about transitions. In cybersecurity, we’ve segued from focusing on fortifying the perimeter with firewalls and other traditional tools to defending an enterprise with no readily defined borders — requiring increasingly innovative approaches to protect digital assets and reduce risk. What is the difference between MDR vs MSSP and which one best fits your organization?

Given the inevitability of change, chief information security officers (CISOs) must routinely re-assess their operational models to determine if they need to rip up the current blueprint. And, more than ever, these CISOs are turning to a managed detection and response (MDR) partner to elevate their maturity and meet today’s challenges. By 2025, half of organizations will be using MDR services for monitoring, detection and response functions in order to contain threats, according to a projection from Gartner. Research firm EMA surveyed mid-sized and large enterprises investing in MDR capabilities and found that a full 37 percent of respondents reported reducing mean time to resolution (MTTR) of attacks by between 50 to 100 percent, reflecting where triage time was slashed or averted altogether.

As a CISO, CIO, or other decision-maker, how do you know when it’s time to transition to MDR services? Here are three telling signs: 

Your MSSP is no longer up to the task

MSSPs (managed security service providers) arrived in an era when IT departments purchased firewalls, antivirus products and email security solutions. Organizations outsourced the oversight of these, because there was no budget to hire, certify, train and manage people to do it internally. But as attacks grow in sophistication and volume MSSPs lose relevance.

Why? Because they often generate too much noise and put the burden on the customer to sift through thousands of alerts. These services were never designed to perform investigation and response — and customers struggle to do that on their own. Additionally, these providers are reliant on simple preventive controls and lack visibility into the bulk of modern attacker techniques. 

In contrast, MDR is a “security as a service” offering in which external teams monitor customers’ networks 24/7/365 to detect suspicious activity and launch effective mitigation/prevention measures backed by proven data. This decreases the number of days, weeks or even months that a threat can hide within a network and compromise/steal data — i.e. “dwell time.” At their core, the most valuable MDR services combine advanced technology, a balance of machine learning and nuanced human analysis (or “authentic intelligence”) and expertise to stay one step ahead of attackers.

What’s more, the best MDR providers will not only tell customers what was flagged — they will explain what it means. If an alert goes off on someone’s laptop, for example, they will dive deep to explore whether the issue is unique to that device, if it has spread to others within the enterprise and if there is suspicious activity associated with it. With the MDR provider sharing a wealth of threat intelligence and data, CISOs obtain a comprehensive view of their entire cyber risk landscape, and make better decisions as a result. 

You want to manage false-positives to avoid false negatives 

MDR services bring the talent of highly experienced professionals who understand how to sift through the endless alerts and make sense of it all. In addition, their outside objective eyes may draw meaningful conclusions from “false positive alerts”,  that others may simply discard as a nuisance. This is preferable to the alternative — a false-negative — where you are missing a threat entirely. 

Consider a physical security analogy: Suppose a package with suspicious features like excess tape, a missing return address and what looks to the casual eye like stains or residue turns up at a warehouse or office, leading someone to sound the alarm. Because the risk of injury from explosives and bioweapons delivered through the mail is so severe, we have to credit alert staff and facility procedures that flagged the package. Even if police and hazardous materials teams confirm it was all a false alarm, it would be a mistake to dial-down physical security and mailroom procedures, because we do not know what will be in the mail tomorrow. However, evacuating the mailroom every time any package arrives would be disruptive.

What if packages could be safely inspected, at speed, by experts, before arriving in the mailroom?  And, the same experts could monitor and respond to threats that may have slipped past preventive controls powered my thousands of similar investigations.

Good cybersecurity analysts and incident responders tune their visibility and control to account for technology evolution, massive shifts like remote work during a pandemic and human errors. This is another example of where MDR capabilities can discern between true and false positives, by providing context and historical timelines in an instant. The problem with false positives is not that they exist, necessarily — it is that internal staff is so inundated with data, that they reflexively want to pare down the firehose of alerts – which can silence true positives.

You’re seeking a seat at the strategic leadership table

CISOs used to keep relatively low profiles — until something is breached. But this dynamic is changing, especially in a pandemic environment in which so many organizations have added new technologies to the CISO’s defensive scope, like remote-access control systems, niche SaaS applications, contactless payment platforms and building automation. C-Suite leaders used to equate “technology” with a “support” function of the business but it is no exaggeration to say that now technology is the business. Meaning the CISO’s team, tools and partners are what stands between business resiliency and an attack or disruption bringing the business to a halt. In other words, CISOs are rising influencers and they must “prove that security is happening” by distilling insights and metrics from all that data.

Yet, it’s difficult to strategize and distill when you’re constantly sidetracked with firefighting duties. By handing off the monitoring and firefighting to the MDR team — and keeping them accountable, CISOs stay focused on the strategic vision, while building, validating and championing an optimal state of protection and risk reduction — securing their seat at the leadership table.

It all comes down to how you’re going to invest your time, energy and budget. Do you pay to build and  run your own security operations center? Accounting for holidays and vacations, it takes about 15 full-time resources to staff a moderate 24/7 SOC. In even large organizations, this pulls resources away from projects and other strategic initiatives. Where will you find your talent? Once trained, SOC analysts typically walk out the door within a year for twice their current salary.  When it comes to maturity, how quickly will your program stand up to C-suite scrutiny when they ask: “Are we secure?” Some enterprises, the security one-percenters, have the talent and treasure to take on this challenge alone — others simply don’t. 

It is too expensive and time-consuming to tackle these requirements on your own. But by partnering with the right MDR provider, you’ll meet and even exceed organizational expectations with more conclusive data to back up your performance claims. Learn more about managed detection and response in my on-demand webinar: Demystifying MDR for the Security Conscious Buyer