5 tips on how best to implement MDR

August 1, 2023

Wolfgang Kurz, Managing Director and Founder indevis (Source: indevis)

In addition to strong defences, a powerful threat detection and response is an essential part of a holistic security concept. With Managed Detection & Response (MDR), small and medium-sized enterprises can protect themselves just as well as large corporations. What should be considered when choosing a service provider and how can the implementation be successful?

Cyber criminals today are professionally organised, increasingly aggressive and equipped with state-of-the-art technology. Sooner or later they will succeed in breaking through even the best line of defence, so companies must always expect a cyber incident. To minimise the damage, the attack has to be detected and stopped as quickly as possible. This requires not only state-of-the-art security solutions, but also experts who operate them, analyse alerts and develop appropriate countermeasures. All of this is usually difficult for small and medium-sized companies to manage in-house. The trend is therefore towards Managed Detection & Response (MDR): a service provider supplies the appropriate security technology and expertise. As soon as it detects a threat, it notifies the customer and supports them in the next steps.

There are now many providers on the market. But how do you find the right one and how do you best implement MDR? Here are five tips.

1. Choose a specialised, experienced service provider

MDR requires in-depth expertise, and that cannot be built up quickly on the side. Choose a provider that specialises in managed security services and has many years of proven experience in this field. They should be familiar with the latest security technology, threat intelligence and current attack scenarios. Evidence of this can be found, for example, in certifications, customer references or employee profiles. Managed Security Services Providers (MSSPs) are also affected by the shortage of specialists, so make sure the service provider has enough staff and employs genuine experts. Visit them in person and have them show you how they work.

2. Pay attention to a high degree of automation

How well an MDR service works also depends on which technologies the provider uses. When it comes to threat detection, speed and accuracy are key. This is where a SOAR solution (Security Orchestration, Automation and Response) in combination with a SIEM (Security Information and Event Management) comes into play: they analyse the logs of the connected systems and, driven by playbooks, run automated checks to identify attack scenarios. In doing so, they apply stored detection logic and incorporate information from various threat intelligence sources. A good SOAR already comes with many ready-made playbooks for common incidents. The MSSP then adapts these to the individual customer's needs, develops them further and keeps them up to date.

3. Check whether and how your log sources can be connected

One challenge in MDR projects is connecting the log sources. Not every MDR solution works with every vendor's endpoint security products, so you should check in advance whether the MDR provider's security technology is compatible with your own security stack. This problem does not arise if the MDR service uses a vendor-independent, cloud-native SIEM (Security Information and Event Management) such as Google Chronicle as an intermediate layer. A wide variety of log sources can then be integrated easily via API and syslog, and telemetry from cloud services such as Office 365 and Azure AD can be connected in the same way. Google Chronicle automatically normalises the data so that it is properly prepared for analysis.
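As an added illustration of tips 2 and 3 (this is example code, not code from indevis or from Google Chronicle): a small Python sketch that normalises syslog lines from two different, constructed log sources into one common schema, then runs a playbook-style check over the normalised events for repeated failed logins from a single source address. The two log formats, the field names of the common schema and the threshold are assumptions.

```python
"""Example SIEM-style pipeline: normalise heterogeneous syslog, then run a playbook check."""
import re
from collections import Counter

# Constructed sample lines: an OpenSSH-style host and a hypothetical firewall appliance.
SAMPLE_SYSLOG = [
    "<38>Jan 10 10:00:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 5122 ssh2",
    "<38>Jan 10 10:00:03 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 5123 ssh2",
    "<38>Jan 10 10:00:05 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 5124 ssh2",
    "<38>Jan 10 10:00:09 web01 sshd[2201]: Accepted password for alice from 198.51.100.4 port 4410 ssh2",
    "<134>Jan 10 10:00:10 fw01 authd: event=LOGIN_FAIL user=root src=203.0.113.7",
    "<134>Jan 10 10:00:11 fw01 authd: event=LOGIN_OK user=bob src=198.51.100.9",
]

# RFC 3164-style header: <PRI>timestamp host app[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSHD_RE = re.compile(r"^(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def normalise(line):
    """Map one raw syslog line onto a vendor-independent schema; None if not a login event."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    app, msg = m["app"], m["msg"]
    if app == "sshd":  # free-text OpenSSH message
        e = SSHD_RE.match(msg)
        if not e:
            return None
        return {"host": m["host"], "user": e["user"], "src_ip": e["src"], "action": "LOGIN",
                "outcome": "FAIL" if e["outcome"] == "Failed" else "SUCCESS"}
    if app == "authd":  # key=value style appliance message (assumed format)
        kv = dict(KV_RE.findall(msg))
        if kv.get("event", "").startswith("LOGIN"):
            return {"host": m["host"], "user": kv.get("user"), "src_ip": kv.get("src"), "action": "LOGIN",
                    "outcome": "FAIL" if kv["event"].endswith("FAIL") else "SUCCESS"}
    return None


def failed_login_playbook(events, threshold=3):
    """Playbook-style check: source IPs with at least `threshold` failed logins across all hosts."""
    fails = Counter(e["src_ip"] for e in events if e["action"] == "LOGIN" and e["outcome"] == "FAIL")
    return {ip: n for ip, n in fails.items() if n >= threshold}


def run(lines=SAMPLE_SYSLOG):
    """Normalise all lines, drop the unparseable ones, and return (events, playbook hits)."""
    events = [e for e in map(normalise, lines) if e]
    return events, failed_login_playbook(events)
```

Because both sources are reduced to the same `src_ip`/`outcome` fields first, the playbook counts the firewall failure together with the SSH failures from the same address, which is exactly the cross-source correlation a normalising SIEM layer makes possible.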

4. Secure support in the event of an incident

What happens when the MDR service detects a threat? Together with the customer, the service provider should then investigate the incident more deeply and initiate protective measures step by step. Companies should make sure that the MSSP works closely with a specialised CERT (Computer Emergency Response Team) that is guaranteed to be on site quickly in the event of a cyber attack. Its forensic experts investigate exactly what happened, collect evidence that will stand up in court and try to identify the perpetrators. Together with the MDR service provider, they help you make the right decisions, clean up affected systems and get them back up and running quickly.

5. Define internal contacts and processes

To implement MDR, you need to work closely with the service provider, because a managed security service never takes responsibility off your hands entirely. Whom should the MSSP contact when it detects a threat? Who reports to whom, and who makes the decisions in your company in an emergency – for example, whether to take business-critical systems offline? It is important to define clear interfaces and processes for this. In addition, during onboarding the MSSP determines together with you which log sources you want to connect to the MDR platform; you yourself must then ensure that this data is reliably available.
