QUESTION #2
What do I want from a provider?
The best way to get what you want from an MSSP is to have a clear understanding of your requirements and your non-negotiables. Everything else can be worked out.
BACKGROUND
When it comes to security (and picking the best provider), the path forward can be unclear, because there are many options and variations to choose from. Additionally, past the big metrics of Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) things get very difficult to define (or get a Service Level Agreement for). Similarly, MTTR can mean different things. Is “response” simply sending you an email? Or, is it sending you an email with useful, enriched data so you and the MSSP can work the issue together? Or, is it more (or less)?
There are thousands of providers operating today. With so many competitors, it can be hard to find the best one for your organization. Here are a few quick ways to narrow down the list.
First, what are you looking for?
Unfortunately, the acronyms and lexicon move so fast that not everyone agrees. For purposes of this paper, MDR (Managed Detection and Response) is a service that can include endpoints, cloud, SaaS, etc. XDR (eXtended Detection and Response) is a technology platform, similar to SIEM and SOAR, and increasingly leveraged to deliver MDR.
MXDR (Managed XDR) is a term used to describe managing the XDR technology, similar to a Managed SIEM. It is sometimes used improperly in an attempt to differentiate an MDR provider from other MDR providers because they consume more sources of telemetry besides EDR and/or because they use an XDR platform. Put more simply, figure out what tools you have (and/or want to plan for), and who you want to manage them. A quick review of your security tooling and an evaluation of what you want included (particularly around endpoint, SIEM and identity) will make this conversation easier.
Another factor to consider is integration and authorization.
How many different security tools do you want your MSSP to interact with or to manage on your behalf? Do you want them to perform actions on your endpoints (e.g. isolation)? On your identity solution (e.g. turn off a user’s account or reset their credentials)? How do they want to securely gain access to these systems? How can you be sure they’re out of your environment if the contract is not renewed? How far are you willing to let (or do you require) your MSSP to take actions or make changes in your environment? You can outsource responsibility, but you can’t outsource accountability. That ultimately remains with you.
TIP: Get a partner to help you decide. There are thousands of MSSPs out there. Which one is the best fit for you? A partner who is familiar with the industry can help you narrow the list of candidates and select a provider that will meet your requirements.