"MDRs are black boxes"
Why you are right and wrong about Managed Detection & Response services.
“You don’t know how MDR services work”
“They are not transparent in their detection”
“If you were to invest in your internal Security Operations you could have something better”
There are some problems with people making these statements:
High chance of delusion. They think there are no black boxes in their lives.
Most never even tried to build a team or a security practice.
I’ve been working with different SOCs for the past 10 years, and managing an MDR service for the last 5.
My intention here is to make you aware, as a buyer, of the fallacies you might be falling into, and of how these services operate, so you can decide if a Managed Detection & Response service is for you.
Accept Your Delusion
Chances are you don’t know how most services run in your organization. And even if you do, what’s behind them is also a black box. There’s a reason supply chain attacks are a thing.
Have you ever thought about how your EDR works? You flip some switches and that’s it. Are you remotely aware of how the underlying detection engines actually work?
But you trusted Gartner and it’s ok. Did you actually test the solution? How much?
What about your favorite restaurant? How often do you go to the kitchen to check? I could go on. SaaS services, data privacy, whatever. You get the idea.
Even if you had full transparency on something, can you judge if it’s correct? Do you even have the time?
If you are looking for an MDR or Managed SOC, you probably don’t have the required expertise in-house. Or you just want compliance. That’s why you started looking.
Last year, around 60% of my lost deals fell apart because customers couldn’t decide between providers. Not a coincidence.
But there are two things you can do about it: trust and validation.
If you actually care about transparency, go meet the team behind the MDR. Speak with their engineers. See if you like how they think. Check references, do a pentest, test defenses at 3 am.
But know that you are buying a packaged service designed to solve your problems. Which leads me to...
How MDRs Operate
If you hire a service, you must delegate control. No escape from this. But you need it because building it in-house is expensive and hard.
Every MDR depends on operational efficiency. We must serve many different organizations in a scalable, consistent way.
Customization is the enemy. That’s why many MSSPs and MDR services fail. They try to adapt their operation to each customer and it becomes impossible to sustain.
If an MDR tells you their service can be fully customized to your operation, they are lying or selling you something you’ll need to maintain yourself. There are exceptions, some MDRs fully specialize in one industry. But they’re rare.
One of the main levers we use is detection strategy. We define what we need to do to maximize the chances of detecting malicious actions, while keeping resources under control.
Every MDR team knows that missing a true positive can be brutal for reputation.
Deciding which alerts to process, how to triage, what to automate, when to escalate. Processing everything is not feasible. Not even with AI. At least for now.
As the service matures, MDR providers will know that focusing on certain points gives them a 95%+ chance of finding something bad.
We live and die by our detection strategy. If you picked a legit MDR, know there’s real thinking behind it. If we decide not to do something, there’s a reason. Maybe it’s useless, maybe it bloats your team, maybe it was noise.
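To make the "detection strategy" decisions above concrete (which alerts to process, what to auto-close, when to escalate, how to keep noise from eating the queue), here is an added example written for this page; it is not code from the author's MDR service or from any real product. The rule names, severity scale, asset tiers, thresholds and sample alerts are all constructed for illustration.

```python
"""Toy model of an MDR detection strategy: dispositions are decided per
detection rule up front, then applied consistently to every alert.
Everything here (rule names, severities, hosts, thresholds) is constructed."""
from dataclasses import dataclass
from collections import Counter


@dataclass
class Alert:
    rule: str        # detection rule name (constructed)
    severity: int    # 1 (low) .. 4 (critical), as emitted by the sensor
    host: str
    asset_tier: int  # 1 = crown-jewel, 3 = low-value, from the asset inventory


# The strategy lives at the rule level, not the alert level: that is what
# makes the service repeatable across many customers.
STRATEGY = {
    # Always goes to a human immediately, regardless of severity.
    "edr.credential_dumping": {"action": "escalate", "min_sev": 1},
    # Analyst triage from medium severity up; low severity is dropped.
    "edr.suspicious_powershell": {"action": "triage", "min_sev": 2},
    # Known-noisy rule: only critical hits get a look at all.
    "av.pua_detected": {"action": "triage", "min_sev": 4},
}


def disposition(alert, strategy=STRATEGY):
    """Return 'escalate', 'triage' or 'auto_close' for one alert."""
    policy = strategy.get(alert.rule)
    if policy is None:
        # No policy yet: an analyst looks at it until one is written.
        return "triage"
    if alert.severity < policy["min_sev"]:
        return "auto_close"
    action = policy["action"]
    # Asset criticality can upgrade an action, never downgrade it.
    if action == "triage" and alert.asset_tier == 1:
        return "escalate"
    return action


def apply_strategy(alerts, strategy=STRATEGY, burst_limit=3):
    """Route a batch of alerts into queues. Repeats of the same (rule, host)
    beyond burst_limit are folded into 'suppressed' so one noisy host
    cannot consume the analysts' time."""
    queues = {"escalate": [], "triage": [], "auto_close": [], "suppressed": []}
    seen = Counter()
    for a in alerts:
        key = (a.rule, a.host)
        seen[key] += 1
        if seen[key] > burst_limit:
            queues["suppressed"].append(a)
            continue
        queues[disposition(a, strategy)].append(a)
    return queues


def summarize(queues):
    """Counts per queue, the kind of figure a customer report would show."""
    return {name: len(items) for name, items in queues.items()}


# Constructed sample batch covering each branch of the strategy.
SAMPLE_ALERTS = [
    Alert("edr.credential_dumping", 3, "dc01", 1),
    Alert("edr.suspicious_powershell", 2, "ws-042", 3),
    Alert("edr.suspicious_powershell", 2, "dc01", 1),   # tier-1 asset: triage -> escalate
    Alert("edr.suspicious_powershell", 1, "ws-042", 3),  # below min_sev: auto-closed
    Alert("av.pua_detected", 2, "ws-013", 3),            # noisy rule, not critical
    Alert("av.pua_detected", 4, "ws-013", 3),            # critical hit breaks through
    Alert("unknown.rule", 1, "ws-099", 2),               # no policy yet
] + [Alert("av.pua_detected", 4, "ws-077", 3) for _ in range(5)]  # burst from one host

if __name__ == "__main__":
    for queue, n in summarize(apply_strategy(SAMPLE_ALERTS)).items():
        print(f"{queue:10s} {n}")
```

The point of the structure is the one the text makes: the thinking happens once, per rule, and the per-alert path is mechanical. When a customer asks "why did you not look at X?", the answer is a line in the strategy table, not a judgement call that has to be reconstructed afterwards.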
How To Get More Transparency
The best relationships I’ve had are with customers who want to learn how we work.
Don’t be afraid to test the service. Security monitoring is a complex art and mistakes happen. Maybe you ran a pentest and the SOC missed it. Or a missed detection became a breach.
Don’t wait for them to find out. Challenge the team early, in a good way. Pay attention to how they react. Do they help first before explaining? Do they acknowledge mistakes and propose improvements? Do they actually listen?
Do you understand the reports they send? Ask about them. Do you share the same perception of what’s working?
Do you feel the service is taking work off your plate? Or adding to it?
See your SOC as a partner. Talk to the team from time to time. Learn from them. Ask if one of their engineers can work alongside you for a while.
