If you’re aiming to improve your organization’s threat detection and incident response (TDIR) capabilities, I’m willing to bet you’re annoyed and frustrated by trying to navigate the managed cybersecurity market that’s rife with imprecise terminology and vendors willing to bend definitions to fit their solutions. As a result, you have an extremely difficult job in trying to find the right solutions, let alone pick the best one.

So, in short, if you are looking for wider attack surface coverage, deeper threat detection, and faster incident response, I hope this article gives you some clarity and confidence in your evaluation process.

Step 1: Untangle the Market Categories

Unfortunately, cybersecurity market analysts and vendors invent a new solution category every time they simply improve a feature or introduce a new approach. As a result, to improve threat detection and incident response, you have to sift through the following market categories. I’ll explain my take on what actual nuances matter in each category.

• Managed SIEM (Security Information & Event Management): Let’s start here. If a vendor ever says “SIEM is dead”, walk away. It’s not. Cybersecurity starts with visibility. And visibility starts with effective data collection, normalization, and correlation. But also, SIEM is hard. Disparate data sources across endpoints, on-prem networks, cloud infrastructure, and SaaS applications has only made it harder. A vendor that says SIEM is dead is one that simply can’t do it well. But also, while SIEM is a fundamental capability, ask yourself if you need a more comprehensive solution.
• SOCaaS (SOC as a Service): Oh boy, an acronym within an acronym. You’ve outdone yourself cybersecurity market analysts! The SOC (Security Operations Center) should be a functional team of security experts with the right tech and robust processes to handle continuous monitoring, threat detection, and incident response. A vendor offering SOCaaS may have their own SOC technology, or they may be using third-party vendors; and their SOC staff may be employees, or they may be contractors.

• MSSP (Managed Security Service Provider): Taken at face value, this category sounds straight forward, but there is so much to be defined in terms of security scope. You can bank on one thing – it will be a managed service. But will it be 24x7x365 monitoring? Will it cover your entire attack surface? Is the MSSP a cybersecurity generalist that manages your firewall configs, performs penetration testing, conducts cybersecurity awareness training; or is the MSSP truly a threat detection and incident response specialist?
• MDR (Managed Detection & Response): This trips up a lot of people because of the ambiguity of coverage. The problem is there’s a missing word between “Managed” and “Detection”. What does the MDR cover? Endpoints? Networks? Cloud? What? Be aware that the answer is very different per MDR provider. Historically speaking, most MDR providers rely on EDR (Endpoint Detection & Response) platforms.
• Managed XDR (Extended Detection & Response): First and foremost, XDR refers to the technology platform and implies it covers a wide range of telemetry sources across endpoints, network, cloud, etc. But to what degree is of course the important question. How big is their data source integration library? Does it include your data sources? And what response? Ask the XDR vendor about extended response as well. What workflows can it trigger to expedite successful incident response? And lastly, consider the marriage of MDR service and XDR tech – Managed XDR – and investigate closely the vendor’s service level and flexibility to accommodate your needs.

Step 2: Consider Attack Surface Coverage

Once you understand the nuances of the categories and can articulate what scope of technology and service are important to you, next is to evaluate which vendors have the wherewithal to protect your environment. This is a great way to quickly pare down the field of contenders. Look for an online library of data source integrations or similar terminology. Disqualify any platform that doesn’t cover your IT estate, especially vulnerable legacy systems that might not always be fully patched.

Protect more than your “Digital Front Door”
Your business has many points of cyber-attack vulnerability

Step 3: Inspect the Detection

So, you’ve shortlisted the type of provider and shortlisted those that cover your assets. Now, it's time to inspect that coverage as not all data source integrations are created equal. Watch out for really weak integrations that may collect data but not really mine intelligence and serve up actionable alerts. Ask your vendor to explain their Common Indexing Model (CIM) which is what makes it possible for their system to identify Indicators of Compromise (IoCs) across multiple assets. A vendor’s integration is much more than ingesting data. Ask to understand these five (5) elements – Parsing Rules, Correlation Rules, Alerts, Dashboards, and Reports. A common requirement is in-depth Microsoft 365 integration.

Step 4: Be Skeptical About Response

This is where the rubber meets the road as they say. Because of the multiple stages and hands-on activity involved, Incident Response requires particular attention. Reality is you and the vendor should accept a shared responsibility (or “shared fate”) mentality to truly have a successful outcome. Ask your vendor about how much involvement you have in shaping the SecOps Runbook and IR Playbook. Ask about Automated Response as well as Guided Remediation support. Both machine and human involvement should be expected. Speaking of humans, throughout the tuning, monitoring, detection and response stages, insist on a full understanding of their SOC’s dedication to your environment and specialized roles in malware analysis, threat intelligence, threat hunting, incident response, and customer success management.

BONUS: Consider an MSP

Because of their intimate knowledge of the IT environment and advantages of an existing relationship, IT managed service providers (MSPs) are taking on more managed cybersecurity responsibilities including threat detection and incident response. A winning cybersecurity combination for many organizations is to work with an MSP that is a cybersecurity generalist but brings a Managed XDR specialist into the SecOps picture. Such vendors must be MSP-ready and account for multi-tenant management, flexible pricing models for continuous scaling up and down, and simple deployment.