Top 10 MDR/MSSP Selection Criteria

July 22, 2019


The following is a guest blog, composed by Bill Frank.

Until recently, organizations without the internal cybersecurity resources, staffing, and expertise to build their own Security Operations Centers had no choice but to rely on managed security services providers despite the providers' limited capabilities. Now these organizations have the opportunity to move to a new type of provider that meets all ten of my top criteria for selecting a managed security services provider.

The first four represent new capabilities that only a few providers have architected into their services. The next two represent capabilities that were always critical, but the requirements have increased. The last four have always been critical.

1. Technology stack built to leverage "intelligent" security controls

Managed Security Services Providers have been around since the late 90s. However, they have rarely met customers’ expectations due to the limited functionality of the tools they use, whether home-grown or commercial off-the-shelf. They suffer from the same problems that traditional SIEMs have. We have learned that it’s simply not possible to build a high-quality threat detection engine with only the limited information provided by asset logs.

We are currently experiencing a revolution in “asset-level” security controls. Experts in specific asset types are building controls/countermeasures that take advantage of their deep knowledge of those asset types to (1) apply advanced algorithms that monitor asset events over time, in addition to (2) making decisions in the traditional “microsecond” time frames they have used in the past. The result is that these “intelligent” controls generate higher-confidence alerts.

My first experience with intelligent controls began about four years ago with endpoint agents that leveraged the cloud to provide prevention, detection, and response capabilities. Considering that cyber adversaries are so focused on compromising endpoints (workstations and servers), this represented a major breakthrough to help organizations improve their cybersecurity posture.

The importance of intelligent endpoint controls is supported by the fact that most of the cyber adversarial tactics and techniques identified by the MITRE ATT&CK Matrix can only be detected and/or blocked by an endpoint agent. You can use the MITRE ATT&CK evaluations to help compare endpoint agent capabilities. I discussed endpoint security in detail over a year ago here:

What started with endpoints is now spreading to a variety of asset types including email, web application security, and network traffic analysis. Note that I use asset types and attack surfaces interchangeably. (From my perspective an asset type is also an attack surface.)

Therefore, the value-add of a managed security service provider is shifting. It’s becoming less about correlating a blizzard of low-quality raw events from dumb controls, and more about rapidly evaluating the extent of detected attacks and responding quickly to minimize their impact.

In reaction to this revolution, we are seeing new managed security service providers architect their technology stacks around these “intelligent” attack surface controls. Note, just as I have seen before in other areas of cybersecurity, in the face of rapid technical innovation, legacy providers adapt their marketing messaging, but don’t actually re-architect their underlying technology stack.

2. Ability to rapidly respond to detected attacks

Traditional managed security service providers simply alert their customers when they think they might have detected a threat. That leaves the customer with the hard work of responding to the specific alert: first determining whether it’s a true positive, then determining the full extent of the possible attack, and finally taking the appropriate actions to end the threat. Furthermore, too often the alert is either benign or even an outright false positive.

A modern managed security service provider has the ability to respond quickly to the high-confidence alerts generated by intelligent controls, as well as alerts generated by the provider’s internal algorithms and automated playbooks. Automated playbooks built using SOAR (Security Orchestration, Automation, and Reporting) tools are a critical provider capability.

3. Threat hunting leveraging threat intelligence

Threat hunting is much more than generating results from a set of pre-defined queries. Effective threat hunting depends on high-quality threat intelligence that is expensive to produce internally and/or purchase from third parties. Open-source threat intelligence by itself is not enough. One area that has become critically important is DNS traffic analysis, because that protocol is often used for exfiltration. Collecting and analyzing DNS traffic from customers alone is not enough; a far broader volume of traffic must be collected and analyzed. There are only a few providers with this capability.

4. Uses commercial tools with open APIs

There was a time when managed security services providers tried to differentiate themselves by building their own proprietary detection engines. Unfortunately, they were never able to keep up with software manufacturers, who have a much broader market over which to amortize development costs. Today, it’s imperative for providers to use commercial off-the-shelf solutions in order to stay at the forefront of available capabilities.

5. Portal with metrics to keep customers informed

A good customer-facing portal has always been a key criterion. But the metrics required have expanded to cover incident response.

6. Substantial capital to prosper independently

During the past few years, we have seen many value-added resellers attempt to bootstrap managed security services offerings. Unfortunately, this approach generally leads to mediocre services and difficulty meeting the stringent SLAs customers expect. We have reached a point in time when anything less than $100 million in capital seems inadequate.

7. Deep, provable cybersecurity expertise

The extreme growth of the cybersecurity industry has drawn many people from other segments of information technology. While a lot can be learned in a short amount of time, it takes many years of actual experience to develop the expertise and judgment needed to build a quality managed security services operation.

8. Two or more fully operational SOCs

Nothing new here. You surely want your provider to be able to sustain a major outage and continue to provide you with service. The two SOCs should be in different time zones. Better yet, two different continents. It is expensive and necessary.

9. Staffing to provide 24x7 eyes on glass

Again, nothing new here. Given the speed at which adversaries can progress through an organization, 24x7 “eyes on glass” is critical. Even more so when considering the customer's top priority is preventing a “catastrophic” incident. The staffing required for true 24x7 operations is expensive, and necessary.

10. Availability of additional incident response resources in the event of a breach

While automated and human analyst responses are standard capabilities of a modern security service provider (see #2 above), the provider must be prepared to quickly activate additional resources in response to a major incident. Since speed is critical in order to minimize losses, there is a major benefit in having a team that is already familiar with your environment and can quickly leverage already collected event data.


Bill Frank is Vice President of Security Services at INNO4, a leading nationwide technology integrator. INNO4's team of professionals works closely with customers to design, implement and maintain solutions from four primary technology platforms or Centers of Excellence: Data Infrastructure, Cybersecurity, Enterprise Mobility, and Audio Visual.