This blog originally appeared on the site, Managed Sentinel - now a BlueVoyant Company.
During our engagements with customers we regularly find ourselves having to explain the differences between the various flavors of MDR services, and sometimes even the difference between a one-time deployment of a security monitoring solution and the day-to-day maintenance that such solutions require. This is not because our customers don’t understand such services, but mostly because of the perception that cloud-based security controls are maintained by the cloud vendor. To an extent that is true: the vendor does commit to keeping the cloud-based service up and running and to providing fully transparent upgrades. However, the complete configuration and tuning of these solutions is still something that has to be done by the customer. In many cases one can simply go with the out-of-the-box policies and configurations, but in 99% of the cases these will lead to a poorly configured product that will most likely fail to deliver the expected value.
The “R” in MDR indicates that the service provider is willing (and able) to reach back into your environment to respond to or remediate the detected event. What that looks like depends on the type of security controls in place, since those controls have to provide the specific response capabilities the provider relies on. Some older technologies may require that the MDR provider have a virtual presence in your environment so they can act as a local security administrator.
The main takeaway is to make sure that the service being offered as MDR does indeed match your understanding of it. If the price seems low, verify the service details: how many analysts are assigned, what the coverage is, and so on. This is not the place to look for bargains; if it looks too good to be true, something is most likely missing from the service.