Managed MDR Services as a Force Multiplier

Written by SecureOps Team | Jul 21, 2025 3:24:46 PM

Driven by the growth in sophisticated cyberattacks, regulatory compliance requirements, and a shortage of skilled cybersecurity talent, managed detection and response services are projected to grow annually at a rate of 25%. Proactive MDR services bring expert analysis and advanced technologies to help organizations enhance their overall security posture.

While security leaders indicate a shift from security as prevention to cyber resilience, managed MDR services bring a blend of both to fortify security operations. As organizations build out their security infrastructure and tooling, there’s a growing need for managed MDR services that bring advanced technology but integrate with the systems you own.

Why Your SIEM is Better than “Their” Platform

Integrating managed MDR services with your SIEM accelerates time to proficiency and acts as a force multiplier for your security posture. At least it should in theory, because:

  • Your staff knows your SIEM. The MSSP’s staff knows the technology as well. They speak the same language, which makes collaboration on common ground possible from the start.
  • Because the MSSP provides staff with certifications and expertise across security technologies, they can more easily correlate the data from telemetry, logs, and alerts across your systems to enrich context and eliminate the noise. Prioritization leads to productivity for them and, more importantly, effectiveness for your team.
  • This expertise also enables the MSSP’s security experts to provide alert escalations with context and guidance. Your team will know which actions to take to contain the threat or, after containment, to fully remediate it.
  • As an extension of your team, the MSSP works to continuously update runbooks, content, and detection rules in your SIEM to proactively secure your critical assets from sophisticated threat actors. You own this IP, you can see what actions the MSSP takes in your environment, and you retain control over your data, your processes, and your environment.

This said, we wanted to learn about what the lived experience was really like for large mid-size and enterprise companies outsourcing MDR services. To find out, we talked to CISOs and senior security leaders across a variety of industries who have evaluated or switched MSSPs in the last 12 to 18 months.

Managed MDR Services Can Introduce Security Gaps

First, we wanted to know where managed MDR services left security leaders short. Below are the frustrations some security leaders we talked to expressed about MSSPs they’ve worked with recently.

Lack of transparency.

“They were inflexible and opaque in terms of the rules that they have, the way they ingest and interact. We’d send stuff to them, and it was almost like a black box. So, our internal team couldn't really collaborate with them in a meaningful way.” Senior Security Engineering Manager, Energy

Excessive false positives.

“Many of the alerts they send us are false positives. Sometimes I get hundreds of emails in a row from them about the exact same behavior. We tell them to tune this out and then next week we'll get the same 100 emails in a row of the exact same behavior. It's like they don't learn our environment.” VP of Security and IT, Technology

Lack of meaningful data.

“It was impossible to get any meaningful data around true positives versus false positives, mean time to detect and remediate, basically any meaningful data out of the service. They were also doing technology maintenance, but we couldn’t get data on what they were doing to maintain the technology or what kind of improvements they were delivering.” Director of Security Engineering, Financial Services

Lack of performance.

“I started doing an audit of events and logs and discovered our main IDP had stopped sending events to our SIEM five months ago. They didn't notice, and our security team didn't notice, but the fact that our partner in logging and analytics didn't notice their main security source had just stopped producing logs…” VP of Security and IT, Technology

Loss of intellectual property.

“Our SIEM platform was owned by the MSSP, so when they left, they took all the rules and content with them. We’re not doing that again. Now we must recreate all of that. From now on, we’ll own the platform and the contents. The MSSP we choose will operate on it.” Senior Security Engineering Manager, Energy

What Security Leaders Want from Managed MDR Services

Now that we know what frustrates leaders about managed MDR services, we analyzed the conversations to extract the key points on which they agreed most.

Below are the six components security leaders agreed they wanted from MSSPs in their managed MDR services.

  • Key components for managed MDR.

Security leaders agreed that among the key components for a solid managed MDR service are 24/7 monitoring of security events, incident response and root cause analysis, and device and account containment. Additional services they value highly include threat hunting and intelligence, and vulnerability management.

  • Detection engineering support. 

Security leaders wanted an MSSP with the ability to update SIEM rules and tune the tooling. This includes the creation of content and runbooks based on threats relevant to their specific environments. Active help with business-level threat models was also of interest.

  • Honesty about capabilities.

Security leaders appreciated a vendor that’s honest and transparent about its capabilities with the organization’s specific SIEM and technology stack. This includes admitting when the MSSP cannot perform a service, or drawing on its expertise to recommend an alternative solution or a partner for a specific task.

  • Control over SIEM and data.

A recurring theme from security leaders is the desire to maintain control over the security platform, data, and their intellectual property. They want access to, and transparency into, the rules and configurations. There is a strong desire to oversee or co-design their security operations, and a strong dislike of “black box” processes. They also want to make sure the log data that supports their use cases is actively monitored rather than sitting in the data sent to cold storage.

  • Transparency in MSSP activities.

Security leaders want full visibility into when the MSSP accesses their environment, what actions it takes, and which processes it uses. This includes access auditing and strong security controls for the staff gaining access to their environment.

  • Measuring success and value.

Security leaders agreed that key performance indicators (KPIs) including mean time to detect (MTTD) and mean time to respond (MTTR) are fundamental. They also included a metric for reduced noise in the environment and documented follow-through on alerts requiring action. While price is important, many of the leaders we talked to said perceived value through breadth and depth of services, advanced capabilities, and building out their SIEM customized to their environment outweighed a lower price point.

Your SIEM Plus An MSSP’s Expertise: A Duo for Resilience

In a market characterized by rapid innovation, choosing an MSSP with the expertise to help you realize more value from the investment you’ve made in your SIEM provides continuous evolution toward stronger security operations. A partnership with true collaboration and expertise honed over years of experience across industries and tech environments means you’ll not only be prepared but also proactively strengthening cyber resilience to protect the business.

Rather than “renting” a platform that puts you back at square one should the relationship not work out, building your security practice on tooling you own means you’ll never lose momentum should you need to make a change.

We invite you to check out our Co-owned MDR offering if you’re interested in working with a different kind of MSSP focused on what you want and need to ensure MDR serves as a force multiplier for your security operations.