Do a Risk Assessment before buying MDR

October 4, 2021
Ken Ballard

Why You Need a Risk Assessment Before You Buy MDR Services


An effective risk assessment looks at your unique assets and business processes, identifies threats against them, and lets you make rational decisions about how best to protect them. A risk assessment is therefore unique to every organization, even those in identical industries. For example, two nearly identical organizations might have slightly different tolerances for risk, they may choose to mitigate a given risk differently, or they may run different technology that gives them different risk profiles.

This is why it is so important to conduct a risk assessment periodically, and any time you invest in new technology. If you don’t, you may over-invest in some areas and under-invest in others.

One of the latest trends in cybersecurity is Managed Detection and Response, or MDR. MDR pairs newer detection technology with an outsourced response team and can improve an organization's security substantially, but a risk assessment is what gives you the confidence to take advantage of it in a way that truly suits your organization's unique needs.

The Need for Advanced Endpoint Protection

MDR begins with Endpoint Protection. Endpoint Protection is vital today for three reasons:  

  1. The traditional network perimeter is disappearing, and security defenses, such as firewalls, no longer offer adequate protection across a hybrid IT environment.
  2. The changing workforce dynamics instigated by Covid-19 are such that 86 percent of employees want to work from home. It’s clear remote work is here to stay to some degree.
  3. The crux of the matter is that endpoint devices, from employee laptops to personal devices, are becoming the new perimeter. This makes endpoint security a must-have for protecting your data, applications, and network.

As described in our recent blog post on security acronyms, XDR (extended detection and response) is the leading toolset for Endpoint Protection, and many vendors offer it. Where traditional anti-malware relies on passive signature-based scanning, XDR keeps signature matching but also analyzes system behavior, and it extends that visibility beyond the endpoint to other data sources. XDR then uses AI to respond to threats automatically.

Why Businesses Opt for MDR

XDR may be the latest advancement in detection and response, but it is not without its flaws. The all-encompassing scope of XDR means it monitors and generates alerts for threats across all endpoints, email, cloud infrastructure, and more. While artificial intelligence handles many of these alerts, XDR still creates a lot of manual work in tuning the platform and in triaging and responding to indicators of compromise (IOCs).

The additional work is creating increased demand for Managed Detection and Response (MDR), which outsources the operation of XDR to a managed service provider. That is, an MDR service provider monitors the XDR data feeds and handles further investigation and response. The demand for MDR is big, and the market is expected to grow from $335.5 million in 2016 to $1.6 billion by 2022.

The Importance of Risk Assessments for MDR

While MDR services provide a cost-effective means of obtaining advanced detection and response capabilities, it’s important not to treat MDR as a plug-and-play cybersecurity solution. In practice, not all systems are equal, and it’s prudent to align detection and response with critical business operations.

Do you need XDR on every system? Can IOCs on one network segment prompt a need to tighten security on another? How fast do you need to move in your purchase and deployment of a solution?

You really don’t want your MDR vendor answering these questions for you. Answer them first, with a risk assessment tuned to XDR/MDR. Without a risk assessment that says where XDR sensitivity on a given system should be tuned up or down for that system's role and circumstances, you can end up with alerts and automated responses that unnecessarily disrupt important business operations. Consider the following example of a medium-sized wealth management company:

  1. The company buys an MDR solution with the intention of protecting the large volume of sensitive financial data it stores and transacts.
  2. The company lets the MDR vendor apply a generic configuration. Because of this, a routine security alert on a marketing manager’s laptop temporarily shuts down the trading desk system while the alert is investigated.
  3. Rapid price movements in a dynamic financial market result in severe losses to the fund’s value and missed trading opportunities.

In this example, a lack of risk assessment results in poor alignment between detection and response and critical business operations. Before buying any type of endpoint security solution, you need to conduct a risk assessment that identifies:

  1. Your most sensitive data and business processes
  2. Who can access different resources for what business purposes
  3. What your business-critical applications are
  4. What security scenarios should trigger a halt to business-critical activities
  5. What impact, if any, a lateral compromise on an unrelated endpoint device has on a business-critical process

Conducting and documenting this risk assessment before entering into a contract with an MDR vendor is vital for getting detection and response capabilities suited to your unique business.

Generic MDR Issues and Conflict of Interest 

The lack of a risk assessment is often compounded by some issues with generic MDR services. Most MDR services treat all systems equally. For example, a desktop workstation used by a senior accountant is treated no differently in terms of detection and response than an infrequently used tablet belonging to a junior salesperson.

In the real world, different systems and users have varying levels of access to critical business data and processes. The closer a system is to important resources, the more sensitive its detection and response should be. The opposite is also true: you probably don’t need to shut down a production application for a minor event.
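The tiering described above, as an added example that is not Security Pursuit's code or any vendor's product: a small Python response policy that takes the outputs of a risk assessment (asset tiers, which hosts can reach which others, and the alert categories pre-approved to halt a critical process) and chooses a containment action per alert. It reproduces the wealth-management scenario: a suspicious alert on the marketing laptop is logged, a likely compromise on that laptop isolates only that laptop, and nothing automated ever halts the trading desk unless the compromise is confirmed and the category was pre-approved. All host names, tiers, severities and alert categories are constructed assumptions, not data from the original page.

```python
"""Risk-tiered response policy for XDR/MDR alerts (added illustration, not a vendor product).
Containment is chosen from the risk assessment's asset tiers, access map and pre-approved
halt triggers, so an alert on a low-tier host never stops a business-critical process.
All asset names, tiers and alerts below are constructed sample data."""
from collections import deque
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Tier(Enum):
    LOW = 1        # limited access: marketing laptop, junior sales tablet
    HIGH = 2       # privileged access to sensitive data: senior accountant, admins
    CRITICAL = 3   # hosts a business-critical process: trading desk, fund ledger


class Action(Enum):
    LOG_ONLY = "log_only"
    ISOLATE_HOST = "isolate_host"        # contain the alerting host and nothing else
    ESCALATE = "escalate_to_analyst"     # a human decides; nothing is stopped
    HALT_PROCESS = "halt_business_process"


SEV_INFO, SEV_SUSPICIOUS, SEV_LIKELY, SEV_CONFIRMED = 1, 2, 3, 4


@dataclass
class Asset:
    name: str
    tier: Tier
    process: Optional[str] = None                   # critical process hosted, if any
    reaches: Set[str] = field(default_factory=set)  # hosts reachable with this host's access


@dataclass
class Alert:
    host: str
    severity: int
    category: str


@dataclass
class Decision:
    action: Action
    target: str         # host the action applies to
    notify: List[str]   # critical processes whose owners are informed
    reason: str


class ResponsePolicy:
    """Maps risk-assessment outputs (tiers, access map, halt triggers) to per-alert decisions."""

    def __init__(self, inventory: List[Asset], halt_triggers: Set[str]):
        self.inv: Dict[str, Asset] = {a.name: a for a in inventory}
        self.halt_triggers = halt_triggers  # categories that justify stopping a process

    def exposed_processes(self, host: str, max_hops: int = 2) -> List[str]:
        """Critical processes reachable from `host` within max_hops of lateral movement."""
        seen, found, queue = {host}, set(), deque([(host, 0)])
        while queue:
            cur, hops = queue.popleft()
            asset = self.inv[cur]
            if cur != host and asset.tier is Tier.CRITICAL:
                found.add(asset.process)
            if hops < max_hops:
                for nxt in asset.reaches:
                    if nxt not in seen:
                        seen.add(nxt)
                        queue.append((nxt, hops + 1))
        return sorted(found)

    def decide(self, alert: Alert) -> Decision:
        asset = self.inv[alert.host]
        exposed = self.exposed_processes(alert.host)
        if asset.tier is Tier.CRITICAL:
            # Tuned up: every alert reaches an analyst. Halting is automated only for a
            # confirmed compromise in a category the risk assessment pre-approved.
            if alert.severity >= SEV_CONFIRMED and alert.category in self.halt_triggers:
                return Decision(Action.HALT_PROCESS, alert.host, [asset.process],
                                f"confirmed {alert.category} on critical host; halt pre-approved")
            return Decision(Action.ESCALATE, alert.host, [asset.process],
                            "critical host: analyst decides, no automated halt")
        # Non-critical host: containment never extends beyond the host itself.
        if alert.severity >= SEV_LIKELY:
            return Decision(Action.ISOLATE_HOST, alert.host, exposed,
                            "likely compromise: isolate this host, warn reachable critical processes")
        if alert.severity >= SEV_SUSPICIOUS and (exposed or asset.tier is Tier.HIGH):
            return Decision(Action.ESCALATE, alert.host, exposed,
                            "suspicious activity near sensitive resources")
        return Decision(Action.LOG_ONLY, alert.host, [],
                        "tuned down: low-tier host with no path to critical processes")


# Constructed inventory for a hypothetical wealth-management firm.
INVENTORY = [
    Asset("trading-desk-01", Tier.CRITICAL, process="trading"),
    Asset("ledger-db-01", Tier.CRITICAL, process="fund_accounting"),
    Asset("jump-host-01", Tier.HIGH, reaches={"trading-desk-01", "ledger-db-01"}),
    Asset("itadmin-ws-02", Tier.HIGH, reaches={"jump-host-01"}),
    Asset("mkt-laptop-12", Tier.LOW),
]
POLICY = ResponsePolicy(INVENTORY, halt_triggers={"ransomware_encryption", "data_exfiltration"})


def run_scenarios() -> Dict[str, Decision]:
    """The page's failure case and a few neighbours, as constructed alerts."""
    alerts = {
        "marketing_phish": Alert("mkt-laptop-12", SEV_SUSPICIOUS, "phishing_click"),
        "marketing_malware": Alert("mkt-laptop-12", SEV_LIKELY, "malware_execution"),
        "admin_creds": Alert("itadmin-ws-02", SEV_LIKELY, "credential_dumping"),
        "desk_task": Alert("trading-desk-01", SEV_INFO, "new_scheduled_task"),
        "desk_ransom": Alert("trading-desk-01", SEV_CONFIRMED, "ransomware_encryption"),
        "desk_pwsh": Alert("trading-desk-01", SEV_CONFIRMED, "suspicious_powershell"),
    }
    return {name: POLICY.decide(a) for name, a in alerts.items()}


if __name__ == "__main__":
    for name, d in run_scenarios().items():
        print(f"{name:18} {d.action.value:24} target={d.target} notify={d.notify}  {d.reason}")
```

The access map is what answers question 5 above: the admin workstation is two hops from the trading desk, so a likely credential-dumping event there isolates the workstation and warns the trading and fund-accounting owners, while the marketing laptop, with no path to a critical host, is only logged or isolated on its own. The halt-trigger set is the documented answer to question 4, so the vendor is applying your decision rather than making it.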

Furthermore, MDR vendors have an incentive to tune down the XDR system so that fewer alerts are generated. Fewer alerts mean lower costs for the MDR vendor in terms of hiring SOC analysts to triage and respond to those alerts. Businesses can get more value from an MDR service by providing them with the guidance and insights gleaned from a risk assessment.

The Security Pursuit MDR Difference

At Security Pursuit, we encourage clients to complete a risk assessment before buying MDR to ensure they are getting the most for their security budget. Using the results of the risk assessment, your XDR system is aligned to your organization's unique risk profile, so that the response to a given alert, IOC, or threat is appropriate: tuned up for high-risk situations and tuned down where low-risk alerts could affect normal business operations.

Ultimately, we work with you and your knowledge of your business to make your XDR/MDR system respond to threats swiftly and appropriately, no matter where they happen.

Contact Us to Learn More 

Partner with us at Security Pursuit to get the most out of your security investments.