This is the third in a five-part blog series on managed detection and response as it drives strategic security outcomes for businesses.

In this multipart blog series, we’re exploring how effective managed detection and response (MDR) services help organizations achieve their goals. MDR services can lead to four key strategic security outcomes:

  • Align your security strategy to your business
  • Protect your digital users, assets and data
  • Manage your defenses against growing threats
  • Modernize your security with an open, multicloud platform

In part 1, we discussed alignment. In part 2, we discussed protection. Here, we take a look at the management side.

MDR Services Help Face Growing Threats

Like any military leader will tell you, your defenses are only as good as your visibility. A good MDR services provider should do more than just threat detection, prevention and response; they must help you manage your environment better.

Asset Inventory

For threat management to be effective, it’s essential to know and understand your assets, as well as their relative importance to your line of business. The Center for Internet Security recommends a baseline hardware and software inventory as one of the most basic controls. As noted in the first installment of this series, prioritizing which assets are most important is key. This directly impacts which alerts should get attention first and which hosts should get the most aggressive protection policies. MDR services can help with this.

Prioritizing your most important assets also helps you figure out how you should orchestrate your response playbooks. An alert on a server is more important than an alert on a workstation, for instance. However, you need to balance the risk of containing a server-based threat with the impact of stalling key business functions if that server was isolated. You may be OK with removing one workstation from the network, but what if it’s the CEO’s laptop?

Outside of prioritization and response, a solid asset inventory benchmark is important to spot any visibility or control gaps. Are there assets in which you can’t install endpoint detection and response (EDR) tools, such as for legacy reasons? Or maybe you can install it, but don’t have control over that asset or part of the network in order to respond to a threat located on it. Often, when dealing with clients that have a global presence, you may be working with more than one team or resolver group depending on their location. Is your MDR services provider flexible in cases like this?

Asset management and prioritization may seem complex, but it is the foundation for improved threat management.

Data Management

Once you’ve achieved visibility into all of your assets, it’s time to decide how to manage the telemetry obtained from them. Most EDR products store data in the cloud, but some offer on-premise solutions. Often, they also generate highly sensitive, personal data, such as usernames and passwords. For compliance, data residency or other reasons, it’s imperative to understand what data is collected, where the data is stored, who has access and how it’s deleted.

Agent Optimization

Another facet to consider is agent optimization. Many MDR services providers focus only on threat management. Don’t forget about basic care and feeding. Making sure your sensors are healthy, available and running the correct version contributes to giving you the best possible threat management experience. If a sensor stops reporting in, then you have a blind spot. Do you have a plan to identify and fix these problems before they become a bigger issue? In terms of upgrades, what is your plan to deploy to a test group and verify it before completing a full-scale rollout?

When considering agent management, think about the partnership with the product vendor, as well as how that ties in to future threat defense. What is the plan for testing and enabling new product features and functions? What about in the case of features and functions that may require more work before using them safely and swiftly across the entire landscape?

Preventing Downstream Problems

While the practices described above may seem like basic hygiene measures, not doing them will cause a bigger headache down the road. We have seen clients who suffered a breach because the endpoints affected stopped reporting in and introduced a visibility gap. This allowed an attacker to expand their footprint unnoticed. We’ve seen others who failed to complete essential product upgrades, which caused performance and stability issues on the endpoints and resulted in disabling key functions. A good MDR services provider should be able to assist you with overall best practices in managing assets and agents to give you the best possible threat protection.

Developing Your MDR Services Management Plan

Proper management requires a partnership between MDR services providers who manage the agents and clients who own the endpoints. Some questions to ask your MDR services provider could include:

  • How can I pinpoint and document my key assets, users and data?
  • What customization options do you offer for response playbooks and incident routing?
  • Do you offer a solution to meet data localization requirements?
  • How are you ensuring the health and availability of my agents?
  • What is your process for upgrades, testing and verification and enabling of new features?

Stay tuned for Part 4 of this series to explore how to modernize your security with a hybrid multicloud environment, and learn more about IBM Security Managed Detection and Response Services.

More from Risk Management

Is the water safe? The state of critical infrastructure cybersecurity

4 min read - On September 25, CISA issued a stark reminder that critical infrastructure remains a primary target for cyberattacks. Vulnerable systems in industrial sectors, including water utilities, continue to be exploited due to poor cyber hygiene practices. Using unsophisticated methods like brute-force attacks and leveraging default passwords, threat actors have repeatedly managed to compromise operational technology (OT) and industrial control systems (ICS).Attacks on the industrial sector have been particularly costly. The 2024 IBM Cost of a Data Breach report found the average total…

Cybersecurity trends: IBM’s predictions for 2025

4 min read - Cybersecurity concerns in 2024 can be summed up in two letters: AI (or five letters if you narrow it down to gen AI). Organizations are still in the early stages of understanding the risks and rewards of this technology. For all the good it can do to improve data protection, keep up with compliance regulations and enable faster threat detection, threat actors are also using AI to accelerate their social engineering attacks and sabotage AI models with malware.AI might have…

The 5 most impactful cybersecurity guidelines (and 3 that fell flat)

4 min read - The best cybersecurity guidelines have made a huge difference in protecting data from theft and compromise, both in the United States and around the world.These guidelines are comprehensive sets of recommended practices, procedures and principles designed to help organizations and individual people safeguard their digital assets, systems and data from malicious attacks. They can cover a wide range of practices and exist in part to collect and share best practices and strategies based on industry standards and expert knowledge. Crucially,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today