14 questions to get the right Managed Detection and Response for you

(With a little help from Sherlock Holmes and the CIA)

Reading time: 10 min

Does every vendor seem to offer a compelling solution? This article will help you assess the quality of what you are being offered.

Sherlock Holmes is arguably the most famous of all fictional detectives. Arthur Conan Doyle, the character’s creator, was inspired by Dr. Joseph Bell, for whom Doyle had worked as a clerk at the Edinburgh Royal Infirmary. Bell emphasized the importance of observation, deductive reasoning, and forensic skills in making a diagnosis. Like Holmes, Bell was noted for drawing conclusions from the smallest observations. To illustrate this, he would often pick a stranger, and by observing him, deduce his occupation and recent activities.

The world back then was simpler: no electricity; no internet; no cyber threats. Had Sherlock Holmes been created a century later, could he have solved the predicament faced by cyber security buyers: determining whether the quality of a cyber security solution is sufficient?

Security testing is hard. It is complicated and expensive, and the threat is fast-changing. Only national security organisations have the resources to do a thorough job. The rest of us rely on security testing performed by independent laboratories and standards organizations like MITRE Engenuity, or on what vendors reveal to them. How can buyers get to the truth?

If Sherlock Holmes wished to buy a Managed Detection and Response solution, he might have asked these questions:

  1. How will your product improve D&R outcomes for me?
  2. What are the most common threat use cases you cover?
  3. Can you give me examples of your product detecting something that you would not have otherwise detected?
  4. What are the most sophisticated attacks that you have detected and how did you respond to them?
  5. Can you give me examples of efficiency gains that your product will bring me?
  6. Can I do away with SIEM or IDS/NDS technologies, or reduce the size of my security operations?
  7. What level of expertise do I need to get the most out of your product?
  8. Who is responsible for keeping the detection capability fresh?
  9. What additional data costs must I budget for (e.g. storage, threat intelligence)?
  10. What third-party integrations do you offer that enable better response use cases?
  11. What integrations with IT operations tooling, such as an ITSM tool for ticketing workflows, does your product offer?
  12. What are the limitations of your product?
  13. What other tools do I need?
  14. Who is driving your product capability roadmap, and what is in it?

Holmes would have applied a level of acute observation and deductive reasoning to arrive at the correct conclusion, but without such fictional powers, how are we to determine the accuracy of what we are told? Here are some tips provided by three former CIA officers, the authors of Get the Truth.

  • Go alone and bring food. It's a well-known fact that nobody confesses to a crowd. People are more likely to open up when they’re eating: they associate food with pleasure, and it makes them feel indebted to you.
  • Be empathetic. A gentle approach, that appears to come from a place of genuine care and concern, is far more effective than going in for the attack. ‘The thing is, some of what you’re saying isn’t adding up. I need you to help me understand what I’m missing’.
  • Ask lots of questions. By doing this, you imply that you already know what they’ve done. Reassure them that, if they can confess, then you can work together on fixing the problem.
  • Cultivate short-term thinking. Don’t dwell on the potential consequences of an awkward truth, or use them to threaten the other person in any way. Use statements like ‘It’s a fixable problem’ and help them to save face.
  • Stay in charge of the conversation. While you need to create a calm and empathetic environment where they feel safe to tell you the truth, don’t let them walk all over you or control the conversation.
  • Be presumptuous, not accusatory. This will signal to them that you already know the truth. For example, instead of saying: ‘Did you take the money?’, which gives your interviewee the message that you still don’t know if it’s true, assume it is true and ask: ‘Where is the money now?’

Our experience is that in cyber security, buyers get what they pay for. Using these CIA techniques when asking the 14 questions above will help MDR solution buyers to understand the quality of what is being sold.

WithSecure supports clients in building and improving their Security Operations. We also provide a proactive, research-driven MDR service delivered by threat hunters.