First TorchTime Webinar Addresses Trusting MDR Provider for Incident Response

In the first of a series of TorchTime panel webinars, TorchLight experts discussed managed detection and response (MDR) and the importance of trusting your MDR vendor to provide response when a threat is detected.


In the first of a series of TorchTime panel webinars, TorchLight’s Stephen Heath, CTO; Gary Blosser, Manager of Incident Response (IR) and Forensics; and Client Advisor Harry Regan discussed managed detection and response (MDR) and the importance of trusting your MDR vendor to provide response when a threat is detected. The panel was moderated by Director of Marketing Jim Kreutel.

According to Forrester Research, 50% of organizations are set to use MDR services by 2025. Nevertheless, trust remains a key issue when it comes to letting an MDR partner respond to threats efficiently and effectively. Many companies depend on their own staff for IR out of a desire for control. But MDR firms have round-the-clock security operations centers (SOCs) and are already watching customer networks for cyber threats. These threats are escalated and then wait until the in-house IR team can review and act. However, in many cases time is of the essence, and acting quickly on an incident pays off.

The webinar focused on this issue of trust and offered a variety of insights into the reasons why many companies have their own response teams and the benefits of outsourcing IR to an MDR provider. Here are four key points from the conversation:

While many companies trust their providers to manage the incident detection aspect of MDR, the panelists saw the need to build trust between MDR vendors and IT security teams as the key hurdle to receptiveness to offloading IR. Harry Regan observed that “these purchasers often perceive their staff as more trustworthy in terms of responding to threats, despite evidence to the contrary.” Control can also be an element of resistance to third-party response strategies.

Stephen Heath commented that “an agreed-upon process for implementing and assessing MDR strategies is key to mitigating this trust issue.” The other panelists agreed, further elaborating on the benefits that can arise from the contractual nature of MDR services and the balance that a collaborative process can build between trust, security, utility, and financial needs.

They also agreed that quick containment is one of the most important reasons for trusting the MDR provider with IR and is key to addressing potential and ongoing security issues promptly. IR remains a necessity, but the early response that MDR offers can help prevent or avoid bad situations entirely. “The first hour is crucial,” Gary Blosser said, “and rapid response, starting with containment, is key.”

Companies may be concerned about the risk of MDR overstep, but the panelists argued that the benefits far outweigh this risk. As an example, they compared the fallout from a contained threat (one computer that might need reconfiguration or replacement) with that from an uncontained one, which can imperil an entire data center.

This TorchTime webinar had a lot more discussion and advice. Catch the whole conversation and all the wisdom shared in this webinar here.