We strongly believe cybersecurity measures should be reasonable and prudent and that small businesses can do a lot in-house. However, there are areas where your cybersecurity program (again, focusing on small and medium businesses, or SMBs) should likely consider outsourcing. Managed detection and response (MDR) is one of these areas.
For months we’ve talked about the importance of defense—why it’s an absolute necessity that the individuals in your company understand good cyber hygiene; what steps a small business can take to prepare for the worst-case scenario; the list goes on. However, given the rate at which defenses prove inadequate (e.g., attackers gain access to networks and data), you need to consider an investment in resilience and threat hunting to improve your chances of detecting nefarious actors in your systems.
The reality is that it takes only days for a malicious actor to weaponize and exploit a vulnerability in your system. For example, SAP and Onapsis found that SAP’s vulnerabilities could be weaponized “in less than 72 hours of a patch release” with “new unprotected SAP applications provisioned in cloud (IaaS) environments being discovered and compromised in less than three hours.” If successful in penetrating your defenses (e.g., exploiting the vulnerability), cybercriminals linger and monitor your network for an average of nine months, collecting data and spreading thoroughly through your systems. While patching and good cyber hygiene are necessary to guard against these attacks, they will not be enough. At some point, a malicious attack will get through, and to have cyber resiliency, you need to know when it does. Thus, the need for threat hunting as a service.
Even though this is not a function typically delegated to an SMB’s tight-knit (and overstretched) IT team, there are three specific things you can look for as a small business to ensure that a managed detection and response service provider is right for you.
First, can the potential provider give you measurable, clear, and defined areas in which you can and will be protected? Have a conversation with prospective suppliers about the risks that can be mitigated, and what could transfer to an outside source. An example of transfer is an insurance policy, which moves the risk (always a dubious choice) to the insurance company. On the other hand, be cautious of services that claim absolute or perfect results—no one solution ‘always’ works, and there is no threat detection that can ‘never’ be wormed through. Look for business-focused outcomes in terms of risk mitigation to determine whether the scope of service is the right one for you.
Second, what experience does the service provider have in assisting a small business? A business with twenty employees won’t need the services required by a 2,000-employee corporation. Find out whether the service provider knows how to serve you specifically. A service that is a good fit for large companies isn’t enough if it doesn’t fit your needs, and it is often much more expensive.
Third, what do their commitment and capability look like long term? As you develop and grow, you want a service provider that can evolve just as quickly as you and can support what you will need as you move from a small business to a mid-sized business, and beyond. While you don’t want the cookie-cutter option made for a large company, you do want something that can offer services that relate to your growing (or decreasing) needs. Look for the low price point and flexible services offered to small businesses. At the same time, look at the higher cost services that you may need at a later point.
True partners desire and work towards your success. We hope that these three things will help you identify the partners that will come alongside and help your business flourish. Not everything has to (or should) be in-house; you don’t have to ‘go it alone’ in threat detection. Lean into networks that can support you and that, through the use of their services, you can support in return.