Transparency (Or Lack Thereof): What Your MDR Company Isn’t Telling You

By Alex Humphrey

I recently discovered that one of my favorite memes comes from South Park of all places. It’s the three-phase “get rich quick” meme involving gnomes and underpants. Maybe you’ve seen the episode. Regardless, here’s the brilliant plan in all its glory:

Phase 1: Collect underpants

Phase 2: ?

Phase 3: Profit

There’s something painfully familiar about this plan when compared to partnering with most MDR providers. The plan often looks something like this:

Phase 1: Send alerts/logs to a third party

Phase 2: ???

Phase 3: Security!

In between your team sending alerts to a third party and the escalations you get back sits a veritable black box that leaves a lot of questions. What tools is the Managed Detection and Response (MDR) provider using on the back end to investigate my alerts? How are investigations prioritized? Where is the audit trail backing up the many, many promises? What isn’t being looked at? The most common response seems to be, “Trust us, we’ve got smart people handling all of that.” But that’s not the kind of answer you can report up to executives.

The black box won’t do

So why do these black boxes exist? With most MDR offerings, it’s to hide activity that’s hard to explain. Many MDR providers drop alerts before they ever reach the security operations center (SOC). It’s not because the alerts are worthless, but because the back end runs on a security information and event management (SIEM) system, and ingesting and working more alerts costs more money. They call it prioritizing (as discussed in this white paper on the topic). But in practice it means that for every 100 alerts you send, as many as 95 may be dropped without your knowledge. The simple fact is that attackers are breaching organizations precisely through the activity behind these seemingly “unimportant” alerts.

The worst part is you have no way of knowing what’s been dropped by the provider.

I once learned of an MDR provider that chose to ignore alerts for database exfiltration, exactly the kind of thing an attacker is most likely to do. The MDR provider had decided, without notifying the client, that such exfiltration was too noisy, because database admins would sometimes trigger the alert. So every customer was subject to this major risk without discussion or input.

Luckily, a penetration test caught the issue; the pen tester exfiltrated a database without a single alert from the MDR. But this sort of discovery is rare. I’ve seen businesses fully breached that never knew it because the alerts were all low priority or dropped by their MDR partner.

This problem is foundational across much of the industry. Where there is no transparency, there is no way to prove the MDR’s effectiveness or to show that risk is actually being mitigated. You’re put in a position where you must assume that whatever your vendor tells you is true, with no way of knowing what benefit you’re getting from the MDR service, if any.

Without full transparency into attacks, alerts and countermeasures, your team cannot know what risks exist in your environment. CIOs, CTOs, and CISOs are responsible for providing accurate data when making business executives aware of the real risks the business faces, so they can make informed risk decisions. How is this possible if you don’t know what risks your SOC is dealing with?

Doing transparency right

It’s not. That’s why at Critical Start we take a different approach. Our SOC looks at every alert, at every priority level, within one hour. Two levels of analysts investigate each alert, and confirmed false positives are recorded in the Trusted Behavior Registry (TBR). Once an alert is in the TBR, any future occurrence of identical behavior can be confidently dismissed as a false positive.

Note the word “identical”; if a behavior is similar but not identical, we send it to the SOC to investigate further and determine whether it’s a false positive or a new attack. And we can share the TBR with your team, so there’s never any doubt about what we’re doing to secure your business.

The best part is our customers have full access to the entire back end: every tool, procedure, and rule. If you send us 1,000 alerts and we escalate two, you can ask, “What happened with the other 998?” We will tell you, with pleasure. Better yet, you don’t need to take our word for it; you can look for yourself. Everything is audited and tracked within our dashboard, and 100% of our analysts’ tools, including the TBR, are at your disposal.
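To make the two mechanisms above concrete (a registry that auto-dismisses only identical repeats of a known-benign behavior, and a ledger that can account for every alert, including the 998 that were not escalated), here is an added illustration in Python. It is not Critical Start’s code and does not describe how the real TBR is implemented; the field names, the fingerprint scheme, the outcome labels and the sample alerts are all constructed for this example.

```python
"""Alert triage with a registry of known-benign behaviour and a full audit ledger.

Added example; this is NOT Critical Start's code. The Trusted Behavior Registry
(TBR) it models is assumed to behave as the article describes: an identical
recurrence of a confirmed false positive is dismissed, anything merely similar
goes to an analyst, and every alert ends up with a recorded disposition.
Field names, the fingerprint scheme and the sample alerts are constructed.
"""
from __future__ import annotations

import hashlib
import json
from collections import Counter
from dataclasses import dataclass, field

# Fields that define "identical" behaviour. Volatile fields (alert id, timestamp,
# pid) are excluded on purpose: two alerts are identical when the same actor
# does the same thing, the same way, on the same host. Any other difference
# (e.g. a different host) yields a different fingerprint and so is NOT a match.
FINGERPRINT_FIELDS = ("rule", "user", "host", "process", "command")


def fingerprint(alert: dict) -> str:
    """Stable hash over the behaviour-defining fields only."""
    key = {f: alert.get(f) for f in FINGERPRINT_FIELDS}
    return hashlib.sha256(json.dumps(key, sort_keys=True).encode()).hexdigest()


@dataclass
class Disposition:
    alert_id: str
    outcome: str  # "auto_dismissed" | "to_analyst" | "false_positive" | "escalated"
    reason: str
    fingerprint: str


@dataclass
class TriageLedger:
    tbr: dict[str, str] = field(default_factory=dict)        # fingerprint -> why benign
    ledger: list[Disposition] = field(default_factory=list)  # one entry per action, never pruned

    def triage(self, alert: dict) -> Disposition:
        """Every incoming alert gets a recorded disposition; none is silently dropped."""
        fp = fingerprint(alert)
        if fp in self.tbr:
            d = Disposition(alert["id"], "auto_dismissed",
                            f"identical to TBR entry: {self.tbr[fp]}", fp)
        else:
            d = Disposition(alert["id"], "to_analyst",
                            "no identical TBR entry; similar is not enough", fp)
        self.ledger.append(d)
        return d

    def resolve(self, alert: dict, false_positive: bool, reason: str) -> Disposition:
        """Analyst verdict. A false positive is added to the TBR, so only an
        identical recurrence will be auto-dismissed from now on."""
        fp = fingerprint(alert)
        if false_positive:
            self.tbr[fp] = reason
            d = Disposition(alert["id"], "false_positive", reason, fp)
        else:
            d = Disposition(alert["id"], "escalated", reason, fp)
        self.ledger.append(d)
        return d

    def final_outcomes(self) -> dict[str, str]:
        """Last recorded outcome per alert: the answer to 'what happened to the rest?'"""
        return {d.alert_id: d.outcome for d in self.ledger}

    def accounting(self) -> Counter:
        """Counts that must sum to the number of alerts received."""
        return Counter(self.final_outcomes().values())


# Constructed sample alerts. a1 and a2 are identical behaviour on different days;
# a3 is the same DBA running the same command, but from a web server.
SAMPLE_ALERTS = [
    {"id": "a1", "ts": "2024-05-01T02:00:01Z", "rule": "bulk-db-read", "user": "dba_jane",
     "host": "db01", "process": "mysqldump", "command": "mysqldump --all-databases"},
    {"id": "a2", "ts": "2024-05-02T02:00:03Z", "rule": "bulk-db-read", "user": "dba_jane",
     "host": "db01", "process": "mysqldump", "command": "mysqldump --all-databases"},
    {"id": "a3", "ts": "2024-05-02T14:12:44Z", "rule": "bulk-db-read", "user": "dba_jane",
     "host": "web07", "process": "mysqldump", "command": "mysqldump --all-databases"},
]


def run_demo() -> TriageLedger:
    ledger = TriageLedger()
    ledger.triage(SAMPLE_ALERTS[0])                       # empty TBR -> analyst
    ledger.resolve(SAMPLE_ALERTS[0], True, "nightly backup job run by the DBA on db01")
    ledger.triage(SAMPLE_ALERTS[1])                       # identical -> auto-dismissed
    ledger.triage(SAMPLE_ALERTS[2])                       # similar, not identical -> analyst
    ledger.resolve(SAMPLE_ALERTS[2], False, "DBA credentials dumping a database from a web host")
    return ledger


if __name__ == "__main__":
    lg = run_demo()
    for alert_id, outcome in lg.final_outcomes().items():
        print(alert_id, outcome)
    print(dict(lg.accounting()))
```

The point of the fingerprint is the word “identical”: because the host is part of it, a3 cannot ride on the TBR entry created for a1 even though the user and command are the same, so it goes to an analyst and is escalated. The ledger, not the TBR, is what answers the “other 998” question: every alert has a final outcome, and the accounting totals must equal the number of alerts received, which is the check a customer can run against any provider that claims it never drops anything.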

If the industry’s lack of transparency seems like a hobby horse of Critical Start, well, it is. As we see it, a managed service partner is an extension of your team. It’s your tools, your SOC, and your business. You have to report to business leaders (and often to regulatory agencies), so you should have the right to see what’s going on at any given time.

Only with this information in hand can security teams understand their security posture and the value of their MDR investment – how many attacks are occurring, how many are being stopped, and what risks still need to be considered. This is the Critical Start difference.

If you’d like to learn more about how Critical Start can extend your team and security tools, and resolve every alert, contact us for a free demo. Or if you have questions, get in touch with one of our experts.

