The managed detection and response (MDR) provider space, a subset of the vast managed security services industry, is booming as organizations accept the likelihood that they will experience attacks and compromises, yet continue to lack the in-house expertise and capabilities, the very gap that pushed them to explore third-party help in the first place.
The MDR market is forecast to be worth $5.6 billion by 2027, and Gartner expects roughly half of all organizations to be leveraging MDR services for “threat monitoring, detection and response functions that offer threat containment and mitigation capabilities” by 2025.
Such a thriving space has resulted, and will continue to result, in intense competition for your budget dollars. What will separate the winners from the losers? It may very well be their ability to detect and respond to cloud-based threats, as more organizations aggressively develop and migrate their applications and workloads to the cloud. The cloud has brought greater efficiency and upside for users, but it has also expanded the attack surface and changed the risk profile.
When canvassing the growing pool of MDR contenders, here are some worthy questions you can ask, summarized from a recent episode of the Cloud Security Podcast from Google, in which hosts Anton Chuvakin and Tim Peacock interviewed the CEO and CIO of Expel, a Google Cloud customer.
1. Does the MDR understand the differences between cloud security and on premises security?
This seems basic enough, but you’d be surprised. The cloud introduces several new concepts that security operations teams need to be familiar with, because threats manifest differently in the cloud than in a perimeter-focused environment. Three areas change: the threat landscape, the IT environment (because cloud infrastructure is distributed, immutable and ephemeral), and the detection methods themselves. Your chosen MDR should therefore be skilled in cloud audit logs across the three major cloud providers and how to enrich them, classes of alerts, API security, the security features of cloud-specific services such as encryption key storage and managed databases, configurable policies, authentication and authorization, identity management, how to monitor a much richer control plane, and more.
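To make concrete what “enriching cloud audit logs” and “a richer control plane” mean in practice, here is an added example that is not code from the post, from Expel or from Google Cloud: a small Python triage pipeline over Google Cloud Admin Activity audit log entries. It normalizes the protoPayload fields, enriches each event with the principal type and whether the caller IP falls in a corporate range, and flags high-privilege IAM grants, service account key creation, and IAM changes made from off-network addresses. The address allowlist, the role list and the sample entries are constructed for the example; the field names follow the AuditLog protoPayload schema.

```python
"""Added example, not code from the post or from Expel/Google: a minimal
triage pipeline over Google Cloud Admin Activity audit log entries, showing
the normalize -> enrich -> detect steps an MDR analyst needs for the cloud
control plane. CORP_RANGES, HIGH_PRIV_ROLES and SAMPLE_ENTRIES are all
constructed for the example."""
import ipaddress

# Constructed: address ranges we pretend are the customer's office/VPN egress.
CORP_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
# Constructed: IAM roles whose grant should always be reviewed by a human.
HIGH_PRIV_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}


def normalize(entry):
    """Flatten one Cloud Audit Log entry (as a dict) into the fields we use.
    Field names follow the AuditLog protoPayload schema; serviceData.policyDelta
    is only present on IAM policy changes."""
    p = entry["protoPayload"]
    deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    return {
        "service": p.get("serviceName", ""),
        "method": p.get("methodName", ""),
        "resource": p.get("resourceName", ""),
        "principal": p.get("authenticationInfo", {}).get("principalEmail", ""),
        "ip": p.get("requestMetadata", {}).get("callerIp", ""),
        "grants": [(d.get("role"), d.get("member"))
                   for d in deltas if d.get("action") == "ADD"],
    }


def enrich(ev):
    """Add the context a perimeter-era playbook never needed: what kind of
    principal acted, and whether the API call came from a known corporate IP."""
    if ev["principal"].endswith(".gserviceaccount.com"):
        ev["principal_type"] = "service_account"
    elif ev["principal"]:
        ev["principal_type"] = "user"
    else:
        ev["principal_type"] = "unknown"
    try:
        addr = ipaddress.ip_address(ev["ip"])
        ev["ip_is_corp"] = any(addr in net for net in CORP_RANGES)
    except ValueError:
        # callerIp can be "private" for Google-internal calls, or missing.
        ev["ip_is_corp"] = False
    return ev


def detect(ev):
    """Return (severity, rule, detail) alerts for one enriched event."""
    alerts = []
    for role, member in ev["grants"]:
        if role in HIGH_PRIV_ROLES:
            alerts.append(("high", "high_priv_grant",
                           f"{ev['principal']} granted {role} to {member} on {ev['resource']}"))
    if ev["method"].endswith("CreateServiceAccountKey"):
        alerts.append(("high", "sa_key_created",
                       f"{ev['principal']} minted a key for {ev['resource']}"))
    if (ev["method"].endswith("SetIamPolicy") and ev["principal_type"] == "user"
            and not ev["ip_is_corp"]):
        alerts.append(("medium", "iam_change_offnet",
                       f"{ev['principal']} changed IAM from {ev['ip']}"))
    return alerts


def triage(entries):
    """Run normalize -> enrich -> detect over a list of parsed log entries."""
    alerts = []
    for entry in entries:
        alerts.extend(detect(enrich(normalize(entry))))
    return alerts


def _audit(service, method, resource, principal, ip, deltas=None):
    """Build a constructed Admin Activity entry in the real protoPayload shape."""
    payload = {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": service, "methodName": method, "resourceName": resource,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip},
    }
    if deltas:
        payload["serviceData"] = {"policyDelta": {"bindingDeltas": deltas}}
    return {"protoPayload": payload, "severity": "NOTICE"}


# Constructed sample: a routine grant from the office, an owner grant from an
# unknown address, and a service account minting a key for itself.
SAMPLE_ENTRIES = [
    _audit("cloudresourcemanager.googleapis.com", "SetIamPolicy", "projects/demo-prj",
           "alice@example.com", "198.51.100.10",
           [{"action": "ADD", "role": "roles/viewer", "member": "group:auditors@example.com"}]),
    _audit("cloudresourcemanager.googleapis.com", "SetIamPolicy", "projects/demo-prj",
           "bob@example.com", "203.0.113.7",
           [{"action": "ADD", "role": "roles/owner", "member": "user:eve@example.com"}]),
    _audit("iam.googleapis.com", "google.iam.admin.v1.CreateServiceAccountKey",
           "projects/-/serviceAccounts/deployer@demo-prj.iam.gserviceaccount.com",
           "deployer@demo-prj.iam.gserviceaccount.com", "private"),
]

if __name__ == "__main__":
    for sev, rule, detail in triage(SAMPLE_ENTRIES):
        print(f"[{sev}] {rule}: {detail}")
```

The point of the enrichment step is that none of these alerts depends on a network perimeter: the owner grant and the key creation are API calls against the control plane, and a playbook that only watches hosts for malware would never see them. Real deployments would read entries from a log sink rather than an inline list, and would replace the constructed allowlist and role set with the customer's own.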
2. Does the MDR empower you to manage your internal cloud stakeholders?
The shared responsibility model for securing the cloud is usually described as involving two parties, the cloud services provider and the customer. When a managed security vendor enters the picture, a third party joins the model, adding to the possible confusion over who handles what. But there is a fourth entity that must be taken into consideration: your organization's own cloud stakeholders, which commonly include IT and developer teams but can extend all the way up to the C-suite. How your MDR provider thinks about them will tell you a lot about how invested they are in your success. The goal of your stakeholders is to enable the business with the cloud, so your MDR provider must arm you with shareable details, observations and data so you can actively engage with them and convey the cloud risks these stakeholders need to be aware of.
3. Is the MDR cloud native?
Being cloud native is a fairly reliable indicator that an MDR provider is set up to navigate the unique nature of cloud threats. But beyond a vendor declaring itself native to the cloud, there are a few clues you can sniff out, some more subtle than others: Do they have a status page showing their current and historical uptime? Which cloud services do they use to deliver their own service? Do they publish documentation with instructions on how to use and integrate their API? Does their engineering team prioritize extensibility and optionality, which are fundamental principles of the cloud? Some of these answers are a couple of clicks away; some will require digging.
To listen to the full Cloud Security Podcast interview, which features many additional insights, visit here.
If you're an MSSP looking to offer high-value, cloud-native security operations services, learn more about the Google Cloud Security Partner Program and discover how you can accelerate your customers’ security operations modernization journeys.