
Datashield's Blog


How to Pick an MDR Partner

Cybercrime, job openings, and vulnerable software are at an all-time high.

Everyone is knee-deep in planning or executing a digital transformation strategy. But resources and budgets are limited, the skill gap is increasing, and on-demand access is adding complexity. Outsourcing is becoming the norm, and standard MSSPs are falling by the wayside.

Marketing terms can be confusing, and everyone "says" they do the latest buzzword.

MDR is one of those items. MDR (Managed Detection & Response) is the evolution of the MSSP: the provider moves past the "alert fatigue" phase and does deeper-level investigations. Forensic investigations require broader tool access, a higher skill level, and deeper processes and knowledge, including threat hunting.

Threat hunting is the term for a skilled security analyst manually looking through (hunting) logs and packets to find out-of-the-norm activity that otherwise got past all other security tools.

How often does this happen, you might ask? Well, that depends, but generally, often. Attackers are continually coming up with new evasion techniques or exploiting tools that have little or no logging.

Finding an MDR provider is easy, but how do you find a good one? When looking for an MDR provider, there are many things to consider, and we hope the below points help you identify one.


Ensure Full Packet Capture

Make sure you understand what technology the provider is deploying and whether it is proprietary or off the shelf. Ensure the technology accepts multiple sources of data, including logs, packets, endpoints, and cloud data. Packet capture is often a differentiator in an MDR provider, as it allows them to see actual data in transit. Not all tools do "full" packet capture; some instead do signature-based capture, where you get packet capture from known threats.


Have a Holistic Threat Intelligence Approach

Not all threat intelligence is the same; it's easy to pull in a ton of feeds. Instead, find a provider that uses standard threat intelligence, gathers its own, and uses your company's information to build profiles of your network and data.


Determine Access and Ownership

Are the tools in the provider's network or yours? Do you have full access to the data, and does the data belong to you?


Team Compatibility

Make sure you have a central point of contact and that you can contact an engineer or an analyst anytime you need, 24x7x365. It's essential to be able to look to your outsourced provider as an extension of your team and not a typical vendor.

Ensure your MDR company can handle incidents and goes out of its way to manage them with care and urgency.


Information Access

Pick a provider who gives quick access to tickets, information, dashboards, and metrics and follows common frameworks such as MITRE ATT&CK.


Accreditations Matter

Do they hold any accreditations? Pick a provider who has the knowledge needed to support you if an incident occurs. Make sure they understand cloud, networks, and applications. Often providers cannot develop custom content that allows searching for new threats quickly. Do they do anything to understand your infrastructure, applications, and data? Lastly, a provider should be open to knowledge sharing and training of your staff.



Outsourcing your security operations is a critical business decision, and not all companies are the same. When evaluating us or any other MDR vendor, please do your due diligence and ensure the MDR provider indeed does what they say they do.


Jeff Marshall
Jeff Marshall is the Chief Information Security Officer at Datashield and contributes technical content to the Datashield resource library. While not overseeing all of security operations, engineering, R&D and program management, Jeff carves out time to provide thought leadership and educational content for the Datashield resource library. His extensive background and knowledge serve as the anchor for Datashield's article base.
