Why do customers have a love-hate relationship with MDR providers?
The problem
The decision to engage an MDR provider is often a difficult one. Customers frequently look to MDR providers to offload security burdens that can’t be effectively satisfied in-house. Customers' frustrations arise when they are left with a false sense of security. This dynamic creates a love-hate relationship, where the stated benefits may be clear from those selling the service; however, the shortcomings may be significant and not readily apparent to the buyer.
What Customers Love
There are many standard features found in the majority of MDR service offerings that immediately draw potential customers. Here are some of the primary motivations for those seeking an MDR provider.
24/7 Security Monitoring: Most MDR providers offer round-the-clock threat detection and response, providing organizations with peace of mind and reducing the need for in-house, always-on security staff.
Access to Security Expertise: A key benefit of the outsourced service is access to skilled cybersecurity professionals and the opportunity to gain advanced threat intelligence on emerging threats for organizations lacking internal expertise.
Triage & Incident Response: MDR providers can rapidly detect, investigate, and remediate incidents, often much faster than internal teams could manage alone. Select providers offer a rapid-response service, a lite version of a full incident response offering.
Alert Fatigue: A common motivation among smaller organizations seeking to engage an MDR provider is the need to reduce the volume of alerts their staff must handle. Effective MDR providers are skilled at filtering out noise, minimizing false positives, and identifying genuine threats that require attention.
Cost: Ultimately, cost is one of the leading reasons, if not the leading reason, for engaging an MDR provider, as outsourcing detection and response is often more affordable than building and maintaining a complete Security Operations Center (SOC) in-house.
What Customers Hate
Most available articles on MDR illustrate the benefits of the service while ignoring the churn and buyer's regret that often occur. It is worthwhile to identify where this frequently goes south.
Misaligned Expectations: The primary disconnect lies in the area of expectations. Like other service offerings, a common complaint is that MDR providers overpromise and underdeliver in several places. The same shared responsibility model you adopt with your cloud provider would benefit your approach to your MDR provider.
Business Context: Lack of business context is a glaring deficiency found in many MDR providers. Often during onboarding, there is no effort to understand the customer’s unique environment, their tech stack, and their crown jewels; this results in generic alerts and missed context for critical incidents. If threat actors have more knowledge about your environment than your MDR provider, the results will not be favorable.
Onboarding Gaps: A related complaint is that slow or inefficient onboarding, unresponsive support, and high staff turnover at the MDR provider can erode trust and satisfaction. MDR providers that miss telemetry sources in your tech stack during onboarding, or that lack integrations for them, leave gaps in detection.
Poor analysis of incoming Alerts: MDR providers tend to aggregate and then escalate incoming alerts back to customers without proper analysis and investigation, thereby defeating the purpose of outsourcing.
Lacking Knowledge of Emerging Threats: While MDRs boast of excelling at detecting known threats, some struggle to identify and prevent new, sophisticated attacks that fall outside their existing detections. This is a common area of anxiety for buyers, who often want the assurance that they are covered.
PenTest & Red Team Fails: Customers question their investment when an MDR provider fails to detect standard red team techniques or lateral movement during a penetration test. Such failures often prompt customers to reconsider the detection capabilities of their MDR provider.
Threat Intel & Threat Hunting: The maturity or lack thereof in areas such as threat intelligence and threat hunting is often a key differentiator in selecting your MDR provider. If your MDR provider solely relies on detections in your tech stack, it leaves you in a more reactive position when it comes to emerging threats.
Lack of transparency in Pricing & Hidden Costs: A final frustration often encountered is simply understanding what you're getting with the MDR provider. Customers are frequently frustrated by unclear pricing models, hidden fees, or discovering that premium features showcased in demos are not included in their service tier.
Summary Table: Love-Hate Factors in MDR Relationships
Summary
Customers' experience with MDR providers can be a mixed bag. If expectations of delivery and outcomes are aligned, it can lead to a long-standing, mutually beneficial relationship. However, customer dissatisfaction and churn result when expectations aren’t aligned or when the provider fails to deliver on promised outcomes. In the upcoming series, I plan to focus on the areas of differentiation among MDR providers to provide a more customer-sensitive evaluation guide, while highlighting some of the more noteworthy providers in the space.
Above article originally posted here - https://medium.com/@cyberfestivus/why-would-customers-have-a-love-hate-relationship-with-mdr-providers-de30c43c6325
Love this - Emphasis on misaligned expectations and business context!