We use cookies to deliver the best possible experience on our website. To learn more, visit our Privacy Policy.
By continuing to use this site, or closing this box, you consent to our use of cookies.

Blog home
Blog post

Get the Foundational Elements Right When Selecting a Detection and Response Service Provider

By Pete Shoard | April 20, 2020 | 0 Comments

I recently completed the third update on my Foundational Managed Security Services (MSS) note: Get the Foundational Elements Right When Selecting a Detection and Response Service Provider. This was the first piece of research i published when i joined Gartner back in 2018 and provides a guidance framework for organisations looking to outsource security operations. At the time i recognised that part of the reason that organisations change MSS providers so frequently was because they didn’t have a good idea around how they were going to consume the outputs of the service.

The core of the advice hasn’t really changed:

  • Establish and document requirements and use cases before engaging providers.
  • Align the offered service performance metrics with internal key performance indicators (KPIs).
  • Integrate internal processes so they can effectively consume the service.

But… consumption models have changed, as has the market.

With the evolution of the MSS Market and the emphasis most organisations have on detection and responding to threats there have been some key updates.

Typical Incident Flows MSS
Typical Flow for a Managed Threat Detection and Response Service

A couple of key quotes from the document:

Services that include a response element, such as managed detection and response (MDR) regularly include the identification and, most importantly, the containment and disruption of issues. These services commonly provide a mitigative response, rather than forensic or fix, and are designed to reduce the burden and create breathing space for internal teams, but not to replace them altogether.

Service outputs are usually provided in the form of security incidents and disseminated via a provider’s portal, with email, mobile and human-driven notifications to alert occurrences of serious issues. These security incidents should be verbose and action-oriented, detailing the activity detected and the assets involved.

I hope you enjoy the updates, don’t hesitate to set up a Gartner inquiry if you are thinking about outsourcing for the first time, or even re-contracting. We can help with a wide range of price benchmarking, requirement setting and SLA evaluation etc…

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Leave a Comment