Gartner Blog Network

Get the Foundational Elements Right When Selecting a Detection and Response Service Provider

by Pete Shoard  |  April 20, 2020

I recently completed the third update on my Foundational Managed Security Services (MSS) note: Get the Foundational Elements Right When Selecting a Detection and Response Service Provider. This was the first piece of research I published when I joined Gartner back in 2018, and it provides a guidance framework for organisations looking to outsource security operations. At the time I recognised that part of the reason organisations change MSS providers so frequently was that they didn’t have a good idea of how they were going to consume the outputs of the service.

The core of the advice hasn’t really changed:

  • Establish and document requirements and use cases before engaging providers.
  • Align the offered service performance metrics with internal key performance indicators (KPIs).
  • Integrate internal processes so they can effectively consume the service.

But… consumption models have changed, as has the market.

With the evolution of the MSS market and the emphasis most organisations place on detecting and responding to threats, there have been some key updates.

Figure: Typical Flow for a Managed Threat Detection and Response Service

A couple of key quotes from the document:

Services that include a response element, such as managed detection and response (MDR), regularly include the identification and, most importantly, the containment and disruption of issues. These services commonly provide a mitigative response, rather than forensic or fix, and are designed to reduce the burden and create breathing space for internal teams, but not to replace them altogether.

Service outputs are usually provided in the form of security incidents and disseminated via a provider’s portal, with email, mobile and human-driven notifications to alert occurrences of serious issues. These security incidents should be verbose and action-oriented, detailing the activity detected and the assets involved.

I hope you enjoy the updates. Don’t hesitate to set up a Gartner inquiry if you are thinking about outsourcing for the first time, or even re-contracting. We can help with a wide range of price benchmarking, requirement setting, SLA evaluation, etc.


Pete Shoard
Sr Director Analyst I
3 years at Gartner
17 years IT Industry

Pete Shoard is part of the Security Operations team. Covering analysis of and selection criteria for threat detection and response Managed Security Services (MSS) such as Managed Detection and Response (MDR) and Vulnerability Management (VM) services. Also security detection and response technologies such as Security Information and Event Management (SIEM), User Entity Behavioral Analytics (UEBA) and Deception. Supporting Gartner's ITL research in wider areas such as Security Operation Centre (SOC) best practice and security metrics and measurement.
