What best practices should organizations follow when selecting and implementing an external provider for managed security monitoring or MDR? Which aspects are key to ensuring you’ll get the most out of these services, and avoid surprises during an actual incident?

Information Security Manager, 7 months ago

There's no one-size-fits-all solution. It's important to onboard providers slowly, starting with basic levels of service and gradually expanding. Your core team should remain involved, as they understand your business better than any vendor. This gradual approach helps ensure that the provider can meet your specific needs.

1 Reply
no title, 7 months ago

Determining whether a company will be reliable in the long term is vital. You can also use your peer networks to gather insights and experiences from others who have already evaluated these vendors. That can provide you with valuable perspectives to help qualify potential partners.

Chief Data Officer in Healthcare and Biotech, 7 months ago

As a government entity, we benefit from subsidies that help us access high-end MDR solutions, but for others, I recommend being cautious with new vendors. The market is saturated with startups making big promises, so it's wise to wait and see how they perform before committing. Experience has taught me that it's better to be cautious and not rush into decisions.

Global Chief Cybersecurity Strategist & CISO in Healthcare and Biotech, 7 months ago

A major challenge is the influx of companies and startups entering this space, many of whom lack experience in specific verticals. It's critical to conduct thorough research on providers and verify their claims by speaking with their existing clients. Don't rely solely on promises or frameworks. It's also important to maintain a hybrid model, as you can't completely shift your risk to a third party.

Chief Information Security Officer in IT Services, 7 months ago

I use MDR (managed detection and response) in a limited capacity, focusing on specific, high-value environments. The key for us has been finding a provider that can adapt to our unique environment and work closely with our operations and incident response teams. They need to understand what is normal for us and adjust their detection rules accordingly, so flexibility and a willingness to partner with us have been crucial differentiators.
