Some MDR services are a better fit for organizations in particular sectors, and decision-makers can avoid pitfalls by seeking references from others in the industry who can vouch for how a service deals with specific issues, such as the growing number of Internet of Medical Things endpoints, Robinson says.
Potential subscribers should also know whether a service works equally well with heterogeneous security software stacks or only performs in homogeneous environments, or those using the vendor’s own endpoint detection and response (EDR) software, he adds.
An MDR service can fortify defenses and take pressure off in-house IT staff, but only after some initial groundwork, Robinson says. Response times should be clearly defined, and the vendor and user of the service should work through potential IOC scenarios and agree on the criticality of alerts.
“It’s necessary to make a time investment up front to tune the service to your needs,” Robinson says. “An IOC related to a receptionist’s desktop should probably not warrant a 2 a.m. call to your CIO, but an IOC to a patient database might.”
The Right Partner Is Critical to MDR Success
Since UMMS was already using CrowdStrike’s EDR software, Lai says, it was an easy decision to contract for the vendor’s MDR Falcon Complete service to monitor the Baltimore-based health system’s far-flung endpoints in its 11 hospitals and a network of more than 150 other medical facilities in 13 Maryland counties.
“It doesn’t make sense to have someone else manage CrowdStrike technology, because they’re the experts,” Lai says. “The drawback is that they’re limited to that technology. Our MDR service is focused on the endpoint because that’s where we put the agent.”
The CrowdStrike MDR fits into a layered environment of complementary and supplementary security measures. UMMS uses a managed SOC from Accenture that monitors the network security appliances, Lai adds. A Medigate platform monitors biomedical devices, such as IV pumps, CT scanners and MRI machines that collect patient information and are connected to the internet but don’t support agents from the EDR software.
The MDR model is ideal for any organization with an under-resourced security staff, Lai says, but selecting the right partner is critical.
“You’ve got to do your research. Talk to your peers about their experiences with the technologies and services,” Lai says. “Evaluate the technology yourself in your environment, if possible.”