Evaluating vendors against one another can be tricky as often times marketing collateral and customer case studies can seem identical. With Managed Detection and Response, customers take extra care to evaluate their vendors before agreeing to a contract. This year at the CETPA Conference in California we were voted by the crowd 21 out of 22 votes as the best MDR solution competing against TrustWave, Dell SecureWorks and ForeSite.
In this article we'll take a look at why customers voted for us and what makes us more compelling when comparing us to our competitors.
People Want to hear about Results not Brands
The 10-Minute presentations from each brand would start very similar: "X has been in business for Y with Z employees we are the leader in MDR". Followed swiftly by statistics about breaches and costs of attacks then immediately following that the message that they were the answer. Usually from there the presentations would lose the audience around the technical product names. What was lost completely is that none of this information demonstrated to the audience what could be done for them or how it worked to stop attacks.
Overwhelmingly the customers in the audience were focused on how the service worked or what it did and how much it cost. Questions each vendor found hard to answer. When it was my turn I skipped the slides because it was obvious that it was more important to show us stopping attacks right away instead of the information about our brand. They wanted to see results but why was it so hard for the other vendors to demo this?
Results are hard to show from different products.
After doing a bit of digging I realized that to show customers the security state of devices and how they could block at the endpoint or network was tougher for others. It was tough because in a 10 minute demo the idea of connecting to 5 different products and then showing how they coordinated a block was difficult and confusing.
As the table below shows either through acquisition, OEM or partnerships as a reseller the vendors did not have a single unified platform to demo:
| Feature | IntelliGO Platfrom | Trust Wave | Dell Secure Works | ForeSite |
| Endpoint Detection and Response (EDR) | IntelliGO Platform | TrustWave EPP or OEM | Reselling Carbon Black | Reselling Carbon Black |
| Log Management | IntelliGO Platform | TrustWave SIEM | SecureWorks Log Manager | ForeSite Logging |
| Vulnerability Scanning | IntelliGO Platform | TrustWave VA Scanner | Secureworks VA Scanner | - |
| Threat Intelligence | IntelliGO Platform | Trust Wave Threat Intelligence | SecureWorks Threat Feed | ForeSite Threat Intelligence |
| Security Hygiene | IntelliGO Platform | None | - | - |
| Firewall/UTM/NGFW | Your own NGFW | TrustWave UTM | Sonicwall | - (Manages Firewalls) |
This didn't just hurt when it came to demo but also when questions about pricing and scope came up. A lot of these services were dependent on the sizing/licensing, pricing and implementation of 3rd party solutions as well as use cases for the client. Typically what an Managed Security Services provider would offer which customizes prices for each client and contract. Which makes for a bit of a headache at an education conference where budgets are fixed, small and likely not to change.
Focus was on the features and not the outcome
I believe that the overwhelming majority of users need to see a technology or service in action to know whether or not they see value in it. By a demonstration only covering a feature or walk-through of the product the user very rarely gets an opportunity to see what results they will get out of it. Worse, if there is directors, managers or vice presidents attending they could care less about features they need to know how much time, money or risk they are saving.
So ultimately what did we show the audience?
So what did we show in our demonstration that got 21/22 votes (aside: I think that 22nd vote was one of the vendors by the way) in front of the live audience? The same thing we always show how when someone Requests a Demo how we find and stop threats and what we do when you're not under attack to keep you more secure
Let us know what you thought about this post.
Please comment below.