This is Part 2 of our series on developing a managed detection and response strategy. If you missed Part 1, catch up here.

In the first part of this blog, we discussed the growing trend of remote work, how organizations have adapted to new working styles, and how this shift has created new challenges for security operations. We introduced a security operations detection and response methodology created around use cases, examining the first two of six phases – identify and prioritize.

In Part 2, we’ll guide you through the remaining four lifecycle phases: develop, evaluate, deploy, and enhance.

MDR Diagram


As we discovered previously, establishing and documenting a procedure for identifying and prioritizing threat scenarios allows you to maintain rigor and discipline throughout the security operations lifecycle.

Here’s an example of steps SecOps teams could follow when developing a use case:

  • Step 1: Review and refine the description of the threat and the requirements for addressing it
  • Step 2: Ensure monitoring tool deployment and configuration
  • Step 3: Validate data sources
  • Step 4: Validate context sources
  • Step 5: Perform a gap analysis against security operations procedures


Once a use case is developed, you’ll need to determine what will trigger a review or reevaluation of its function.   This will help avoid the “set it and forget it” approach that often leads to security operations teams losing sight of the need for this critical part of the lifecycle.

The better approach is to define clear notification criteria, so SecOps teams can ensure each use case stays relevant. This way, when thresholds are met – or when there is a change or update to the available context data – use cases can be reevaluated.

For example, age/duration, changes in compliance, threats, and data security can require a reevaluation of threat definitions, monitoring tools, contexts, validation metrics, and performance – or they could make a use case redundant entirely. Having a clear set of metrics that trigger reviews ensures necessary evaluations are not overlooked.


The deployment phase involves the following practical tasks:

  • Training security operations teams to respond to new alerts with clear actions
  • Updating and publishing runbooks, ops guides, and process documents
  • Promoting code through testing, staging, and production environments
  • Reporting threat validation metrics

Once deployed, use cases must be continuously incorporated into the evaluation and enhancement workflows.


Unlike the evaluation phase, fine-tuning a use case is not driven by network or business changes. Rather, it is driven by the evolution of threat tactics, techniques, and procedures, as well as changes in data and context. The purpose of this phase is to provide clear actions and remove any uncertainty.

Like other phases in this lifecycle, a defined process will allow teams to successfully address the rapidly expanding threat landscape.

Elements that could justify a reevaluation include:

  • Event generation settings, thresholds and metrics
  • Outputs, such as impact and urgency
  • Environments leveraging automation
  • Additional response options

Similar to the previous phase, you need to address operational processes, update runbooks, and provide training to Security Operations Center analysts.

Overlooking these activities or handing them over to operations analysts is a recipe for losing ground in the fast-paced threat landscape. It can lead to analysts being unable to effectively manage the overwhelming number of alerts, and increase the risk of human error, which in turn prolong investigations and increase workloads.

Taking a disciplined approach to structuring responsibilities and expectations for your teams will ensure continuity, while supporting the continued growth and maturity of your security operations program.

Learn from the experts

If you don’t have the resources to keep pace with the evolving threat landscape and manage security operations comprehensively, consider a solution like Cisco’s Managed Detection and Response (MDR). Our team of security investigators and responders utilize the unmatched threat research of Talos, and proven playbooks to guard your organization’s IT around the clock.

Learn how Cisco MDR can enhance your security operations and give you the freedom to focus on what matters most. Get in touch today.