MSSPs, MDRs and all kinds of managed services providers who focus on security have a different kind of DNA. They’re risk-takers—literally. And taking on the liability of your clients’ security risk is just not for the faint-hearted.
With rigorous SLAs, managed service providers are under extreme pressure to keep their clients safe, sometimes more so than the organizations themselves. Think of it: with many service providers to choose from, would you do business with one whose clients got hacked? The pressure is on.
As if that weren’t enough, staffing 24/7 operations adds another level of complexity. Service providers can’t afford to entrust their clients’ security posture to entry-level security analysts with little to no expertise. But with a shortage of available cybersecurity expertise (the Global Information Security Workforce Study (GISWS) anticipates a worldwide workforce shortage of around 1.5 million by 2020) and heavy competition for senior, seasoned talent, finding enough personnel to keep the lights on every hour of every day comes at a high payroll cost.
Now granted, those costs are why managed security services aren’t considered a bargain. They come at a price, and rightfully so. But even if the costs of maintaining a well-oiled machine and absorbing risk are passed on to their clients, a major breach can force a mid-sized MSSP or a specialized MDR to close its doors.
So what’s an MSSP to do?
At Secdo, we focus on the software and the IR process side, but we’ve taken the time to understand the MSSPs’ needs, pain points, and best practices, and we get your pain. (You can call us the “MSSP Whisperers”.) So we’ve put together a list of tips for managed service providers of all kinds and acronyms—MSPs, MSSPs, MDRs, Advisories, etc.—that we recommend taking into account when evaluating a tool to add to your service stack.
Visibility is key to reducing risk
The saying goes “what you see is what you get,” and we couldn’t agree more. The deeper and broader you can see into activity across your clients’ environments, the more you can trust your assessment of the risks and vulnerabilities lurking there, especially when you are relying on a tool to make the assessment for you. Visibility is typically something managed service providers leave to their SIEMs or their endpoint-based solutions. But not all solutions of this type are created equal, and their depth and breadth of visibility vary greatly.
Service providers that rely on solutions that monitor data at the user level risk compromising the integrity of their assessment because of the solution’s limited view into endpoint activity. What’s worse, if the operating system of an endpoint is compromised, so is the data collected at the user level. That’s why various endpoint visibility and security vendors have opted for kernel-level visibility. But even this depth of visibility isn’t enough to detect file-less or in-memory attacks that are invisible to the [endpoint] eye, unless the solution can break down what it sees to the level of individual threads.
Our recommendation? Thread-level visibility. It is the most granular view into activity on endpoints, and the one you can rely on most to ensure nothing is left unnoticed, reducing your risk of being surprised by an attack you didn’t have a clue about. Extra points if you’re using this visibility to do threat hunting, beyond your standard threat detection workflow. Visibility is at the core of your security operations, and without it, you can kiss meeting your clients’ SLAs goodbye.
Automation is your payroll saver
Security automation is a numbers game. There are still a few skeptics out there who think an automated security workflow means an automated disaster waiting to happen. But that’s far from the truth. In fact, as we usually say, if the manufacturing industry had felt the same way about automation during the industrial revolution, the supply of many of today’s goods wouldn’t be enough to meet the needs of a growing population.
Automating key steps of the security workflow, such as investigating, validating, and responding to security alerts from SIEM and threat detection tools, can be critical in helping you scale your security staff and multiply their effectiveness in order to maintain 24/7 operations. When combined with a deep view into endpoint activity, you can rely on your automated workflow’s assessment of the alerts it investigates and validates, along with the response technique it applies to them. And because the process reduces the need for manual analysis, triage, and so on, you accelerate your time to respond to alerts, from weeks and even months down to minutes and even seconds, which drastically reduces your risk.
At the end of the day, your existing team will be able to respond to and, if needed, remediate more security alerts without additional staff. And because automation takes over the more complex tasks that would otherwise have required seasoned expertise, you won’t have to spend your entire budget on that one guy with 17 years of experience who claims his first gig as a threat hunter kept his network safe from the ILOVEYOU worm back in 2000.
Point solutions aren’t doing you a favor
Point solutions that focus on only one capability force your team into a broken, swivel-chair approach to security. Security is more of a workflow than an isolated tactic, and point solutions keep you from combining the insight you gain from one tool with the insight you gain from another. Solutions that pack more than a single capability can be wrongly dismissed as jacks of all trades, but given the speed of innovation in the security space, emerging technologies have been able to master complex capabilities and optimize a security workflow that disparate point solutions once frustrated.
In addition, as we see an upsurge in agent-based solutions, those that employ their agents to address only one use case, insider threat detection for example, can present a challenge for MSSPs looking to offer more than one service whose clients’ “no more agents!” policy keeps them from doing so. MSSPs evaluating agent-based products owe it to themselves to look for tools that make the most of the agent and provide a greater number of capabilities without compromising quality or effectiveness. This is how MSSPs can not only extend their service catalog but also reduce their operational costs by eliminating the unnecessary expense of multiple products, training, maintenance, support, and so on.
Be wary of security software ‘frenemies’
You’ve finally found it, the perfect security product to add to your service catalog, only to find out the vendor has a services arm that competes with yours. And while their service model isn’t 24/7 like that of managed service providers, every time an opportunity comes in for products and services, the vendor will think twice about referring the business to you, which makes them more of a frenemy than a partner.
When vendors focus solely on developing and optimizing great software, both MSSPs and vendors win. It turns into a scratch-my-back-I’ll-scratch-yours exercise where vendors are incentivized to point their customers in the direction of MSSPs, and MSSPs are incentivized to service the vendor’s software. Zero competition and 100% win-win.