Managed Security Services Providers (MSSPs) have been a very common route for organizations to fill critical gaps in managing and monitoring their security program. An interested shopper can choose from a wide range of providers and capabilities. A common misconception is that an MSSP can be onboarded with a “just add water” approach. On the contrary, an MSSP relationship is sometimes more complex than if the organization were to develop the capability in-house. In this article, I will suggest an approach aimed at improving the odds of success.
The modern form of the MSSP can trace its lineage back almost two decades. It has evolved from its early days as a simple manager of firewalls, through the heyday of IDS, then IPS, to today’s multi-mission capable SOC. The modern MSSP manages firewalls, WAFs and endpoint protection. It runs vulnerability scanners and tracks remediation. It acts as a cyber threat fusion center and supports incident response.
Even the best SOC operators can never fully appreciate the culture, business drivers, and op-tempo of the organization they serve. Engaging with an MSSP means that you are handing off the operation of the aforementioned components to other hands. Managing how the MSSP interfaces with your organization is a full-time responsibility of the customer.
Imagine if your management asks you to develop a SOC, collect threat intel, and deploy a 24/7 management scheme for your firewalls—and do it in a month. The complexity of that request is no less than if you expect an MSSP to do the same for you. The root cause of every failed MSSP relationship stems from unrealistic expectations. Avoiding failure requires a methodical approach that sets clear expectations and focuses on reachable objectives.
The operative word is focus. It is so tempting to jump towards the “pew-pew” functions of the SOC such as advanced hunting and threat intel-backed machine learning. Do your applications, systems and tools speak a common event-log language? Are those events collected into a central repository? The MSSP cannot perform its magic unless it can reliably collect events from your environment. An MSSP integration manager will assume that you have full control over your event streams. Depending on the size of your organization, meeting this fundamental requirement can take significant time and resources from across IT.
Your first win comes from avoiding complexity while helping the SOC understand how to process simple endpoint alerts, IPS hits and fundamental SIEM cases like multiple failed logins. Those types of events usually comprise 80 percent of your alert traffic and are full of important details that help illuminate the network and its applications for the SOC. Patience in this first phase will pay long-term dividends and lay the groundwork for more advanced engagement.
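To make the “multiple failed logins” case concrete, here is an added example (my own code, not from the original article or any MSSP product) of the kind of simple correlation rule a SOC tunes in this first phase: it counts failures per user and source inside a sliding window and raises the severity when a success follows the burst. The log format, the 5-in-10-minutes threshold and the sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs):
# timestamp, outcome, user, source address.
SAMPLE_EVENTS = """\
2023-04-02T08:00:01 FAIL alice 10.1.1.5
2023-04-02T08:00:09 FAIL alice 10.1.1.5
2023-04-02T08:00:15 FAIL alice 10.1.1.5
2023-04-02T08:00:22 FAIL alice 10.1.1.5
2023-04-02T08:00:30 FAIL alice 10.1.1.5
2023-04-02T08:00:41 OK   alice 10.1.1.5
2023-04-02T08:05:00 FAIL bob   10.1.1.9
2023-04-02T08:20:00 FAIL bob   10.1.1.9
2023-04-02T08:35:00 FAIL bob   10.1.1.9
2023-04-02T08:50:00 FAIL bob   10.1.1.9
2023-04-02T09:05:00 FAIL bob   10.1.1.9
"""

def parse(lines):
    """Yield (timestamp, outcome, user, source) from the constructed format."""
    for line in lines.strip().splitlines():
        ts, outcome, user, src = line.split()
        yield datetime.fromisoformat(ts), outcome, user, src

def failed_login_cases(lines, threshold=5, window_minutes=10):
    """Open one case per (user, source) pair that reaches `threshold`
    failures inside a sliding window of `window_minutes`. A later success
    from the same pair escalates the case, since that pattern deserves an
    analyst's attention more than failures alone. Threshold and window are
    the knobs the escalation process gets tuned with."""
    windows = defaultdict(deque)   # recent failure timestamps per pair
    cases = {}
    for ts, outcome, user, src in parse(lines):
        key = (user, src)
        if outcome == "FAIL":
            recent = windows[key]
            recent.append(ts)
            cutoff = ts - timedelta(minutes=window_minutes)
            while recent and recent[0] < cutoff:   # drop events outside the window
                recent.popleft()
            if len(recent) >= threshold and key not in cases:
                cases[key] = {"first_seen": recent[0], "failures": len(recent),
                              "severity": "low"}
        elif outcome == "OK" and key in cases:
            cases[key]["severity"] = "high"        # success after a burst of failures
            cases[key]["success_at"] = ts
    return cases
```

With the defaults, alice's burst opens a case that is escalated by the following success, while bob's slow-paced failures never fill the window; widening the window to two hours is what turns bob into a (low) case, which is exactly the tuning conversation to have with the SOC.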
With a steady flow of event data streaming into the MSSP and the escalation process for these events tuned, the engagement can move to the next phase. Many MSSPs will offer to manage vulnerability scans of the perimeter as part of the “base” package because scans help identify assets and provide a clear picture of perimeter exposure. This data is fed back into the SOC as another point of reference for analysts, especially when they are interpreting IPS hits.
It is tempting to let the SOC open a steady stream of remediation tickets with IT to close vulnerabilities. However, just as with your own endeavors, flooding IT with tickets will get you nowhere. Use your knowledge of the environment to help the SOC focus on the most important assets with the highest risk. Turn noise into value.
At this point, the engagement should be starting to show appreciable value. The SOC is an expensive extension of your team. Before moving on to integrating more advanced features, you should focus on developing a set of regular reports that satisfy a number of consumers. The security team may be interested in the raw numbers of alerts, actions and investigations. Security management will want to see operating statistics and trending information. Finally, senior management will be interested in the “big picture”—how effective the program is and how the SOC is providing value. Every organization is different, so there is a low likelihood of a canned report satisfying your needs. Time spent collating and curating reports will ensure that the engagement follows the expected direction.
Measured. Deliberate. Methodical. These are the operative words that characterize the path to long-term success with an MSSP. An MSSP is an extension of your team, not an arms-length “fire and forget” solution. Give the relationship the time and energy it needs, and it will pay you back.