MSSPs have their work cut out for them. Demand has increased, infrastructures are increasingly complex, and cyber attacks are growing in frequency and sophistication. Like all service providers, MSSPs must keep an eye on their margins and make technology investments that deliver quick ROI as well as ongoing value over the long term.
Many more enterprises, of all sizes, are outsourcing security to MSSPs, according to the CyberEdge Group’s 2022 Cyber Defense Report. The report hypothesizes that the growth “is partially attributable to the fact that operations involve very labor-intensive activities… MSSPs have achieved a high level of automation of these tasks, so they can provide these services very economically to their clients.”
To make the economics work, you must continually improve your levels of automation while continuing to provide high-value services to your customers. Otherwise, you’re caught in a vicious, margin-destroying cycle.
Given where you are today: What do you need to implement now or soon? And what should you focus on going forward to ensure continued sustainability, relevance and margins?
We have worked with many MSSPs over the years, and they have shared with us that their biggest problems today include:
- Too many tools, too little integration. MSSPs run a lot of low-level tools that don’t talk to each other. Each tool does its own job well, but there is a cost to integrating technologies, managing vendors, and finding staff with the right expertise to run them. Every new tool brings new benefits, but also new risk.
- Ingesting and storing data is expensive. Security depends on data, and data costs money. You need a lot of it to determine when, and whether, something is going wrong that indicates an attack or breach. You want to collect all of that data and analyze it, but ingesting it and doing anything close to real-time analysis is expensive, often prohibitively so.
- It’s hard to get and keep talent. Well-trained security analysts who understand your tools and environments aren’t easy to find or retain, and they’re expensive.
- Mapping threats against assets is difficult. It’s harder to know where to focus when asset information isn’t integrated with your security data. Maintaining asset records is extremely challenging when assets constantly come online and go offline.
- Too many alerts and false positives. You need to find the signal in the noise, but when your tools are siloed and low-level you cannot see patterns that span them. When you don’t have the data you need to find patterns, in real time and over time, you miss trends.
Here’s what to look for in new technologies that can address each of these five issues.
1. Too many tools, too little integration
If you already face, or expect to face, this multi-tool challenge, look for solutions that leverage your current investments and integrate into a multi-tool world.
As Gartner, Inc. points out, “leaders must integrate security tools into a collaborative ecosystem” in a way that is “composable and scalable.” Gartner calls this approach a cybersecurity mesh architecture (CSMA).
“By 2024, organizations adopting a cybersecurity mesh architecture will reduce the financial impact of security incidents by an average of 90%,” Gartner reported.
The advantages of a cybersecurity mesh architecture include flexibility, adaptability, and continuous improvement. No single product provides that; it is an architecture, after all. But some technologies are better suited to an open and agile architectural approach than others.
There’s another major issue: too many isolated, low-level tools hinder your ability to perform behavioral detection analytics. Behavioral analytics identify potentially malicious activity within a system or network without relying on prior knowledge of the adversary’s tools and indicators. They exploit the way an adversary must interact with a specific platform to identify and correlate suspicious activity, independent of whichever tool the adversary happens to use. You can use the MITRE ATT&CK framework to build and test behavioral analytics that detect adversary behavior.
Look for technologies that offer:
- Support for a cybersecurity mesh architecture.
- Secure APIs and pre-built integrations.
- Scalability, ideally through cloud-native platforms.
- Behavioral detection analytics.
- Mapping to a framework such as MITRE ATT&CK.
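As an added illustration of the behavioral analytic described above (this is example code written for this page, not Netenrich’s product or any MITRE-published analytic), the following Python keys on what happened rather than on which tool did it. It watches Windows Security audit events for a chain that an attacker must produce no matter how they act: a local account is created (event 4720, ATT&CK T1136.001), added to an administrative group (event 4732, T1098), and then used for an interactive or remote logon (event 4624 with logon type 2 or 10, T1078.003), all within a short window. The event records, host names and account names are constructed sample data; the 10-minute window and the list of admin groups are assumptions you would tune per customer.

```python
from datetime import datetime, timedelta

# Constructed Windows Security audit events (sample data, not real telemetry).
# The analytic only looks at what happened (account created, added to an admin
# group, then logged on), so it fires whether the attacker used net.exe,
# PowerShell, or the GUI. No tool name or command line appears below.
EVENTS = [
    {"ts": "2024-03-01T09:00:05", "host": "WS-042", "id": 4720, "subject": "alice", "target": "svc_backup"},
    {"ts": "2024-03-01T09:00:09", "host": "WS-042", "id": 4732, "subject": "alice", "target": "svc_backup", "group": "Administrators"},
    {"ts": "2024-03-01T09:03:40", "host": "WS-042", "id": 4624, "subject": "svc_backup", "target": "svc_backup", "logon_type": 10},
    # Benign: account created by the provisioning system and never made admin.
    {"ts": "2024-03-01T10:15:00", "host": "DC-01", "id": 4720, "subject": "provisioning", "target": "jdoe"},
    {"ts": "2024-03-01T10:15:02", "host": "DC-01", "id": 4732, "subject": "provisioning", "target": "jdoe", "group": "Remote Desktop Users"},
    # Benign: elevation hours after creation falls outside the window.
    {"ts": "2024-03-01T11:00:00", "host": "WS-007", "id": 4720, "subject": "bob", "target": "tmp_admin"},
    {"ts": "2024-03-01T15:30:00", "host": "WS-007", "id": 4732, "subject": "bob", "target": "tmp_admin", "group": "Administrators"},
]

WINDOW = timedelta(minutes=10)                      # assumed; tune per customer
ADMIN_GROUPS = {"Administrators", "Domain Admins"}  # assumed list of privileged groups
INTERACTIVE_LOGON_TYPES = (2, 10)                   # 2 = interactive, 10 = RemoteInteractive


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_rogue_admin_accounts(events, window=WINDOW):
    """Return one finding per (host, account) that was created, made admin and
    then used for an interactive logon, all within `window` of its creation."""
    created = {}   # (host, account) -> 4720 event
    elevated = {}  # (host, account) -> 4732 event into an admin group
    findings = []
    for e in sorted(events, key=_ts):
        key = (e["host"], e["target"])
        if e["id"] == 4720:
            created[key] = e
        elif e["id"] == 4732 and e.get("group") in ADMIN_GROUPS:
            c = created.get(key)
            if c and _ts(e) - _ts(c) <= window:
                elevated[key] = e
        elif e["id"] == 4624 and e.get("logon_type") in INTERACTIVE_LOGON_TYPES:
            c, el = created.get(key), elevated.get(key)
            if c and el and _ts(e) - _ts(c) <= window:
                findings.append({
                    "host": e["host"],
                    "account": e["target"],
                    "created_by": c["subject"],
                    # ATT&CK: create local account, account manipulation, valid local account
                    "techniques": ["T1136.001", "T1098", "T1078.003"],
                    "evidence": [c["ts"], el["ts"], e["ts"]],
                })
                elevated.pop(key)  # fire once per chain, not once per logon
    return findings


if __name__ == "__main__":
    for f in detect_rogue_admin_accounts(EVENTS):
        print(f"{f['host']}: {f['account']} created by {f['created_by']} -> {f['techniques']}")
```

Only the WS-042 chain fires: the DC-01 account never reaches a privileged group, and the WS-007 elevation happens hours after creation. Testing such an analytic against ATT&CK means replaying the same chain produced by different tools (net.exe, PowerShell, an RMM agent) and confirming the detection does not depend on which one was used.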
2. Ingesting and storing data is expensive
Ingesting and storing data no longer has to be this expensive. There are new options worth considering. Look for data ingestion and storage technologies that provide:
- The ability to scale to capture the amount of data you need about your customers now and in the near future, even if you “open the floodgates” and filter less.
- Fast search across your current and near-term data volumes.
- Real-time (or near-real-time) data analysis.
- Support for your existing security telemetry sources.
- The ability to ingest data from all sources: on-premises, cloud, and so on.
- Pricing that doesn’t penalize you for collecting more data.
3. It’s hard to get and keep talent
Talent acquisition and retention is an ongoing and growing problem, and many analysts are burned out. Automation can relieve your people of tedious L1 and L2 tasks. Technology products that use data analytics and machine learning can provide deep context, identify trends and anomalies, enrich data, and perform other functions that speed resolution while reducing fatigue.
Use technology to dramatically improve the way you conduct security operations, not just to automate current processes and make them more efficient. For example, look beyond threat detection and response to proactive “peacetime” activities that build resilience before an attack.
Think in terms of effectiveness rather than “efficiency” measured by metrics that new technology may render obsolete. For example, enabling your team to handle more customers is a better metric than the number of tickets they can close. (After all, technology can also cause more tickets to be generated.)
If you have a good team, help them be happy and very productive. Look for technology that:
- Enables your current team to be more effective, not only through automation but also through data analytics, machine learning, and more.
- Supports proactive “peacetime” activities that build resilience before an attack.
- Doesn’t require you to hire more experts.
- Reduces burnout and is something your team is excited to use.
4. Mapping threats against assets is difficult
When there are too many alerts, it’s impossible to know where to focus. Is this an attack targeting a high-value business resource, or an isolated asset holding no critical data? Answering that depends on knowing your assets. But keeping track of assets is extremely challenging when they constantly come online and go offline.
So look for technologies that offer:
- Automatic asset discovery and the ability to tag assets depending on their business importance.
- Ability to map known threats against each customer’s assets to see where they may not have sufficient log coverage for early detection.
5. Too many alerts and false positives
More tools provide more data, but also produce more noise, hiding important events in plain sight. It is an area ripe for data analytics, machine learning and enhanced automation.
The goal is to make your people more effective, not merely more efficient at closing false-positive tickets.
Look for technology that offers realistic ways to reduce false positives while improving important signals – fast.
Think about the types of signals you need to detect:
- Across the infrastructure to find more complex attack patterns.
- Over time, to find trends that play out over months or longer.
Consider how signals should be improved:
- Correlating alerts from different sources with tickets, users and assets.
- Prioritization and scoring to assess which signals should be addressed first for maximum efficiency.
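The two lists above, and the asset-mapping requirements in section 4, describe one pipeline: enrich alerts with asset criticality, correlate across tools, score, and check where log coverage is missing. The Python below is an added example written for this page (not Netenrich’s product code) that implements that pipeline end to end. The asset inventory, the alerts from three tools, the per-technique telemetry requirements, the 30-minute correlation window and the scoring weights are all constructed assumptions; the point is the structure, not the numbers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory (assumed): business criticality tag plus which
# telemetry sources actually report for the asset, i.e. what is being ingested.
ASSETS = {
    "db-prod-01": {"criticality": "high",   "sources": {"edr", "auth"}},
    "ws-142":     {"criticality": "low",    "sources": {"edr"}},
    "vpn-gw":     {"criticality": "medium", "sources": {"firewall"}},
}

# Telemetry a technique needs before any detection for it can work (assumed).
TECHNIQUE_SOURCES = {
    "T1078": {"auth"},              # Valid Accounts: authentication logs
    "T1059": {"edr"},               # Command and Scripting Interpreter: process telemetry
    "T1021": {"auth", "firewall"},  # Remote Services: logons plus network flows
}

SEVERITY = {"low": 1, "medium": 3, "high": 5}                 # assumed
CRITICALITY_WEIGHT = {"low": 1.0, "medium": 1.5, "high": 2.5}  # assumed

# Constructed alerts from three tools that do not know about each other.
ALERTS = [
    {"ts": "2024-03-01T08:00:00", "source": "firewall", "host": "vpn-gw",     "user": "alice", "technique": "T1021", "severity": "low"},
    {"ts": "2024-03-01T08:04:00", "source": "auth",     "host": "db-prod-01", "user": "alice", "technique": "T1078", "severity": "medium"},
    {"ts": "2024-03-01T08:09:00", "source": "edr",      "host": "db-prod-01", "user": "alice", "technique": "T1059", "severity": "medium"},
    {"ts": "2024-03-01T13:00:00", "source": "edr",      "host": "ws-142",     "user": "bob",   "technique": "T1059", "severity": "high"},
]


def correlate(alerts, window=timedelta(minutes=30)):
    """Group alerts that share a user or host within `window` into incidents."""
    incidents = []
    for a in sorted(alerts, key=lambda x: datetime.fromisoformat(x["ts"])):
        t = datetime.fromisoformat(a["ts"])
        for inc in incidents:
            shares_entity = a["user"] in inc["users"] or a["host"] in inc["hosts"]
            if shares_entity and t - inc["last"] <= window:
                inc["alerts"].append(a)
                inc["users"].add(a["user"])
                inc["hosts"].add(a["host"])
                inc["last"] = t
                break
        else:
            incidents.append({"alerts": [a], "users": {a["user"]}, "hosts": {a["host"]}, "last": t})
    return incidents


def score(inc, assets=ASSETS):
    """Weight by the most critical asset touched, then reward breadth: alerts
    from independent sources and distinct techniques on one entity are stronger
    evidence than one tool firing repeatedly."""
    crit = max(CRITICALITY_WEIGHT[assets[h]["criticality"]] for h in inc["hosts"])
    base = max(SEVERITY[a["severity"]] for a in inc["alerts"])
    sources = {a["source"] for a in inc["alerts"]}
    techniques = {a["technique"] for a in inc["alerts"]}
    return round(base * crit + 2 * (len(sources) - 1) + 2 * (len(techniques) - 1), 1)


def prioritize(alerts):
    """Return (score, hosts, techniques) per incident, highest score first."""
    incs = correlate(alerts)
    return sorted(
        ((score(i), sorted(i["hosts"]), [a["technique"] for a in i["alerts"]]) for i in incs),
        key=lambda row: row[0], reverse=True,
    )


def coverage_gaps(assets=ASSETS, needs=TECHNIQUE_SOURCES):
    """For each asset, list techniques that cannot be detected because a
    required telemetry source is not being ingested from that asset."""
    gaps = defaultdict(list)
    for host, meta in assets.items():
        for tech, required in needs.items():
            missing = required - meta["sources"]
            if missing:
                gaps[host].append((tech, sorted(missing)))
    return dict(gaps)


if __name__ == "__main__":
    for row in prioritize(ALERTS):
        print(row)
    for host, missing in coverage_gaps().items():
        print(host, "cannot detect:", missing)
```

The ordering is the point: three low- and medium-severity alerts from three different tools, tied together by one user moving from the VPN gateway to a production database, outrank a single high-severity EDR alert on a low-value workstation. The coverage report then tells you that, for example, db-prod-01 has no firewall telemetry, so a Remote Services detection for it would be blind no matter how good the rule is.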
Conclusion – It’s all about security – and margins: To sustain your business and your margins, you must constantly evaluate the technologies that enable your teams to keep your customers secure. At the same time, you cannot protect margins with a more-tools, more-people approach. So choose your technology wisely.
Try Resolution Intelligence Cloud from Netenrich
If any of the challenges discussed in this guide resonate, we have a solution: Resolution Intelligence Cloud is purpose-built for MSSPs, MSPs, and enterprises using a service provider model.
Resolution Intelligence takes a comprehensive, operations-based approach to dramatically improve the way you run security so you can be more effective with the people and tools you have. Contact us to learn how Resolution Intelligence cloud improves threat detection and security operations by:
- Crossing silos between tools while leveraging your tool investment.
- Providing low-cost, penalty-free data ingestion and storage (hot data for 1+ year).
- Enabling your teams to be dramatically more effective with far less fatigue.
- Automatic discovery of assets, enabling you to identify which are critical to the business and using that information to identify where security analysts should focus.
- Identifying patterns and correlating events from different sources to reduce the noise of false positives while increasing the signals of real issues.
To learn more and get a demo, visit www.netenrich.com.
Guest blog courtesy of Netenrich. Check out more Netenrich guest blogs here. Regularly contributed friend blogs are part of the MSSP Alert sponsorship program.