Considerations when selecting your managed security services provider (MSSP)

An MSSP enables you to outsource much of the heavy lifting of security operations. Henrik Davidsson, Director Business Development, Vectra, tells us that many businesses are outsourcing specific security capabilities to MSSPs in order to cope with challenges in the cybersecurity sector.

The rationale behind choosing to outsource elements of your cybersecurity operations to a managed security services provider (MSSP) can be numerous. For one, organisations are increasingly transforming into ‘digital businesses’, where almost all of their operations are conducted online — documents created, stored and edited in the cloud, communications via email, meetings held over Skype or Zoom. This creates a greater attack surface for cybercriminals, yet businesses have limited time, money, people and skills with which to secure their operations. In fact, overcoming the cybersecurity skills shortage is arguably the number one reason that organisations look to MSSPs — finding the right talent in cybersecurity and retaining skilled professionals once they’ve been trained is very difficult.

There are other challenges worth highlighting when considering outsourcing to an MSSP. One is that service descriptions are very complex and difficult to understand. For example, service level agreements (SLAs) can be a challenge to compare, such as what is included and what’s not. Then there is the fact that the threat landscape is continuously changing, and data privacy regulations are getting tighter.

To cope with these challenges, many businesses are outsourcing specific security capabilities to MSSPs, but they need to look at whether these are the right ones to outsource — customers often have limitations in terms of what they need, what they ask and what they look for in an MSSP relationship. They must have a clear understanding about what the MSSP will deliver versus what resources the organisation needs to deliver.

To that end, before even considering an MSSP, it is important to clearly define:

• What do you want to protect? Do you know where your critical assets are located?
• Who is responsible for responding appropriately to an incident from an MSSP? Are your internal processes aligned and staffed to successfully interact with an MSSP?
• If you are buying an incident response service, have you agreed which rights or limitations this service includes? For example, can the MSSP quarantine your CEO’s laptop or block a port on your firewall? What are the business consequences? Early detection and mitigation of attacks are critical, especially with ransomware.
• In many areas, there are discussions about use cases, which serves many good purposes, particularly when procuring a managed service.
• What are the agreed-upon key performance indicators (KPIs) and how are they measured? Do you fully understand what the KPIs mean?

What does a managed detection and response (MDR) service from an MSSP normally look like?

No defences are perfect. MDR services seek to reduce the time that a cyberattacker can operate undiscovered inside your organisation.

An ideal MSSP service should be built around the SOC Visibility Triad model, which was introduced by Gartner. The triad combines network detection and response (NDR), endpoint detection and response (EDR) and event logs, which are commonly handled via a SIEM. Using this model, MSSPs can correlate and provide incident notifications in a reporting portal. A good starting point is to begin with the network and cloud using a service based upon Network Detection and Response (NDR). NDR is device-agnostic and so can monitor every single device and workload without the hassle or coverage gaps that client-based EDR tools have. That’s not to say EDR tools don’t have value — they absolutely do because of their unique ability to inspect local processes. But in terms of time to value and coverage, NDR is the clear choice.

There are other MSSP services that can be procured, but the surge in threat detection services is estimated to receive a majority of investments according to several research firms, such as Gartner, IDC and Forrester.

To anticipate the dynamics and responsibilities between you and your MSSP, it is advisable to consider a few scenarios, each with its own set of considerations, challenges and advantages:

1) Build and operate your own SIEM solution

• Takes a long time to realise value for the organisation; normally 12 months or longer
• Difficult to find, attract and retain cybersecurity talent in the organisation
• Difficult to know which log sources to start with and which are most critical to robust security
• Very difficult to establish 24/7 coverage

2) Good or poorly-managed MSSP relationship with SIEM as-a-Service

• Faster to realise value than building your own; can be up and running in at least six to 12 months
• Value reduces over time when the relationship is not properly managed
• MSSP has some idea about which log sources are good for threat detection. But log analysis for threat detection is only as good as the logs you analyse
• Can have 24/7 coverage in the service

3) Good managed MSSP relationship with a vendor

• Provides value to the customer within a month instead of six to 12 months with SIEM as-a-Service
• Value increases over time when there is a mutually agreed-upon plan and cadence for operations
• Can have 24/7 coverage in the service
• Build out service with EDR and SIEM as-a-Service over time to augment threat detection
• Integrates with existing investments such as SIEMs, EDR, firewalls and SOAR systems. Accelerates and augments overall value

Finally, once you have made a decision on which MSSP to work with, always consider dedicating a project manager to oversee the implementation, no matter which area you start in. Also ensure to have monthly operations meetings with your MSSP and quarterly business reviews. This will enable you to think strategically about how to build out a productive working relationship and identify new areas of improvement in the service as well as its overall value.

Before I wrap up, a couple of notes of caution. There is no doubt that selecting an MSSP might be compelling, particularly in the current climate where businesses are under immense pressure to reduce overheads and slash budgets, but working with an MSSP does not absolve the organisation of all responsibility.

For one, while leveraging an MSSP enables you to outsource much of the heavy lifting of security operations, what you cannot outsource is the organisational learning and contextual knowledge. These are two critical components to an effective cybersecurity defence. Many organisations, even large enterprises, are hybrid in their security operations, blending in-house specialists with outsourced operations. For example, a service provider can deliver continuous monitoring of endpoints and networks quarantining of infected hosts and remediation, while the organisation maintains and operates its defensive and access controls.

Second, you still need to do the basics first and do them well. This includes perimeter security (firewalls), access controls (MFA) and endpoint controls (AV/malware defences). Don’t forget about users — they’re your biggest attack surface and first line of defence. So, ensure you do regular security training with them and embed security into the business culture, rather than just seeing it as an IT or ‘technology’ issue.