There is a lot of confusion around the term MSSP (Managed Security Services Provider). What are they? What do they do? What is their value? Can’t I just do that myself?
The term MSSP had its genesis with the internet service providers (ISPs) of the 1990s: the ISP bundled a firewall with the internet service and would manage that firewall for you for an additional fee. Over time MSSPs began to evolve, and in addition to managing your firewall they would start monitoring it. “Monitoring” meant they would collect the firewall’s system messages and then, using their Security Operations Center (SOC), analyze any events that triggered on known Indicators of Compromise (IOCs). This could include services such as up/down statistics and bandwidth monitoring; however, all monitoring was confined to the customer’s perimeter firewall.
The MSSP evolved into what was mainly referred to as Managed SIEM (Security Information and Event Management). SIEM continued to evolve, as did the threats. Today most MSSPs include threat hunting: instead of just monitoring logs, they use threat intelligence to determine the adversary’s objective, then detect and potentially disrupt the adversary’s actions. At a high level the threat hunters are correlating events, actively investigating abnormal network activity through packet captures, and analyzing data collected from endpoints. Advanced MSSPs such as Foresite use business rules to sift through the large volume of data and weed out false positives programmatically, so that the human analysts can refine their own tactics, techniques, and procedures (TTPs) to focus solely on disrupting the adversary’s ‘actions on objectives’. MSSPs that have evolved to this level go by a new term: Managed Detection and Response (MDR) providers.
It makes complete sense that these services evolved this way. Log management and analysis naturally leads to uncovering incidents (threat hunting), and from there to incident response. A large part of incident response is finding artifacts and evidence, which are often contained in the logs. All of these things mesh together like teeth on the same gear.
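To make the three stages above concrete (IOC matching on firewall logs, business rules that weed out false positives, and correlation of what survives), here is an added example. It is not code from the original post or from Foresite; the log lines, the IOC feed, the scanner and resolver addresses, and the rule values are all constructed for the demonstration, and the key=value log format is a generic stand-in rather than any vendor’s real syntax.

```python
"""Added example, not code from the original post or from Foresite: a minimal
version of the pipeline the text describes. Firewall log lines are parsed,
matched against an Indicator of Compromise (IOC) list, filtered by business
rules that drop known false positives, and correlated per internal host so the
analyst sees one prioritized alert instead of a stream of raw matches.
Every log line, IOC and rule value here is constructed for the demonstration;
the log format is a generic key=value style, not any vendor's real syntax."""
import re
from collections import defaultdict

# Constructed firewall messages (RFC 5737 documentation ranges as the "bad" IPs).
SAMPLE_LOGS = """\
Jan 12 10:01:03 fw01 kernel: action=ALLOW src=10.0.5.23 dst=203.0.113.77 dport=443 proto=tcp
Jan 12 10:01:09 fw01 kernel: action=ALLOW src=10.0.5.23 dst=203.0.113.78 dport=443 proto=tcp
Jan 12 10:01:15 fw01 kernel: action=DENY src=198.51.100.9 dst=10.0.5.23 dport=22 proto=tcp
Jan 12 10:02:00 fw01 kernel: action=ALLOW src=10.0.9.4 dst=203.0.113.77 dport=443 proto=tcp
Jan 12 10:02:30 fw01 kernel: action=ALLOW src=10.0.1.1 dst=8.8.8.8 dport=53 proto=udp
Jan 12 10:03:00 fw01 kernel: action=ALLOW src=10.0.5.23 dst=192.0.2.10 dport=80 proto=tcp
"""

# Constructed IOC feed: flagged addresses and the context the intel came with.
IOCS = {
    "203.0.113.77": "c2-beacon",
    "203.0.113.78": "c2-beacon",
    "198.51.100.9": "internet-scanner",
    "8.8.8.8": "dns-seen-in-report",  # deliberately noisy indicator
}

# Business rules captured at onboarding (constructed values).
AUTHORIZED_SCANNERS = {"10.0.9.4"}  # internal vulnerability scanner
TUNED_OUT_IOCS = {"8.8.8.8"}        # public resolver; matches are noise here

LINE_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def parse(lines):
    """Turn raw log text into dicts; lines that do not parse are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({**m.groupdict(), "raw": line})
    return events


def match_iocs(events):
    """Stage 1: every line whose source or destination is on the IOC list."""
    hits = []
    for e in events:
        for field in ("src", "dst"):
            if e[field] in IOCS:
                ind = e[field]
                internal = e["dst"] if field == "src" else e["src"]
                hits.append({**e, "indicator": ind, "kind": IOCS[ind], "host": internal})
                break
    return hits


def apply_business_rules(hits):
    """Stage 2: suppress hits the customer's own context explains."""
    kept = []
    for h in hits:
        if h["indicator"] in TUNED_OUT_IOCS:
            continue  # indicator reviewed and tuned out as a false positive
        if h["src"] in AUTHORIZED_SCANNERS:
            continue  # the vuln scanner is expected to touch bad addresses
        if h["action"] == "DENY" and h["indicator"] == h["src"]:
            continue  # inbound probe already blocked at the perimeter
        kept.append(h)
    return kept


def correlate(hits):
    """Stage 3: one alert per internal host, scored on what the hits show."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    alerts = []
    for host, hs in by_host.items():
        indicators = sorted({h["indicator"] for h in hs})
        kinds = {h["kind"] for h in hs}
        # A host allowed out to more than one C2 address looks like live beaconing.
        severity = "high" if "c2-beacon" in kinds and len(indicators) > 1 else "medium"
        alerts.append({"host": host, "hits": len(hs), "indicators": indicators, "severity": severity})
    return sorted(alerts, key=lambda a: (a["severity"] != "high", -a["hits"]))


def run_pipeline(lines=SAMPLE_LOGS):
    """Run all three stages; return the count at each stage plus the alerts."""
    events = parse(lines)
    raw = match_iocs(events)
    tuned = apply_business_rules(raw)
    return {
        "events": len(events),
        "raw_hits": len(raw),
        "tuned_hits": len(tuned),
        "alerts": correlate(tuned),
    }


if __name__ == "__main__":
    for key, value in run_pipeline().items():
        print(f"{key}: {value}")
```

On the constructed input, six log lines produce five raw IOC hits; the business rules drop the authorized scanner, the tuned-out resolver indicator and the blocked inbound probe, leaving two hits that correlate into a single high-severity alert for the one workstation talking to two C2 addresses. The rules are the part an MSSP cannot write without the customer: each one encodes a fact (which host is the scanner, which indicator is noise) that only onboarding can supply.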
Can’t we do that ourselves?
If you have the resources and budget for the necessary tools and personnel, it is possible to deploy a solution in house. This requires a dedicated team and a SOC to provide the expertise to evaluate threats, plus expensive tools, such as a SIEM, to help correlate and triage events. There are some common pitfalls that make deploying a SIEM difficult:
- Failing to plan the deployment properly.
- Failing to define scope, or letting the scope creep.
- Unrealistic expectations: this often carries a high price tag, and the tools need constant, continuous tuning, which consumes many staff hours and lengthens the initial deployment.
- Failing to monitor the right devices, or lacking additional sources (packet captures, NetFlow, etc.), which leaves the analysts without context.
- Inadequate staffing: how many 24/7 analysts do you need? How many solutions architects? Do you need developers? Any of these gaps can cause the project to fail.
- Staff retention. Threat hunters are highly sought after and therefore have plenty of opportunities outside your organization.
The benefit of outsourcing these controls to an MSSP such as Foresite is that we can help with each of these issues. Our Solutions Architects will help you plan and scope. Our experience tells us what we need to monitor to get context. During onboarding we will be asking the right questions to learn where the crown jewels are and what your drivers are (e.g. compliance, alerting, threat management). Our SOC analysts and Solutions Architects are trained and certified, and a pure-play security and compliance company gives them numerous opportunities to stay engaged and interested.
An additional value of this type of service is log storage. Regulations often mandate that these logs be stored securely for a period usually measured in years. Most MSSPs offer certified, encrypted storage with a retention period that can be adjusted to your needs. Check that the contracted retention period, encryption at rest, and integrity protection of the stored logs actually satisfy the specific regulation you are subject to, and that the logs can be retrieved in a form usable as evidence.
MSSP Utopia
So is that it? Do I just sign up with Foresite or another MSSP and I am good to go? As with any software or service, there are steps you can take to make the relationship a success.
- First, make sure that someone in your organization is the communication lead. One of the hardest things for an MSSP is not knowing who to talk to or who to engage. This applies not just during onboarding but for the entire relationship. Your MSSP does not want to see an incident, hear the customer ask ‘why didn’t you alert us’, and have to answer ‘we did’. The more the MSSP is part of your team, the more value you will see from your investment.
- Work with the Solutions Architect during onboarding so that the knowledge transfer is accurate. It is difficult to make sure the business rules are appropriate when devices show up that have no context or were never specified. The SOC personnel reach out to the Solutions Architect to ask what the device is, and the Solutions Architect has no idea. All of this can frustrate the project and the relationship.
- Finally, don’t use price as the ultimate arbiter. The MSSP model is often priced by device or by bandwidth (which amount to roughly the same thing, since each device generates a certain amount of log traffic). But look at it this way: if you want the service to be effective and deliver the most value, the more visibility the better. The goal is to paint a picture of an event and determine whether it is an incident. Imagine the Mona Lisa as just a sketch, a grayscale outline with no color. How much might the viewer miss? The more detail we can give the MSSP’s SOC, the clearer the picture. The better they can determine what is really going on in the picture, the sooner they can alert or disrupt, which is really the goal of all of this.
Getting There
It is an incredibly exciting time to be in information security. On the one hand, we see the threats and the breaches increasing day over day, month over month, year over year. On the other hand, we have innovative and intelligent tools to prevent and detect the bad event. An MSSP can be another tool in your belt to help your organization avoid becoming the next victim of a security breach.