Over the course of the last few years we have experienced the cybersecurity reality changing dynamically in front of our eyes: multi-vector attacks are increasingly common, file-less attacks are presenting new detection challenges, and ransomware can now not only lock a workstation, but propagate across the organization and disrupt the entire operation.
These, and other emerging threats, have changed the way we think and practice cybersecurity. As a result, the role of cybersecurity organizations has become significantly more complex and challenging.
More than anything else, however, we are experiencing a dramatic increase in the shortage of skilled cybersecurity professionals. This shortfall has become the number one obstacle for CISOs in establishing an effective cybersecurity operation. To solve the problem, many organizations are outsourcing their entire Security Operations Center (SOC).
This trend is driving explosive growth of the managed security service provider (MSSP) market. Driven by fierce competition, MSSPs are seeking new and innovative ways to expand their offerings and solve more pieces of the cybersecurity puzzle for their customers. Many of them are expanding from perimeter security and device management to managing threats and providing threat hunting, incident response (IR) and managed detection and response (MDR) services.
As MSSPs strive to remain competitive in this shifting landscape, they face many challenges. For example, they must deal with multiple security vendors and integrate each of them into their technology stack.
Today, most traditional MSSP IT customers also manage some level of OT assets, ICS networks, and IoT assets. Attackers have more ways to penetrate the organization, and they traverse across these environments to locate critical assets, resulting in an expanded and converged attack surface. MSSPs also work with anywhere from dozens of customers for the smaller providers to thousands for the large MSSPs. They are managing tens of thousands of events per day, even more in some cases!
These challenges pose several business risks for MSSPs, including a reduced quality of service. Small MSSPs also find it difficult to scale up their operation and add new customers beyond several dozen, and can ingest no more than tens of thousands of incidents per day. What’s more, the fierce competition pushes MSSPs to reduce prices, which hurts their overall profitability.
To remain competitive and profitable while maintaining quality of service, MSSPs must change their mindset and, first, recognize that hiring new talent is no longer an option. Talent is limited and margins are low. Instead, the new mindset should be about doing more with less: increasing the impact of the managed SOC, making staff more efficient, simplifying operations, reducing skill level barriers, and freeing higher tier analysts to focus on critical incidents. Here are three ways MSSPs can achieve this:
Automate and Orchestrate the Incident Response Operation
Forward thinking MSSPs are preparing for this challenging landscape by setting up their IR operation for complete, end-to-end automation and orchestration of their entire “production floor”, including:
- SOC management – implement a single platform to orchestrate and manage all aspects of a multi-tenant SOC
- Incident prioritization – with huge volumes of alerts, critical incidents can easily fly under the radar and cause a breach before they are addressed. By automatically prioritizing incidents according to their business priority and their SLA requirements, MSSPs can maintain quality of service and ensure that critical incidents are never left unattended.
- Playbook automation – identify which manual tasks in the IR playbook can be automated. For example, alerting stakeholders, isolating workstations and collecting data for enrichment are all manual tasks that can be automated. Automating IR can shorten time to respond by up to 90 percent, positioning the analyst ahead of the attacker, and it multiplies the impact of the IR team.
- Documentation and authentication – automatically record and authenticate activities. This lets MSSPs help organizations comply with industry regulations like GDPR without increasing their efforts.
- Increasing transparency and reducing client support calls – by automatically generating situational awareness dashboards and reports for end customers, MSSPs can increase transparency and quality of service. This in turn reduces support calls and frees customer support reps to focus on priority tasks.
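The incident prioritization item above can be made concrete. The following is an added example, not code from the original post or from any vendor product: a small multi-tenant triage routine that orders the queue by remaining SLA headroom first, then by the customer's business priority, then by severity, and separately flags incidents whose SLA has already lapsed. The tenant table, SLA values and incidents are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed tenant table: business priority (1 = most critical customer) and
# the response SLA, in minutes, that each contract grants per severity.
TENANTS = {
    "acme-utility": {"priority": 1, "sla": {"critical": 15, "high": 60, "medium": 240, "low": 1440}},
    "retail-co": {"priority": 3, "sla": {"critical": 30, "high": 120, "medium": 480, "low": 2880}},
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass
class Incident:
    incident_id: str
    tenant: str
    severity: str
    created: datetime

def sla_window(inc: Incident) -> timedelta:
    """Time the contract allows before an analyst must own the incident."""
    return timedelta(minutes=TENANTS[inc.tenant]["sla"][inc.severity])

def sla_remaining_fraction(inc: Incident, now: datetime) -> float:
    """Share of the SLA window still left; negative once the SLA is breached."""
    return (inc.created + sla_window(inc) - now) / sla_window(inc)

def triage_key(inc: Incident, now: datetime) -> tuple:
    """Least SLA headroom first, then customer priority, then severity."""
    return (round(sla_remaining_fraction(inc, now), 3),
            TENANTS[inc.tenant]["priority"], SEVERITY_RANK[inc.severity])

def prioritize(incidents: list[Incident], now: datetime) -> list[str]:
    """Incident ids in the order the analyst queue should present them."""
    return [i.incident_id for i in sorted(incidents, key=lambda i: triage_key(i, now))]

def breached(incidents: list[Incident], now: datetime) -> list[str]:
    """Incidents whose SLA has lapsed: escalate these, never let them sit in the queue."""
    return [i.incident_id for i in incidents if sla_remaining_fraction(i, now) < 0]

def demo() -> tuple[list[str], list[str]]:
    now = datetime(2024, 1, 1, 12, 0)  # constructed clock
    queue = [
        Incident("INC-1", "retail-co", "low", now),
        Incident("INC-2", "acme-utility", "high", now - timedelta(minutes=45)),
        Incident("INC-3", "retail-co", "critical", now - timedelta(minutes=35)),
        Incident("INC-4", "acme-utility", "medium", now),
    ]
    return prioritize(queue, now), breached(queue, now)
```

In the constructed queue the breached critical incident for the lower-priority tenant still goes first, and two incidents with identical SLA headroom are ordered by tenant business priority.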
Integrate the technology stack
To avoid a fragmented, loosely integrated technology stack, MSSPs have a few options. They can build solutions in-house, or they can work with a single vendor that can provide as many of the technologies as possible in an integrated way.
MSSPs should aim to integrate their stack in two dimensions. First, the technology stack should cover the entire National Institute of Standards and Technology (NIST) IR life cycle, from preparation to post-incident activity. Ideally, this entire process is managed from a single screen.
Second, the solution should be integrated across IT and OT (ICS/SCADA) networks and IoT devices. Segmented approaches result in a lack of visibility across the entire attack surface, reduced detection of attacks that move from IT to OT, and an inability to respond to incidents at scale.
Train Your Team
Just like their enterprise customers, MSSPs must ramp up their training plan and seek more effective ways to deliver it. A well-trained incident responder can do the work of two, reduce time to respond dramatically, and is far more effective at preventing a breach.
MSSPs should look at hands-on training that enables their incident responders to experience the actual tools they will use. This approach has proven to have more impact than tabletop or classroom training.
As the landscape continues to shift, MSSPs should shift mindset to doing more with less – increasing the impact of their current team so they can scale their operation, support more customers, and grow business, while maintaining quality of service and increasing margins. This starts with automating and orchestrating security detection and response playbooks.
In the coming years, these best practices will likely become the de facto industry standard for MSSPs. Those who are quick to jump on the automation bandwagon will be the ones to grow their footprint, differentiate, and gain the market share in this competitive segment.