Challenges facing MSSP Clients:
Many organisations looking for a Managed Security Service Provider (MSSP) do so in order to save on staffing costs, solve the challenges of staff retention, and assume accuracy and effectiveness improvements. Do you know what you are getting when engaging with a managed security provider? Are they experts in “everything security” or specialist in specific aspects of cyber?
Many MSSP’s offer complex or vague descriptions of their service offerings in order to try and give the impression they “do it all” ever so well. The reality is just not the case. Many Security Operations Centre (SoC) -as-a-service employ folks with minimal experience or little experience in building, deploying and managing a system in a production environment. The reliance on tools alone is also a problem as a SoC is only as good as the tooling and staff combined. The majority of SoC operations staff are not equipped with the skills an experienced consultant or determined attacker has i their armory. Tools also produce vast amounts of white noise which in effect are false positives and even worse false negatives can occur.
The retention ratio for MSSP staff is also problematic as salary’s for SoC staff is on the lower end of the cyber security pay-scale. This gives rise to concerns given the SoC is the monitoring and threat detection center for an organisation who in effect face off with actors of malicious intent on a daily basis. Bottom line, your cyber security staff are your last line of defense against some pretty determined threat agents out in the wild.
Features to look out for in choosing a MSSP partner
Data Quality: Accuracy results in less effort and greater efficiency. Tooling is simply a conduit to view events. Promoting events to incidents takes time and skill. Tuning tools also takes time and skill. What is the False positive Rate for a given solution.
Ask what types of data will be the shared, what dashboards or API’s are available in order to consume such information. MSSP is an outcome-driven service after all.
I’ve seen vulnerabilities being classed as “False Negatives” due to the SoC team nut understanding the issue correctly and not being able to reproduce the issue.
Integration and output: Understand how clean actionable data can be integrated into your organisations systems. Be it SDL pipeline or ticketing system can the MSSP integrate with your systems with ease?
Measure Success: How can the MSSP provide metrics which you can use to measure success. Breach attempts thwarted? Malicious activity detected, Vulnerabilities discovered, Vulnerabilities mitigated.
Can the data provide insight into measuring what success looks like. We can improve what we can measure.
Clear communication to the business on the value of the service, investment in time and budget is key to garnering support for cyber security. MSSP’s should be able to help you with this challenge.