Prep your Microsoft environment for an identity-based attack.
Book an identity exposure gap analysis today.

Considerations When Selecting Your Managed Security Services Provider

August 22, 2019
Henrik Davidsson
Sr. Director for Global Partner Strategy, Programs & Enablement, Vectra
Considerations When Selecting Your Managed Security Services Provider

The rationale behind choosing a managed security services provider (MSSP) can be numerous, but one of the primary reasons is to overcome the cybersecurity skills shortage. Finding the right talent in cybersecurity and retaining skilled professionals once they’ve been trained is very difficult.

There are other challenges worth highlighting when considering outsourcing to an MSSP. One is that service descriptions are very complex and difficult to understand. For example, service level agreements (SLAs) can be a challenge to compare, such as what is included and what’s not. Customers often have limitations in terms of what they need, what they ask and what they look for in an MSSP relationship. Customers must have a clear understanding about what the MSSP will deliver versus what resources you need to deliver.

It is therefore very important to understand:

  • What do you want to protect? Do you know where your critical assets are located?
  • Who is responsible for responding appropriately to an incident from an MSSP? Are your internal processes aligned and staffed to successfully interact with an MSSP?
  • If you are buying an incident response service, have you agreed which rights or limitations this service includes? For example, can the MSSP quarantine your CEOs laptop or block a port on your firewall? What are the business consequences? Early detection and mitigation of attacks are critical, especially with ransomware.
  • In many areas, there are discussions about use cases, which serves many good purposes particularly when procuring a managed service.
  • What are the agreed-upon key performance indicators and how are they measured? Do you fully understand what the KPIs mean?

What does a threat detection service from an MSSP normally look like? An ideal MSSP service should be built around the SOC Visibility Triad model, which was introduced by Gartner. The triad combines network detection and response (NDR), endpoint detection and response (EDR) and event logs, which are commonly handled via a security event information management (SIEM). Using this model, MSSPs can correlate and provide incident notifications in a reporting portal.

There are other MSSP services that can be procured, but the surge in threat detection services is estimated to receive a majority of investments according to several research firms, such as Gartner, IDC and Forrester.

Roadmap for successful managed detection and response

To anticipate the dynamics and responsibilities between you and your MSSP, it is advisable to consider a few scenarios:

1. Build your own SIEM solution

  • Long time to realize value for the organization, normally 12 months or longer.
  • Difficult to find, attract and retain cybersecurity talent in the organization.
  • Which log sources do you start with? What is good for security?
  • How do you establish 24/7 coverage?

2. Good or poorly-managed MSSP relationship with SIEM as a service

  • Faster to realize value than building my own, can be up and running in at least six to 12 months.
  • Value reduces over time when the relationship is not properly managed.
  • MSSP has some idea about which log sources are good for threat detection. But log analysis for threat detection is only as good as the logs you analyze.
  • Can have 24/7 coverage in the service.

3. Good managed MSSP relationship with Vectra as a service

  • Provides value to the customer within a month instead of six to 12 months with SIEM as a service.
  • Value increases over time when there is a mutually agreed-upon plan and cadence for operations.
  • Can have 24/7 coverage in the service.
  • Build out service with EDR and SIEM as a service over time to augment threat detection.
  • Integrates with existing investments such as SIEMs, EDR, firewalls and SOAR systems. Accelerates and augments overall value.

To wrap up, always consider dedicating a project manager to oversee the implementation, no matter which area you start in. Also ensure to have monthly operations meetings with your MSSP and quarterly business reviews. This will enable you to think strategically about how to build out a productive working relationship and identify new areas of improvement in the service as well as its overall value.