Medium to large organisations increasingly rely on managed security service providers (MSSPs) to deliver security monitoring, threat detection and incident response functions. This trend is driven by the shortage of cyber-security professionals, the complexity of the threat landscape, and the acceptance of managed and co-managed models by IT leadership.
Alert accuracy, relevance and context
At its core, an MSSP's job is to notify its customers of threats, attacks and compromises. Dissatisfaction with the quality of an MSSP's alerts is a common cause of buyer's remorse. Complaints include too many or too few alerts, high false-positive rates, and alerts that lack context and cogent recommendations. Ask your prospective MSSP the following:
- What percentage of alerts are investigated, validated and triaged by a SOC analyst before they are sent to the customer? The answer should be more than 50 per cent, and the MSSP should track how this percentage changes over time.
- What SIEM technology does the MSSP use to filter events and detect indicators of attack? If the MSSP developed the software itself, is it realistic that it can sustain a team of developers to maintain a state-of-the-art SIEM tool?
- What content has the MSSP built to enhance the accuracy of its SIEM tool? Ask for details of use cases, correlation rules, and integrated threat intelligence.
- View actual examples of alerts and ensure the full context of the event is described and understandable. Look for recommended next steps with each alert. Alert notifications should be relevant and actionable.
- Understand the SLAs associated with priority alerts. Does the clock start when the event occurred or when a SOC analyst was assigned the event? Are SLAs measured and reported on? The two definitions can give very different numbers for the same alerts, and only the first reflects how long a threat actually went unreported.
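The two metrics above (analyst-validated share of alerts, and SLA attainment measured from event time versus from analyst assignment) can be checked against an alert export rather than taken on trust. The script below is an added illustration, not code from Proficio or from any MSSP platform; it runs over a small constructed set of alert records, assumes a 30-minute notification target for priority-1 alerts, and uses field names (event, assigned, notified, validated) chosen for the example. Alerts the platform forwarded without an analyst ever picking them up have no assignment time, which is exactly why an assignment-based SLA can quietly exclude them.

```python
from datetime import datetime


def _t(s):
    """Parse an ISO-8601 timestamp (UTC assumed for the sample data)."""
    return datetime.fromisoformat(s)


# Constructed sample alert export for illustration only, not real MSSP data.
# "assigned" is None for alerts forwarded straight from the SIEM without an
# analyst picking them up; "validated" records whether an analyst confirmed
# the alert before the customer was notified.
SAMPLE_ALERTS = [
    {"id": "A1", "priority": "P1", "validated": True,
     "event": _t("2024-03-01T10:00:00"), "assigned": _t("2024-03-01T10:05:00"),
     "notified": _t("2024-03-01T10:20:00")},
    {"id": "A2", "priority": "P1", "validated": True,
     "event": _t("2024-03-01T11:00:00"), "assigned": _t("2024-03-01T11:50:00"),
     "notified": _t("2024-03-01T12:05:00")},
    {"id": "A3", "priority": "P1", "validated": True,
     "event": _t("2024-03-01T12:00:00"), "assigned": _t("2024-03-01T12:02:00"),
     "notified": _t("2024-03-01T13:30:00")},
    {"id": "A4", "priority": "P1", "validated": False,
     "event": _t("2024-03-01T14:00:00"), "assigned": None,
     "notified": _t("2024-03-01T14:01:00")},
    {"id": "A5", "priority": "P2", "validated": True,
     "event": _t("2024-04-02T09:00:00"), "assigned": _t("2024-04-02T09:30:00"),
     "notified": _t("2024-04-02T10:00:00")},
    {"id": "A6", "priority": "P2", "validated": False,
     "event": _t("2024-04-02T15:00:00"), "assigned": None,
     "notified": _t("2024-04-02T15:01:00")},
]

P1_SLA_MINUTES = 30  # assumed contractual target for priority-1 alerts


def validated_rate(alerts):
    """Fraction of alerts an analyst investigated and validated before notification."""
    if not alerts:
        return 0.0
    return sum(1 for a in alerts if a["validated"]) / len(alerts)


def validated_rate_by_period(alerts, period=lambda a: a["event"].strftime("%Y-%m")):
    """validated_rate broken down by period, so the trend over time is visible."""
    buckets = {}
    for a in alerts:
        buckets.setdefault(period(a), []).append(a)
    return {k: validated_rate(v) for k, v in sorted(buckets.items())}


def response_minutes(alert, clock):
    """Minutes from the chosen clock start to customer notification.

    clock="event" starts when the event occurred (the customer's exposure);
    clock="assignment" starts when an analyst picked the alert up.
    Returns None when the assignment clock never started.
    """
    if clock not in ("event", "assignment"):
        raise ValueError("clock must be 'event' or 'assignment'")
    start = alert["event"] if clock == "event" else alert["assigned"]
    if start is None:
        return None
    return (alert["notified"] - start).total_seconds() / 60


def sla_compliance(alerts, sla_minutes, clock, priority=None):
    """Return (fraction notified within the SLA, number of alerts the clock could measure).

    The second value matters: alerts with no assignment time drop out of an
    assignment-based SLA entirely, flattering the percentage.
    """
    selected = [a for a in alerts if priority is None or a["priority"] == priority]
    times = [m for m in (response_minutes(a, clock) for a in selected) if m is not None]
    if not times:
        return 0.0, 0
    met = sum(1 for m in times if m <= sla_minutes)
    return met / len(times), len(times)


if __name__ == "__main__":
    print("analyst-validated rate: %.0f%%" % (100 * validated_rate(SAMPLE_ALERTS)))
    print("by month:", validated_rate_by_period(SAMPLE_ALERTS))
    for clock in ("event", "assignment"):
        rate, n = sla_compliance(SAMPLE_ALERTS, P1_SLA_MINUTES, clock, "P1")
        print("P1 SLA met from %s clock: %.0f%% of %d measurable alerts" % (clock, 100 * rate, n))
```

On the sample data the same four P1 alerts score 50 per cent against the event clock but 67 per cent against the assignment clock, and the assignment view counts only three of them. When an MSSP quotes an SLA figure, ask which clock produced it and how many alerts were excluded from the denominator.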
Insight into your security posture
The best MSSPs do more than identify, notify and report on threatening events. To be effective, IT leaders need to understand their risk profile, identify where gaps exist in their existing security controls, and know which improvements to their defences to prioritise. Point-in-time security assessments help organisations understand their security posture, but many IT leaders prefer a continuous view of their strengths and weaknesses so they can articulate their risk profile to management at any time. Ask your prospective MSSP the following:
- Does your MSSP provide you with executive-level information on the strength of your security defences?
- Are you able to understand how risks apply to different parts of your network, endpoints and the cloud?
- Is it easy to understand how gaps in your security controls map to different stages of the cyber kill chain?
- Does your MSSP provide you with a risk score and compare it to your industry peers?
Managed detection and response (MDR)
Leading MSSPs have transitioned their services from security monitoring to managed detection and response. Organisations need to automate the response to suspicious activity and contain the threat before data is exfiltrated or malware propagates through the network. Ask your prospective MSSP the following:
- Does your MSSP provide you with automated and semi-automated endpoint detection and response services?
- Does your MSSP automate the blocking of suspicious inbound and outbound traffic at the perimeter?
- Can your MSSP work with a range of industry-leading security tools to orchestrate containment actions?
- Can your MSSP provide customised MDR services based on your unique use cases and correlation rules?
At Proficio, our mission is to deliver a level of security defence equivalent in value to the in-house security operations of a Fortune 100 company, but at an affordable subscription fee. Find out more about our SOC-as-a-service at www.proficio.com.
by Brad Taylor, CEO, Proficio