Managed security service providers (MSSPs) aim to solve the challenges created by today’s increasingly complex IT environment and growing volume of threat activity for organizations seeking to bolster their own security posture. However, a survey by 451 Research shows growing dissatisfaction with MSSPs: 80% of surveyed enterprises said they have switched or plan to switch from their current MSSP because of issues with scalability, alert management, and added complexity. This stems from an industry-wide pattern of MSSPs focusing on tactical alarm triage without investing the time and expertise needed to understand each organization’s security model and how it applies to that organization’s specific security objectives.
The desire to regain visibility and control over their security models has driven many security leaders toward a new discipline, Security Model Management, which represents a more proactive approach to keeping their enterprises safe.
Have you been leveraging an MSSP? Below are the top 8 questions you should ask your MSSP to determine if you are receiving the value you require – or whether you’re among the 80% that’s ready for a change:
1. How do you determine which data sources to collect from?
This question identifies the risk of applying general rule sets without accounting for the data sources those rules depend on. Are the data sources the MSSP collects chosen because they actually feed and trigger these rules, or simply because they are the least costly to collect and implement, or because they happen to align with other managed services (e.g., managed firewall, IDS)?
2. How do you determine which rules to apply in your environment?
This question identifies a common shortcoming: many MSSPs provide generic rulesets to capture known threats without taking into account the industry, geography, or other individual traits of an organization that may make it prone to less common classes of threats.
3. What data was reviewed to determine if an alert was a qualified threat?
This question speaks to the methodology the managed security service provider uses to recognize qualified threats.
Are their security analysts relying on a limited set of data sources to make this determination? What criteria do they use to decide that an alert captured a qualified threat? If they will not share their investigative practices, how will your team ever learn what a threat looks like in your own data, and how will your own team members mature?
4. What happened to the alerts that were not forwarded?
Many of the complaints about managed security service providers stem from their use of “black box” approaches, specifically the lack of transparency into alarm triage and investigations.
Most customers only interact with their MSSPs when alerts are forwarded or escalated, but what happens to the alerts that are not forwarded? What criteria are used to classify an alert as a false positive? Does a false positive drive any follow-up action (e.g., rule tuning)?
5. Can you provide me with a threat coverage map?
While many MSSPs talk about the extent of their analytics or the number of their correlation rules, how does this apply to your environment? How well are you able to cover threats as described in common frameworks such as MITRE ATT&CK?
If the MSSP cannot show which threats it can detect specifically with your data sources, aligned to your environment, how can you have confidence that you are protected?
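The point behind questions 1 and 5 is the same: a correlation rule only covers a technique if the data sources it depends on are actually being collected, so a coverage map has to be computed from rules, their required sources, and what is really ingested. The following is an added example written for this page; it is not ReliaQuest, GreyMatter or any MSSP’s tooling. The rule names, their data-source requirements and the “collected sources” set are constructed sample values; the ATT&CK technique IDs are real, but which rules map to them here is invented for illustration.

```python
"""Compute a threat coverage map from a rule set and the data sources
actually collected, and report which missing sources would unlock
which ATT&CK techniques. Added illustration with constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str                   # hypothetical rule name
    techniques: frozenset       # ATT&CK technique IDs the rule claims to cover
    required_sources: frozenset # log sources the rule's logic depends on


# Constructed sample rule set (hypothetical rules; technique IDs are real ATT&CK IDs)
RULES = [
    Rule("susp_powershell_encoded", frozenset({"T1059.001"}), frozenset({"process_creation"})),
    Rule("lsass_handle_access", frozenset({"T1003.001"}), frozenset({"process_access"})),
    Rule("new_scheduled_task", frozenset({"T1053.005"}), frozenset({"windows_security", "process_creation"})),
    Rule("dns_to_young_domain", frozenset({"T1071.004"}), frozenset({"dns"})),
    Rule("firewall_deny_burst", frozenset({"T1046"}), frozenset({"firewall"})),
]


def coverage_map(rules, collected_sources):
    """Return (status, unlockers).

    status:    technique ID -> "covered" if at least one rule for it has every
               required source collected, else "unsupported" (rule exists on
               paper but cannot fire on the data actually ingested).
    unlockers: missing source -> set of still-unsupported techniques that
               collecting it would help cover (answers "which sources next?").
    """
    collected = frozenset(collected_sources)
    status = {}
    unlockers = defaultdict(set)
    for rule in rules:
        missing = rule.required_sources - collected
        for tech in rule.techniques:
            if not missing:
                status[tech] = "covered"          # a working rule wins outright
            else:
                status.setdefault(tech, "unsupported")
                for src in missing:
                    unlockers[src].add(tech)
    covered = {t for t, s in status.items() if s == "covered"}
    # Drop techniques that some other rule already covers with collected data.
    unlockers = {src: techs - covered for src, techs in unlockers.items()}
    return status, {src: techs for src, techs in unlockers.items() if techs}


def coverage_ratio(status):
    """Fraction of claimed techniques that are actually detectable."""
    if not status:
        return 0.0
    return sum(1 for s in status.values() if s == "covered") / len(status)


def report(rules, collected_sources):
    """Human-readable coverage map, the artifact question 5 asks the MSSP for."""
    status, unlockers = coverage_map(rules, collected_sources)
    lines = [f"{tech}: {state}" for tech, state in sorted(status.items())]
    lines.append(f"effective coverage: {coverage_ratio(status):.0%} of claimed techniques")
    for src, techs in sorted(unlockers.items()):
        lines.append(f"collect '{src}' to unlock: {', '.join(sorted(techs))}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed scenario: the MSSP collects the cheap perimeter/DNS feeds
    # plus process creation, but not Security event log or process-access telemetry.
    print(report(RULES, {"firewall", "dns", "process_creation"}))
```

Running the script shows five claimed techniques but only 60% effective coverage, and names the two sources (process_access, windows_security) whose absence silently disables the remaining rules; that gap is exactly what a rule count or a coverage percentage quoted without the data-source view hides.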
6. What threat intelligence is applied to your threat recognition and investigations?
All MSSPs incorporate threat intelligence to some degree, often their own. Since different threat intelligence sources use different methods for their data collection, relying on a single source introduces blind spots to threat recognition.
Is your MSSP relying only on its own threat research, or leveraging a broader set of threat intelligence sources? How do these sources align to your industry or geography? Can you add your own sources? What visibility do you have into their sources and how they are used, so your own team can learn about threat indicators?
7. How can I verify your analytics content is operational?
Employing a managed security service provider should give you peace of mind that when a threat does emerge in your environment, it’s recognized quickly and mitigated thoroughly.
How can the MSSP demonstrate that it is well positioned to do just that? If penetration testing and red teaming are optional pay-for services, how will you know their analytics are truly designed and tuned to capture threat activity, or that their response processes are designed to take the right actions?
8. Can you conduct your own threat hunts?
Searching retroactively through log and activity data can surface recently discovered Indicators of Compromise (IOCs) that were previously active in your environment, or behaviors representative of emerging threats. However, threat hunting also requires retaining data over long periods, which many MSSPs are reluctant to do because of storage and management costs.
Does your managed security service provider include threat hunts, or are they an optional service? Are you constrained to their specific threat hunts, or are you able to query across your multiple data sources with your own investigations? These limitations reduce your visibility into potential threat activity missed by real-time analytics and inhibit your ability to develop your senior security analysts.
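The retention point above is easy to underestimate until you see it on data: a retroactive IOC hunt can only find activity that is still stored, so a short retention window both hides earlier hits and makes the “first seen” date look later than it really was. The example below is added for this page and is not ReliaQuest’s or any MSSP’s code. The log lines, hostnames and IOC values are constructed (the addresses and domains use reserved documentation ranges and a .test domain), and the key=value log format is an assumption chosen for the example.

```python
"""Retroactive IOC hunt over persisted logs, showing what a retention window
drops. Added illustration with constructed sample logs and IOCs."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample activity log: "<timestamp> <source> key=value ...".
LOGS = [
    "2024-03-01T10:15:02Z dns host=ws-17 query=updates.example-cdn.test answer=192.0.2.44",
    "2024-03-20T08:02:11Z proxy host=ws-03 dst=198.51.100.9 url=/api/beacon",
    "2024-04-02T14:41:55Z dns host=ws-17 query=login.corp.example answer=203.0.113.10",
    "2024-04-05T09:00:00Z proxy host=ws-21 dst=198.51.100.9 url=/api/beacon",
]

# Constructed IOCs, as if published in a report received on NOW.
IOCS = {"ip": {"198.51.100.9"}, "domain": {"updates.example-cdn.test"}}
NOW = datetime(2024, 4, 6, tzinfo=timezone.utc)

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a constructed log line into (utc timestamp, {field: value})."""
    ts_str, rest = line.split(" ", 1)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, dict(KV.findall(rest))


def hunt(logs, iocs, retention_days, now):
    """Return (hits, aged_out).

    hits:     IOC matches inside the retention window (what the hunt can see).
    aged_out: matches that exist in the full history but fall outside the
              window, i.e. what a provider keeping only retention_days would
              never be able to surface.
    """
    cutoff = now - timedelta(days=retention_days)
    all_iocs = set().union(*iocs.values())
    hits, aged_out = [], []
    for line in logs:
        ts, fields = parse_line(line)
        matched = {k: v for k, v in fields.items() if v in all_iocs}
        if not matched:
            continue
        record = {"time": ts, "host": fields.get("host"), "iocs": matched}
        (hits if ts >= cutoff else aged_out).append(record)
    return hits, aged_out


def first_seen(hits):
    """Earliest observable match, which bounds the dwell-time estimate."""
    return min((h["time"] for h in hits), default=None)


def hit_dates(hits):
    """ISO dates of the matches, sorted; handy for reporting and checking."""
    return sorted(h["time"].date().isoformat() for h in hits)


def summarize(logs, iocs, retention_days, now=NOW):
    hits, aged = hunt(logs, iocs, retention_days, now)
    fs = first_seen(hits)
    return (f"retention={retention_days}d hits={len(hits)} aged_out={len(aged)} "
            f"first_seen={fs.date().isoformat() if fs else 'none'}")


if __name__ == "__main__":
    for days in (7, 90):
        print(summarize(LOGS, IOCS, days))
```

With 7 days of retention the hunt sees a single hit on 2024-04-05 and would estimate dwell time at one day; with 90 days it finds all three matches and places first contact on 2024-03-01, more than a month earlier. Asking the MSSP how long your data is retained, and whether you can run this kind of query yourself across all your sources, is what decides which of those two answers you get.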
Rethinking the Approach
With many organizations concerned about the value they receive from MSSPs’ “black box” approaches that mask investigative techniques and their cookie-cutter methodologies that inhibit security program evolution, ReliaQuest has taken a different approach.
ReliaQuest’s platform, GreyMatter, optimizes your existing security investments to enable both consistency and evolution for the business. By unifying your disparate security tools, then aggregating and normalizing their data, ReliaQuest GreyMatter demonstrably increases enterprise visibility and automates fast, effective responses. A unique combination of technology, ongoing enablement, and analytics provides transparency and shared metrics that enable proactive management and improvement of your security model. ReliaQuest GreyMatter customers see an average 400% improvement in their threat detection capabilities in the first 90 days of production.