Managed Security Services Providers (MSSPs) work with their clients to keep an eye out for potential security issues. Why is it important to work with an MSSP? And why should you consider an MSSP instead of building your own Security Operations Centre (SOC)? Check out the following top 10 reasons you should consider partnering with an MSSP.
There is a common belief that working with an MSSP is expensive and only for the ‘big guys’. Many smaller organisations will not consider an MSSP, especially one onshore with 24x7 monitoring, as they think it will be out of their budget. But since MSSPs look after many clients, they’re able to spread the cost of resources across a number of clients. In addition, most MSSPs have either worked with their technology providers to gain favourable pricing based on volume licensing, or have built a solution based on Open Source technologies, thus lowering the price.
Ultimately, if you are considering an MSSP but the fear of what it will cost is preventing you from having further discussions, you should reach out to one to ask questions. You’ll probably find it will be less expensive than you think. There is never any harm in asking.
Most MSSPs structure their SOC into three distinct teams. Level 1 monitors around the clock and conducts initial triage. Level 2 handles escalations where Level 1 needs help, and Level 3 conducts advanced escalations, Incident Response and Threat Hunting. As a bare minimum, running a 24x7x365 SOC operation needs five Level 1 analysts, one Level 2 and one Level 3, let alone the nice-to-haves of a SOC Manager and Threat Intelligence.
With an MSSP, there is a team of at least seven experts monitoring your network. You get the experience and knowledge of a whole team who are all highly trained and have gained extensive experience in their careers.
An MSSP does not work with just one client. They work with many across a variety of industries. This benefits all customers, as the MSSP sees attacks against a wide range of clients and uses the details to protect everyone. For instance, if a financial institution is attacked, the details of the attack are added to the MSSP's Threat Intelligence database and the Tactics, Techniques and Procedures (TTPs) are monitored for everyone, whether the client is in retail, software development, mining, not-for-profit or another vertical.
As we all know, cyber criminals do not work Monday to Friday business hours. In fact, many Threat Actors will target companies out of hours, as they know nobody is there and it is possible that systems are not being monitored. As such, it is imperative your systems are being monitored around the clock. Most MSSPs (and if you’re looking for an MSSP, you should ask this) provide 24x7x365 eyes onscreen and, more importantly, take action on identified threats. If needed, your MSSP can escalate to your internal team out of hours.
Security technology is changing at an astounding rate. It feels like every time we look, there is another acronym (we are looking at you, XDR) or another promising technology coming to market. Even Security Information and Event Management (SIEM) solutions change, improve and sometimes even go backwards.
Your MSSP will have worked through the best solutions (again, worth asking if you’re looking) for their customers, saving you the need to research the underlying technology. What's more, when technology changes and matures, your MSSP should change with the times and replace technology that has lost its place as a leader. As the end customer, if you have bought a piece of technology, you may not be as invested in changing, or don't want to sink the time, effort and cost you have invested, which potentially puts you at risk.
It is all well and good to find the issues and tell you about them, but you want a team that can take immediate action when it identifies a confirmed security event. Your team is probably not up and working at 2am on a Tuesday morning and able to take immediate action.
CrowdStrike research shows that a targeted Threat Actor out of Russia can gain unauthorised access, move laterally, escalate privileges and exfiltrate data in less than 19 minutes (https://www.crowdstrike.com/blog/first-ever-adversary-ranking-in-2019-global-threat-report-highlights-the-importance-of-speed/).
Since your MSSP is (or should be) monitoring 24x7x365, they can (or should be) taking preventative action, aligned with agreed procedures. This reduces the need for your team to get up at all hours of the night, and protects you around the clock.
If you work with an MSSP that has Offensive and Advisory teams, you also gain their knowledge, further strengthening your defences. This combination of a ‘red team’ and ‘blue team’ means you’re getting both the defender and attacker mentality to ensure you have the best defences possible. You may have a security team internally, but they are typically experts only in their own area.
Imagine seeing the alerts and Threat Intelligence for 50+ companies. This treasure trove is exactly what an MSSP has. Where an internal SOC only sees the details on its own networks, the MSSP has all of the TTPs it has seen and builds custom detections based on what it observes across all of its customers. This shared knowledge increases the likelihood of identifying a breach early (and hopefully preventing it).
In addition, the Australian Cyber Security Centre (ACSC) and Joint Cyber Security Centre (JCSC) publish notifications and detection rules to selected organisations across Australia. These are typically only shared with MSSPs and large organisations. So, if you do not fall into one of these categories, you are not going to get early detections. But an MSSP will receive these detections and build these into the SIEM for all clients.
Most cyber insurers now require you to complete a questionnaire to get a quote for a premium. These focus on the controls you have deployed within your network. We are seeing more and more instances where the insurance company asks if you have 24x7x365 monitoring through an MSSP. Where the answer is yes, you will often see a reduction in the premium, as the insurer prefers that you have proactive controls.
As MSSPs work with many customers, they can see what works and what doesn’t in various environments and configurations. They can leverage this knowledge to assist their entire client base in lifting their Cyber Security maturity around processes, environmental configuration and controls.
By employing an MSSP instead of trying to build your own SOC, you gain access to some of the most qualified and experienced people in digital security, who will likely be monitoring your networks at all hours. You also get the latest technology, attacker and defender mentalities that boost your overall defence, threat intelligence you wouldn't normally have access to, lower premiums with many insurance companies, and people who can leverage their experience to provide a system that works for your business. And it's likely cheaper than you think.