We all agree that in cyber security a threat can come at you from anywhere and at any time. Every time we come up with a strategy to detect or stop it, we find an almost endless list of ways for the attack to succeed anyway. With security vendors offering little integration and a separate product for each use case, it's hard to imagine a simple, elegant design for your security operations center. That's typically when a company turns to a Managed Security Service Provider (MSSP) to coordinate the people, processes and technology needed to find and stop these threats 24/7. In this article we walk through how these organizations miss threats, and how their common mistakes become a larger problem for their customers.
3) If an alert falls in a SOC and nobody's there to hear it, does it make a sound?
Let's get the big one out of the way first. Depending on your experience with 7-Eleven or 9-1-1, you may have a different view of what 24/7 actually means. Is it hours of operation? And if so, which operation: alerting, doors open, or response?
Many MSSPs will showcase a room of red-eyed analysts in front of large screens as their picture of continuous monitoring. But what exactly happens in the middle of the night, on weekends, or on Super Bowl Sunday? Many customers assume the vendor can "deal" with a security issue at any hour, but most MSSPs simply send emails or make phone calls to customers who do not run 24/7 themselves, which makes the coverage far less effective. A 24/7 alarm system that you can only hear if you happen to be awake doesn't make much sense.
Worse still, the automation in the MSSP's monitoring systems typically delivers alerts or emails to an analyst queue. What is the routine for picking up those alerts, and how much time passes between the event itself and an analyst actually seeing the relayed email?
As a result, many night shifts miss the opportunity to protect the customer, either because the customer isn't awake to act on the call or because no analyst is in front of the console at that moment.
"Hey, Mister Customer, you have ransomware, but I'm sure you'll notice tomorrow morning yourself. Just give me a call when you get this. - your MSSP"
2) Out-Tasking your own hardware to an MSSP
An MSSP will likely take over your existing firewall, anti-virus, SIEM and other tools in whatever state they are in. Most have no program to audit whether those tools can actually find and stop threats. As a result, the MSSP focuses on up-time and on billing you for changes you had to request in the first place, rather than on monitoring and assuring that threats are being stopped. This might be fine if you are a short-staffed large enterprise just looking for extra hands, but let's call it what it is: out-tasking. The overwhelming majority of MSSPs are contractually measured by the number of changes processed, the up-time of the systems, and mean time to respond (MTTR).
These metrics are worth putting in a contract, but measuring only the availability and change management of your own stack leaves the provider far too much room for variability and gives you no real accountability for detecting threats.
1) The tools MSSPs use don't stop threats, you have to.
Because your systems need to keep doing their job, they typically don't kill processes or quarantine themselves on the network. And because alerts carry inaccurate information and the MSSP has no ability to take action on endpoints, your MSSP can't do it either. This leaves a big gap between a threat setting off an alert and the customer's team responding to it, a gap we at ActZero affectionately call the "detection and response gap".
Many customers are willing to accept this gap because they believe the alternative is operational disruption they cannot afford. The truth is that the trust between MSSP and client isn't there to let the MSSP decide what is an attack and deal with it on its own. Let's not rush to judge, though: the tools at their disposal don't give them the chance to know for sure, or to act.
How Managed Detection and Response Helps
Thanks for reading. If you are interested in finding out how we're different and how we can detect and respond to threats Request a Demo today!