3 common problems with security services and what you should be getting

By Jay Barbour | Jan 28, 2020 | 7:30 am CST

Just two years ago, enterprises were spending more on security products than on security services–today it’s the reverse. According to Forrester research, in 2018 services overtook products in every spending bracket. But if you have a managed security services provider (MSSP), there’s a good chance you may not be getting the service you want and need. Several common pain points are illustrative of limitations with some MSSPs and are hampering the security value you should be getting from an MSSP. Here are the frequently encountered issues today and what the right partner can and should be doing to help strengthen your security posture.

Three common problems with MSSPs

Alert Factories

All too often, MSSPs behave more like an alert factory, forwarding streams of alerts generated by security tools directly to the client, without doing adequate triage and assessment of the underlying security issue at hand. Client alert overload remains the problem, because MSSPs aren’t adequately addressing the incident response process. What’s really needed is for the MSSP to take on more of the responsibility, addressing alert triage and incident resolution in order to free clients from this time-consuming process. This way, clients can get back to tending to their core business.

MSSPs who are good at incident resolution:

  • Have a solid understanding of the client’s key information assets and business processes, so they can focus on what matters most with the least amount of disruption during response
  • Have mature, yet flexible, incident response playbooks that can be customized to a client’s particular requirements, risks and business processes
  • Have certified, tenured security analysts who are highly engaged with clients because they enjoy what they are doing and have the best tools in the business to accomplish their mission

Security Improvement

The reality is that many mid-sized enterprises are struggling to get their security program maturity to the point where it can be effective at proactively managing cyber risks–instead of being in a continual reactive mode, only responding to the most obvious security issues of the day or week. Many of these enterprises are turning to MSSPs as a partner to provide expertise, process, and an outside perspective to help advance the maturity of their security programs. This requires MSSPs to make the right investments in helping the client on an ongoing basis. After all, new value-add opportunities open up as initial security concerns are addressed–the security mission is never complete.

MSSPs focused on security improvement should be able to:

  • Support periodic risk assessments to identify new risks and controls gaps, and help implement fixes with the client
  • Map current security practices against best practices, such as the NIST Cybersecurity Framework, and help clients build action plans for the short and longer term
  • Periodically review current MSSP-client processes and make continual improvements with the above in mind

Support Experience

The third pain point is related to the disappointing caliber of security analysts clients encounter when they need support. Anecdotally, I’ve heard multiple clients describing security analysts at big name MSSPs reading from scripts and decision trees, not really understanding what they are trying to achieve. People are considered 50% of the success equation, and the quality of the MSSP is fundamentally determined by the caliber and engagement level of the security analyst answering the client’s phone call. This is when critical decisions need to be made, and the stakes are too high for mistakes or inaction.

Critical factors for judging security talent include:

  • Tenure: On average Tier 1 analysts should have more than two years of experience. Tier 2 and 3 analysts should have 6+ years.
  • Certifications: Analysts should have security certifications–often multiple certificates–to ensure a baseline of knowledge that complements pragmatic on-the-job training.
  • Accessibility: The time to reach an analyst by phone should be short–less than one minute–and the escalation process to Tier 2 and 3 should be rapid.

Tactical, strategic, financial: What you should be getting out of your partner

There are a number of MSSPs out there, and the right one will help you at the strategic level by helping you understand your own security maturity and fix any security control gaps so you are actively managing cyber risk. A good MSSP has the right turn-key tools to provide the needed visibility, awareness, and controls to avoid any security “surprises” (saying it nicely) that nobody wants.

For network security monitoring, turn-key tools include:

  • Fundamentals such as SIEM log monitoring and vulnerability scanning
  • Network packet capture for network traffic analytics
  • Network visibility tools for capturing and analyzing flow data

All of this must be integrated with global threat intelligence capabilities to optimize effectiveness against the latest threats.

For cloud infrastructure and applications, MSSPs should offer clients:

  • Managed security services with cloud access security broker (CASB) technologies for SaaS
  • Cloud workload protection tools for IaaS

Complementing the above, endpoint detection and response capabilities protect the weakest link (usually endpoints and users), stopping threats before they can progress to inflicting real harm. Tying it all together should be the latest Security Orchestration, Automation and Response (SOAR) capabilities, which are fed by high-quality alerts enabled by machine learning and behavioral analytics.

At the tactical level, the right MSSP acts as a trusted security extension to your own team, offloading the large majority of the incident response effort. This is enabled by ticket integration options and flexible processes that fit with your own corporate standard operating procedures. And all this should be done quickly with an easy-to-deploy solution – nobody wants more work to do.

Finally, the right MSSP will optimize your limited budget, often at a cost less than a full-time employee. And most importantly, the right MSSP will leverage your existing security investments to optimize what you already have–not force you to buy or re-buy technologies that are already a part of your existing security stack.

Masergy offers solutions that combine technology, analytics, and threat response services all-in-one, so it’s easier to increase awareness and accelerate response while still taking the load off your IT staff. Contact us today to expand your security coverage without overburdening your resources.
