Managed Security Service Provider (MSSP)
A Managed Security Service Provider or MSSP collects and monitors an organization’s security log data, detects threats, and provides actionable alerts to minimize the risk of a security compromise. MSSPs can provide access to a cloud-based SIEM or co-manage a client-owned SIEM. MSSPs usually staff a 24/7 team of security analysts responsible for investigating threats and advising their clients’ IT teams. An MSSP can provide other complementary services, including incident response, managed firewall services, and vulnerability management.
A SOC-as-a-Service provider offers similar capabilities to an MSSP with a focus on the functions that would normally be handled by an in-house Security Operations Center or SOC. SOC-as-a-Service providers deliver the combination of people, process, and technology required to detect and respond to threats. SOC-as-a-Service providers address the cybersecurity skills gap faced by many enterprises and the challenges of operating a 24/7 security operation.
Managed Detection and Response (MDR) Service Provider
A Managed Detection and Response (MDR) service provider uses advanced technology to detect threats. For example, an MDR service provider often uses threat intelligence, AI-based threat models, the MITRE ATT&CK framework, and threat discovery use cases to identify indicators of attack at the perimeter, on endpoints, and in the cloud. MDR service providers assign security experts to investigate and triage security events and suspicious behavior. Automated response is also a key component of an MDR's service offering. High-severity threats trigger response actions such as blocking traffic from an attacker or containing an endpoint.
Difference between MSSP and MDR
MDR service providers are more proactive than traditional MSSPs. They use more advanced techniques to detect threats and do not overly rely on perimeter security. MDR service providers offer managed detection and response services and often manage next-generation endpoint software.
Security Orchestration, Automation and Response (SOAR)
SOAR is an acronym for Security Orchestration, Automation and Response. SOAR refers to programmatic responses taken where there is a risk of exploit or compromise. For example, a threat intelligence database identifies internet traffic coming from a likely command and control server. The payload is analyzed and found to contain an exploit targeting a host that is unpatched for the vulnerability the exploit uses. In this situation, simply raising a high-priority alert is insufficient. An automated response that blocks the IP address on the firewall buys time for the IT team to examine and remediate the threat by patching the host and/or tuning the intrusion detection device.
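As an added illustration (not code from the original page), the following Python sketch shows the decision logic of the SOAR scenario above: a source-IP match against threat intelligence combined with an exploit payload aimed at a host that is unpatched for that vulnerability escalates to an automatic firewall block plus an alert, while a partial match only raises an alert. The threat-intel feed, host inventory, CVE identifier, and firewall call are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample data (not real indicators): a threat-intel set of likely
# C2 addresses (TEST-NET-3 range) and a host inventory of unpatched CVE ids.
C2_INTEL = {"203.0.113.7"}
HOST_VULNS = {
    "web-01": {"CVE-0000-0001"},   # placeholder CVE id, host is unpatched
    "db-01": set(),                # fully patched
}

@dataclass
class Event:
    src_ip: str
    dst_host: str
    exploit_cve: Optional[str]     # CVE matched by payload analysis, if any

@dataclass
class Decision:
    severity: str
    actions: List[str] = field(default_factory=list)

def block_ip(ip: str) -> str:
    """Hypothetical stand-in for a firewall API call; returns the rule pushed."""
    return f"firewall: deny src {ip}"

def triage(event: Event) -> Decision:
    """Decide the response for one event as described in the SOAR paragraph:
    intel hit + exploit for an unpatched target => auto-block and alert;
    only one of the two signals => alert for analyst review; else low."""
    intel_hit = event.src_ip in C2_INTEL
    vulnerable = event.exploit_cve in HOST_VULNS.get(event.dst_host, set())
    if intel_hit and vulnerable:
        decision = Decision("high")
        decision.actions.append(block_ip(event.src_ip))
        decision.actions.append(
            f"alert: patch {event.dst_host} for {event.exploit_cve}")
        return decision
    if intel_hit or event.exploit_cve:
        return Decision("medium", ["alert: analyst review"])
    return Decision("low")
```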
Risk-Based Vulnerability Management
Regular scanning for vulnerabilities has long been a pillar of cybersecurity programs. Sometimes the number of vulnerabilities requiring patching can be overwhelming and the patching process can be significantly delayed. Risk-Based Vulnerability Management addresses this issue by prioritizing the vulnerabilities that are real and exploitable, ensuring that patching reduces real business risk.
Managed Splunk Security
Splunk Enterprise is frequently used by IT teams to collect and search security log data. Splunk Enterprise Security extends this capability with SIEM analytics, threat detection, and incident response features. Splunk software tools are powerful and complex. Many organizations elect to partner with a managed security service provider that combines Splunk expertise with threat detection content and 24/7 security monitoring services.
SOC 2 Type 2
SOC 2 Type 2 addresses internal controls defined by the American Institute of Certified Public Accountants (AICPA) for Service Organizations. SOC 2 Type 2 requires companies to establish and follow strict information security policies and procedures, encompassing the security, availability, and confidentiality of client data. Companies are audited annually to assess their compliance with SOC 2 Type 2.