
The Cybersecurity Acronym Overload

What is the difference between an MSSP and an MDR service provider (and everything in between)?

As any industry evolves, it is common for new categories of products and services to proliferate. In the case of cybersecurity services, many of the new services have been introduced to respond to the evolving threat landscape or to support new technologies – but in some respects, it’s also become a way for vendors to differentiate themselves.

So, it is not surprising that questions like, “what is the difference between an MSSP and an MDR service provider,” and “what is a SOC-as-a-Service provider” are some of the top managed security services Google searches.

As a co-founder of Proficio I have a unique perspective on how this proliferation of labels came about and what the future holds.

People, Process and Technology

These three pillars are the building blocks of security operations. People, process, and technology are the threads that run through MSSP, MSS, SOC-as-a-Service (SOCaaS), MDR, and XDR services. However, many organizations are constrained by a limited budget in achieving desirable cybersecurity outcomes, which is why the managed security services industry exists.

Let’s quickly put some context around each:

People:

The difficulty of hiring and retaining cybersecurity experts is one of the primary motivations behind outsourcing security operations to service providers. People challenges are due in part to the cyber skills gap and in part a function of scale. Large organizations are better able to staff a 24/7 SOC (which requires a minimum team of 10 to 12 people) and train their teams on technologies like AI, next-generation endpoint software, and cloud infrastructures. Medium-sized organizations (and smaller) are often not big enough to dedicate headcount to specialist roles like SIEM Administrator, Content Developer, Incident Responder, or Data Scientist.

Process:

Process is the glue that ensures consistent and effective action. Process encompasses the definition of roles and responsibilities, workflow, policies and procedures, and more. The time and effort needed to harden and document processes is frequently underestimated. Look back in time at some of the largest security breaches and you will find process issues in many cases. The 2013 data breach of the retail giant Target is a prime example. While multiple issues contributed to this breach, the fact that Target’s SOC did not respond to FireEye alerts resulted in the breach going undetected. How an indicator of compromise is investigated and remediated is fundamentally a process issue.

Technology:

Technology is the third building block supporting security operations. Building and managing a technology stack for cybersecurity is challenging and doubly difficult for organizations with limited resources. The complexity of Security Information and Event Management (SIEM) software is often sufficient reason for businesses to turn to managed service providers. SIEM systems collect event logs from an organization’s network, endpoints, cloud infrastructure and security tools. Log data is analyzed and alerts are generated for further investigation and remediation. However, the quality of security alerts is only as good as the data ingested by the system, alongside the rules and use cases used to filter and prioritize the alerts. While there are tips for maximizing the value of your SIEM, time erodes the efficacy of a SIEM: products and log formats change, new threats make old rules irrelevant, and the experts that originally set up the SIEM often move on to greener pastures.

What is a Managed Security Services Provider (MSSP)?

The role of an MSSP starts with log management, as collecting and retaining logs is a requirement for compliance mandates like PCI and HIPAA. Before centralized log management, the event data collected from each security device was siloed. As a result, if a firewall engineer saw an alert for a port scan and a Windows administrator saw failed login attempts followed by a successful login, they might not realize that the same host was involved in both events. Minimally, an MSSP is responsible for alerting their clients to threats and suspicious events with the goal of reducing the risk of a security breach. MSSPs offer a wide range of capabilities including vulnerability management, incident response, and pen testing.

According to Wikipedia, “the roots of MSSPs are in the Internet Service Providers (ISPs) in the mid to late 1990s. Initially, ISP(s) would sell customers a firewall appliance, as customer premises equipment (CPE), and for an additional fee would manage the customer-owned firewall.” Today, MSSPs continue to manage security products such as firewalls, IDS/IPS, and WAFs on behalf of their clients. The management of security devices typically includes making configuration changes, patching, tuning, and health and performance monitoring. Managed Security Services (MSS) has been used to connote both device management and the security monitoring functions offered by MSSPs.

The terms fully managed and co-managed describe the service models used by MSSPs. Fully managed applies where security technologies, like SIEM software, are owned and operated by the MSSP and used for the benefit of their clients who are users of security information. A co-managed approach provides the client more control, for example a SIEM owned by the client where the MSSP and the client share administrative responsibilities.

What is SOC-as-a-Service?

The term SOC-as-a-Service was created “to describe how clients benefit from 24/7 monitoring and the same advanced threat detection technology that is used in sophisticated SOCs serving large enterprises and governments.” In 2010, Software-as-a-Service (SaaS) was already a significant industry with adoption being driven by the advantages of an on-demand, subscription model with no dependency on the existing IT infrastructure.

SOC-as-a-Service or SOCaaS is a logical extension of SaaS where SIEM software is delivered as a service and, instead of staffing up an in-house SOC, multiple clients share the capabilities of a 24/7 SOC responsible for threat detection, alerting, and response.

The goal for many SOC-as-a-Service providers, like Proficio, is to provide businesses the same quality of service that a large enterprise receives in-house, at an affordable price. This requires a true partnership with clients and the flexibility to act as an extension of their IT security team.

So how does SOC-as-a-Service differ from the offerings of an MSSP and what sort of business should use it? SOC-as-a-Service focuses on fully managed cloud-based services which are ideal for small to medium-sized organizations. Vendors providing SOC-as-a-Service are less likely to work with client-owned SIEMs and manage security devices, but this is not an absolute rule.

While SOCaaS providers offer many of the same capabilities as MSSPs, they are less likely to manage security devices and may not support as broad a set of log sources.

What is the difference between an MSSP and an MDR service provider?

MDR service providers offer more advanced threat detection and response capabilities than MSSPs. Key capabilities to expect from MDRs include:

When Gartner issued their first Market Guide for Managed Detection and Response Services, they categorized MSSPs as being more focused on monitoring perimeter security and lacking threat detection capabilities for the cloud and endpoints. Gartner also posited that MSSPs are more focused on meeting compliance requirements than MDRs. Fewer MDRs manage security devices – a service offered by many MSSPs.

MDRs must continue to adapt to new challenges to meet the demands of a Next-Generation MDR Service Provider.

What is an XDR Service?

XDR is a newer evolution of MDR that includes threat detection and response capabilities. The X stands for eXtended capabilities that go beyond EDR. XDR integrates multiple security control points (endpoint, network, cloud, email, authentication) to automate threat detection and response. The concept of XDR has been promoted by leading industry analysts (notably Gartner) and is starting to be adopted, and perhaps hyped, by vendors.

You might ask, how is XDR different from SOAR? Both approaches apply use cases to log data to trigger automation and orchestrations. However, XDR will have broader integration among security controls using native APIs. For example, where an event might result in SOAR triggering containment of an endpoint and even orchestrating a remediation workflow, XDR could also automate responses from other layers of security such as blacklisting the source of malware at the perimeter.

One challenge for prospective users of XDR is they risk being locked into a single vendor solution. Most enterprises have multiple existing security vendors and unless they are already budgeted for a broad refresh, adopting this approach may be a protracted and expensive process.

Proficio and others are addressing the shortfall of XDR with Open XDR. Like XDR, Open XDR integrates multiple layers of security while also supporting more than one vendor for each control point to provide customers with more flexibility and security.

What Does it All Mean?

When you think to yourself, “what is the difference between an MSSP and an MDR service provider?”, it’s obvious there is no clear-cut answer. There continues to be some fluidity around the labels used to describe the providers of managed security services or security tools. Buyers of these services need to assess if the core capabilities of a prospective partner complement their existing capabilities and align with their goals.


Here are 5 areas to explore:

  1. Compliance

If your organization must adhere to one or more compliance mandates, validate that the service achieves that goal. Can your MSSP or MDR retain logs for the required period? Does your MSSP or MDR support industry-specific requirements such as file integrity monitoring in the case of PCI? These are important criteria to discuss before selecting a partner.

  2. Threat Discovery

Effective threat detection is a precondition to protecting your organization from damaging cyberattacks. Understand how the provider uses threat intelligence, security analytics, and automation for cost-effective threat discovery and what expert human resources are applied to event investigations and threat hunting. Determine what is important for you and realistic within your budget.

  3. Response Automation

The ability to rapidly contain a threat is a good reason to select a specific MDR service provider. Some MDR providers support third-party SOAR products and others offer automated response using native capabilities in their threat management platform. But don’t assume anything – you should always validate that the MDR provider supports your preferred endpoint and firewall vendors. Before implementing, it is also important to check that you have organizational buy-in to automating changes to endpoints or network configurations.

  4. Technology Stack

Whichever label your vendor uses to describe their services, they will come to you with a predefined technology stack. This will affect how well your existing and planned technologies integrate with your provider. For example, your provider may support one or several SIEM vendors or they may have developed their own threat management platform. Ask if your vendor requires you to install a hardware sensor or add endpoint agents; these requirements can create network clutter and negatively impact performance and connectivity. Not all vendors are able to parse data from critical points of telemetry in your environment or support automation and orchestration for your existing security products.

  5. Control

Ask yourself how much control you need over the infrastructure and data involved in security operations. Do you want to use your own SIEM or do you prefer a platform hosted by your managed security service provider? Will this change in the future? Do you need to own the log data that has been collected? How important is it to have the ability to do granular searching and run reports with the provider’s system? Conventional wisdom is that organizations are willing to devolve control to reduce cost and complexity, but this should be a conscious decision.

Final Thoughts

Choosing a cybersecurity partner is a major decision. Proficio has been acting as an extension of our clients’ teams to help them achieve their cybersecurity goals for over 10 years. If you’re currently using, or considering using, an MDR Service Provider, download our MDR Checklist to ensure you’re getting an effective service. Tune into our video podcast series called Cyber Chats to hear industry experts discuss cybersecurity issues and best practices. If there’s anything more we can do to help, please let us know.


Not All Partnerships are Equal

As Henry Ford once said, “Coming together is the beginning. Keeping together is progress. Working together is success.” While many people have an understanding of how partnerships work in their day-to-day lives, defining a true partnership in a business relationship can be more challenging. In the field of cybersecurity, finding a “true partner” means you share the risk and both strive to improve your security posture.

A True Partner

A true partnership works best when both groups share the risk, agree on the end goals, have open lines of communication and build their relationship on mutual trust and respect. Companies that embrace such partnering behaviors believe in creating mutually beneficial relationships that bring value to both parties.

Partnerships come in many shapes and sizes. There can be partnerships between vendors, where they provide complementary products or services that are further enhanced by working together. There can also be strategic relationships developed between provider and client, where they view the relationship as more than just a business transaction.

Your partners should also be building strong relationships within the technology sector. Knowing that they not only use best-in-class technologies but that they have good working relationships with those vendors means that you can maximize your technology investments. A good partner should not only be able to help you to optimize the technologies you already have in place, but also make recommendations for policy and infrastructure to ensure you reduce your risk and meet any compliance requirements.

Finding Your Partner

When you are on a team, you have certain expectations of your teammates and hope you can rely on them in critical situations. However, a lot of organizations do not have the in-house resources to staff an effective cybersecurity operation. Understanding the economics and potential cost savings of using a managed service provider is an important part of any decision to outsource security operations.

In cybersecurity, you should look for partners who act as an extension of your team. They do not just care about selling you their latest tool or services – they sincerely care about the security and safety of your company. They should have a programmatic view on cybersecurity and take your concerns seriously. Equally important is the culture of the organization with whom you choose to partner. Do they share similar values, and can you trust that they will view your security as important as you do?

Throughout the relationship, a partner should have the skills and resources to respond to security incidents and help guide your overall cybersecurity journey. And while relationships in cybersecurity may not last forever, the need for true cybersecurity partners will never change. The current environment of COVID-19 only reminds us how businesses can be disrupted when they least expect it. And with the shortage of skilled cybersecurity professionals, choosing your partners has never been more critical.

Narrowing The Search

Once you decide what you’re looking for, how do you find someone who checks all the boxes? Many may sell you on ideals but it’s crucial they also follow through with what they sell. When looking for the right partner for your cybersecurity needs, you should ask critical questions to make sure you’re making an educated choice.

Things to look for include:

  • How do their SLAs compare to other vendors?
  • Do they provide transparency and trackable metrics?
  • Do you receive insight into your cyber risk and recommendations for improvement?
  • Will they create custom content?
  • What is their long-term focus?
  • Are they industry recognized?
  • How available is their team?
  • Do you have similar preferred methods of communication?
  • Can you visualize the value they would bring to your team?

Selecting a partner who shares the risk will give you confidence that you are building a more secure organization. As your partner helps you mature your cybersecurity program, you should see a measurable change throughout the partnership and be able to track metrics over time.

Once you’ve found the right partner, you will be enabled for success not only tomorrow but for the long-term future.

So – what do your current partnerships look like?

When is it Time to Break Up with your #CyberSecurity Services Provider?

A cybersecurity services provider should be a trusted business partner and act as a true extension of an enterprise’s in-house security team. However, sometimes organizations are left feeling dissatisfied with the relationship they’ve forged with the services provider they’ve selected. There are several reasons the relationship may not be working out, and therefore it may be time to look for a new partner to better support the organization’s cybersecurity efforts.

When is it time to move on?

There are several tell-tale signs that a business relationship is not working out with a selected services provider, including:

  • There’s a lack of communication. A direct line of communication with your cybersecurity services provider is key. Knowing that you can pick up the phone and get in touch with a security operations center (SOC) analyst or security engineer, regardless of time of day, is critical and should reassure you that the organization’s environment is being protected 24/7. Having a services provider that has world-class, around-the-clock security monitoring and alerting, incident response and remediation capabilities is crucial. Communication goes both ways, and a provider who is a true partner should be reaching out on a regular basis to make sure that their services are meeting your needs. They should be providing you with important high-level alerts in a fast and efficient manner, keeping you up-to-date with the happenings of your network, and discussing any potential areas of risk that you should be aware of.
  • They don’t see your business as unique. While some enterprises have similar needs, it does not mean the same security solutions will help them all. Your services provider needs to design custom cybersecurity solutions for your business that fall within your budget, timeline, and – most importantly – address your unique needs (not the needs of most). With tailored cybersecurity solutions, your organization will be able to keep data secure and compliance mandates met. The correct provider will understand what’s needed to maintain your cybersecurity posture and keep hackers off your networks. If you’re working with a services provider that doesn’t offer this, it may be time to part ways.
  • They can’t provide full visibility and search capabilities into your logs. Even if you’re outsourcing security operations, the IT security team should still have full visibility into logs and the company’s security information and event management (SIEM) software. This way, they will have access to all alerts and investigations in order to manage them and run detailed reporting. If your services provider doesn’t give you the ability to view and search logs, run reports, and drill down into each alert, that may be an issue. Without visibility, your team can’t properly do their job to keep the organization protected.
  • The alerts and recommendations they provide lack insight. Some services providers don’t leverage the knowledge they’ve gained from having clients in a variety of industries. A skilled services provider uses this information to build out unique use cases and correlation rules that a company’s in-house security team (with their siloed single-industry viewpoint) would not be able to do on their own. Fine-tuning the SIEM to identify threats unknown to the organization is something a qualified services provider needs to bring to the table. Without use cases and correlation rules rooted in industry knowledge, IT security teams are flooded with a sea of irrelevant alerts. Organizations also need to understand that no matter how many enhancements you add onto a SIEM, the tool will always need qualified people to verify incidents and respond to them while continually performing active monitoring. That said, an MSSP should verify high-level alerts (also called notables) to provide recommendations and next steps on how to remediate network threats.
  • They are focused on their needs, not yours. Many service providers view their customers as opportunities to grow their bottom lines by upselling one of their inflexible service offerings. They’re so focused on their own financial needs for cost control and ROI that they forget about the needs of their customers. A true partner should only suggest ancillary services that can improve your company’s cybersecurity posture and lessen any network risks that you may have, not suggest services that have little to no value. By providing your organization with core monitoring functions, as well as staff to manage them, a quality services provider focuses on your needs to keep costs down and free up your own employees to work on other projects. If your MSSP’s tools can successfully discern between notables and false threats, this can reduce the amount of time spent chasing down imaginary offenses – saving your team time and lessening the strain on your budget.
  • They’re not an extension of your team. Your services provider should act as an extension of your team and should increase your security team’s effectiveness and abilities in monitoring, detecting, and responding to potential cyber threats. Security service providers should work to identify the unique needs of each organization to continually improve its cybersecurity posture. Alerts should be relevant and actionable, and recommendations and reports should provide helpful insight into where the organization needs to improve its approach. If your selected partner lacks a team player mentality, it’s time to move on.
  • They don’t share their motives with you. Without transparency, one half of the vendor/client relationship is left in the dark. A reliable MSSP will provide you with information on what they’re doing (what they see as threats and what recommendations they make to address them), as well as what they are doing with your information. By being transparent, trust can build between you and your services provider, strengthening your relationship.

If your cybersecurity services provider isn’t meeting the requirements outlined above, it’s time to consider parting ways. At the end of the day, you need a partner who maintains an open line of communication, who does everything they can to keep your organization secure, and who provides the insight and visibility your team needs to do their jobs effectively and efficiently.

SIEM for the Rest of Us

SIEM systems were first created for large enterprises and government agencies that were frequent targets of advanced cyber attacks. Back then, smaller and lower-profile organizations were able to get by with basic security tools as they were seldom the target of hackers. The world has changed and today cyber attacks have become so widespread and complex that small and medium-sized organizations need the same next-generation SIEM tools as large enterprises.

Next-generation SIEM technology uses advanced correlation techniques encompassing applications, transactions, pattern and behavior discovery, statistical and moving average anomalies, business process management, risk management, and global threat intelligence feeds.

Many organizations are caught between a rock and a hard place. They need industrial strength security, but do not have the people or the budget to run a security operations center (SOC) and administer a SIEM system. SIEM systems are typically complex to administer and require teams of people for monitoring events, experts for authoring use case content, and a lot of care and feeding.

We recommend resource-strapped organizations look at cloud-based offerings from new companies providing a SOC-as-a-Service. This new breed of Managed Security Service Providers (MSSPs) uses a cloud-based shared services model. There is no upfront investment in hardware and software and no requirement to hire a team of security and SIEM experts – instead customers pay subscription fees for a turnkey service.

Next-generation MSSPs also leverage advancements in SIEM technology to enable operational effectiveness and customize security use cases to address the requirements of each customer. Plus they have real-world end user experience and can discern which events require action and which need to be watched for further suspicious behavior, thereby avoiding flooding their customers with false positive alerts.

What should you look for in a Next-Generation MSSP?

  • Support for a wide diversity of log collection sources across many device types, vendors, applications, and users
  • Support for non-log intelligence data and the ability to actually correlate it with event information
  • Support for user monitoring, identity and actor profiling or behavior analysis
  • Asset and business process modeling
  • Advanced methods of correlation from multiple devices and vectors
  • Advanced use cases applicable to your business
  • Active Lists for correlation with items like former employees, contractors, trusted partners, or suspicious addresses
  • Escalation of threats to higher level alert priorities as suspicious activity persists
  • Prioritization of threats based on Asset Criticality, Model Confidence, Relevance, and Event Severity
  • Automated remediation response to specific Very High Level Alerts
  • Compliance content packages and simple reports for compliance including HIPAA, PCI, SOX, FFIEC, etc.
  • Threat Intelligence and Reputation Active List correlation with globally known abusive attackers, command and control servers, and malicious IP addresses
  • Correlation of vulnerability scan data and specific vendor IDS threat definitions to determine if an exploit is targeting an existing vulnerability, indicating a high probability of success
  • Easy-to-Use Web Portals with graphical dashboards
  • Case management and Workflow
  • 24×7 Expert support
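The correlation, escalation and prioritization items in the list above are easier to picture with a toy run. The block below is an added example, not Proficio's code or any SIEM product's logic: it replays the scenario from the MSSP section (a firewall port-scan alert and a run of Windows failed logins followed by a success, siloed per tool) over constructed log lines, joins them by host, and scores the result by event severity, relevance (an active-list hit) and asset criticality. The log format, field names, weights and threshold are all assumptions.

```python
"""Toy SIEM-style correlation over constructed log lines (added example,
not a vendor's code). Siloed firewall and Windows events are joined by
host, escalated as suspicious activity persists, and prioritized using
event severity, relevance and asset criticality; all weights are assumed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample logs; addresses are from documentation ranges, not IoCs.
FIREWALL_LOGS = [
    "2024-03-01T08:01:02 fw01 alert portscan src=203.0.113.7 dst=10.0.0.5 ports=22,80,443,3389",
    "2024-03-01T08:05:00 fw01 allow src=198.51.100.9 dst=10.0.0.9 port=443",
]
WINDOWS_LOGS = [
    "2024-03-01T08:02:10 EventID=4625 host=10.0.0.5 user=administrator src=203.0.113.7",
    "2024-03-01T08:02:12 EventID=4625 host=10.0.0.5 user=administrator src=203.0.113.7",
    "2024-03-01T08:02:14 EventID=4625 host=10.0.0.5 user=administrator src=203.0.113.7",
    "2024-03-01T08:02:20 EventID=4624 host=10.0.0.5 user=administrator src=203.0.113.7",
    "2024-03-01T08:03:00 EventID=4625 host=10.0.0.9 user=bob src=10.0.0.44",
]
# Asset model (assumed): criticality 1-5 per host; unknown hosts default to 1.
ASSET_CRITICALITY = {"10.0.0.5": 5, "10.0.0.9": 2}
# Active list of addresses already flagged as suspicious (constructed).
SUSPICIOUS_ADDRESSES = {"203.0.113.7"}

FW_RE = re.compile(r"alert portscan src=(\S+) dst=(\S+)")
WIN_RE = re.compile(r"EventID=(\d+) host=(\S+) user=(\S+) src=(\S+)")


@dataclass
class HostActivity:
    """What the two siloed sources have reported about one host."""
    port_scans: int = 0
    failed_logins: int = 0
    success_after_failures: bool = False
    sources: set = field(default_factory=set)


def correlate(firewall_logs, windows_logs):
    """Join firewall and Windows events on the destination host."""
    activity = defaultdict(HostActivity)
    for line in firewall_logs:
        m = FW_RE.search(line)
        if m:
            src, dst = m.groups()
            activity[dst].port_scans += 1
            activity[dst].sources.add(src)
    for line in windows_logs:  # assumed to be in chronological order
        m = WIN_RE.search(line)
        if not m:
            continue
        event_id, host, _user, src = m.groups()
        a = activity[host]
        a.sources.add(src)
        if event_id == "4625":  # failed logon
            a.failed_logins += 1
        elif event_id == "4624" and a.failed_logins >= 3:  # success after a burst
            a.success_after_failures = True
    return activity


def priority(host, a):
    """0-10 score from event severity, relevance and asset criticality."""
    severity = 0
    if a.port_scans:
        severity += 2
    if a.failed_logins >= 3:
        severity += 2
    if a.success_after_failures:
        severity += 4  # escalation: persistence of the pattern raises the priority
    if a.sources & SUSPICIOUS_ADDRESSES:
        severity += 1  # relevance: source is already on the suspicious active list
    crit = ASSET_CRITICALITY.get(host, 1)
    return min(10.0, round(severity * (0.5 + crit / 10), 1))


def notables(firewall_logs, windows_logs, threshold=6.0):
    """Hosts whose correlated priority reaches the notable threshold."""
    result = {}
    for host, a in correlate(firewall_logs, windows_logs).items():
        p = priority(host, a)
        if p >= threshold:
            result[host] = p
    return result


if __name__ == "__main__":
    for host, p in notables(FIREWALL_LOGS, WINDOWS_LOGS).items():
        print(f"NOTABLE host={host} priority={p}")
```

Neither source alone raises a notable here: the scan is one alert and the single failed logon on the second host scores zero, while the joined view of the first host crosses the threshold.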

Directory Of Managed Security Service Providers (MSSPs) To Watch In 2019

The global shortage of cybersecurity professionals is expected to reach 3.5 million unfilled positions by 2021, up from 1 million in 2014. MSSPs are responding to the labor crunch by providing organizations of all types and sizes with a growing portfolio of services to choose from…

The MSSPs we follow, and you should too…

The List