The Rise of the MSSP
Over the last few years I have been a keen observer of an interesting and unfolding trend: Thanks to the high-profile cyber attacks that constantly fill the news, businesses have become increasingly aware of their security needs. Some businesses have the funds and organizational focus to pour into the building and operation of a full-scale security operations center (SOC), complete with expert analysts and tools – and others…don’t. But these businesses, despite their decision not to establish and internal SOC, know that their data (and money!) is at stake. In such cases, the answer is, increasingly, to turn to security outsourcing.
And as companies continue to place their SecOps in the hands of outside partners, the result has been the explosion of the new managed security service provider (MSSP) market.
Since 2011, hundreds of MSSP organizations have started to pop up all over the globe, to address the new demand for security outsourcing. Global consultancy and IT firms structured new security services divisions alongside agile entrepreneurs who established small scale MSSP shops, focused on specific regions and market segments. The result is today there are plenty of MSSPS and they all aggressively compete for many of the same customers and contracts.
There are two problems common to all MSSPs – the growing shortage of skilled staff and the very limited tool portfolio enabling them to run such a complicated, dynamic, regulated and mission-critical service.
The MSSP’s Crowded Production Floor
If you are part of the MSSP industry, this probably isn’t huge surprise to you, but to make sure that we are all on the same page, let’s describe the “production floor” of an average MSSP shop:
- Dozens of customers each with their own SLA commitments, often in different time zones and ranging across diverse industries.
- Numerous security tools per customer – ranging from detection to response: endpoint detection systems, SIEM, firewall, and so on.
- An alert storm often reaching tens of thousands of security alerts per day.
- Dozens of SOC operators working in shifts, often across several globally distributed SOCs.
- Complex regulatory requirements that are always growing and include specific reporting requirements, privacy rules and more.
- Expanding attack surface resulting in more assets to protect and an increased potential for advanced, long lasting and tailored attacks, which MSSPs need to address for their customers.
- A barrage of threat intelligence that constantly flows into the SOC.
Decreasing Margins, Increased Competition
MSSPs are expected to operate effectively and at scale, detect and respond to attacks in near real-time with zero tolerance for errors, across a diverse pool of customers. Within this reality they struggle to stay profitable, while the market becomes more and more crowded and competitive and profit margins are decreasing.
We cannot expect MSSPs to deliver stellar performance in such a nuanced and complex environment. However, as we see in many IT industry segments, an effective IT infrastructure designed to address these challenges can dramatically increase profit margins by reducing costs and increasing the operation’s effectiveness. Such IT systems will become the core underlying platform behind the new generation of managed SOCs.
Orchestration – Addressing the ROI Challenge
A system which is rapidly emerging as the new MSSP command and control, and addresses MSSP profitability and ROI challenges is the security automation and orchestration platform.
This system is responsible for:
- SOC Management – a single platform to run all aspects of the multi-tenant SOC
- Triage/prioritization – ranking tasks and alerts according to their business priority and SLA requirements
- Automating processes – including routine incident response playbooks, data enrichment, and communication
- Executing workflows – running predefined workflows and generating the required reports and alerts
- Centralizing management – by enabling the MSSP to manage multiple security tools and intelligence feeds within a single system
- Documentation and authentication – recording and authenticating activities and events according to regulatory requirements
- Internal communication – sharing information and updating the organizational business entities and executives
Rather than focusing on hiring more talent, cyber security leaders, and MSSPs in specific, should find ways to do more with less: increase the impact of their managed SOC, reduce the skill level required for incident responders, and most importantly, automate investigation and incident response (IR) workflows while managing them within a single, multi-tenant pane of glass for managing cyber security events more effectively.
Adi Dar is CEO of Cyberbit