by Brad Taylor, CEO, Proficio
Medium to large-sized organizations increasingly rely on managed security service providers (MSSPs) to deliver security monitoring, threat detection, and incident response functions. This trend is driven by the shortage of cybersecurity professionals, the complexity of the threat landscape, and the acceptance of managed and co-managed models by IT leadership.
Proficio is an award-winning MSSP serving customers from its global Security Operations Centers (SOCs) in San Diego, Singapore, and Barcelona. Proficio invented the concept and first coined the term "SOC-as-a-Service", whereby its customers benefit from the simplicity of a fully staffed SOC and a managed cloud or on-premise SIEM, with the flexibility and responsiveness of an in-house operation. Proficio's mission is to deliver a level of security defense equivalent in value to the in-house security operations of an F100 company, but at an affordable subscription fee.
Alert Accuracy, Relevance, and Context
At its core, an MSSP's job is to notify its customers of threats, attacks, and compromises. Dissatisfaction with the quality of an MSSP's alerts is a common reason for buyer's remorse. Complaints include too many or too few alerts, high false positive rates, and alerts that lack context and cogent recommendations. Ask your prospective MSSP the following:
- What percentage of alerts are investigated, validated, and triaged by a SOC Analyst before they are sent to the user? The answer should be over 50% and the MSSP should track how this percentage changes over
- What SIEM technology does the MSSP use to filter events and detect indicators of attack? If the MSSP developed the software themselves, is it realistic that they can sustain a team of developers to maintain a state-of-the-art SIEM tool?
- What content has the MSSP built to enhance the accuracy of their SIEM tool? Ask for details around use cases, correlation rules, and integrated threat
- Ask to view actual examples of alerts and ensure the full context of the event is described and understandable. Look for recommended next steps with each alert. Alert notifications should be relevant and actionable.
- Understand the SLAs associated with priority alerts. Do they start from when the event occurred or when a SOC Analyst was assigned the event? Are SLAs measured and reported on?
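As an added illustration of the first and last questions above (example code written for this page, not Proficio's own tooling), the snippet below computes the analyst-triage percentage and the priority-alert SLA compliance from constructed alert records, measuring the SLA clock both from the event time and from analyst assignment; the same alerts look fully compliant under the second clock while half of them miss the target under the first, because queue time before assignment is hidden.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Alert:
    alert_id: str
    priority: str
    event_time: datetime               # when the event occurred on the customer's systems
    assigned_time: Optional[datetime]  # when a SOC analyst picked it up (None = auto-forwarded)
    notified_time: datetime            # when the customer was notified
    analyst_validated: bool            # True if an analyst investigated it before notification

# Constructed sample alerts (hypothetical data, not taken from any real SOC).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_ALERTS = [
    Alert("A1", "P1", T0, T0 + timedelta(minutes=5),  T0 + timedelta(minutes=12),  True),
    Alert("A2", "P1", T0, T0 + timedelta(minutes=40), T0 + timedelta(minutes=48),  True),
    Alert("A3", "P1", T0, None,                       T0 + timedelta(minutes=2),   False),
    Alert("A4", "P2", T0, T0 + timedelta(minutes=90), T0 + timedelta(minutes=100), True),
    Alert("A5", "P1", T0, T0 + timedelta(minutes=20), T0 + timedelta(minutes=35),  True),
]
SLA_TARGET = timedelta(minutes=30)  # assumed P1 notification target

def triage_rate(alerts):
    """Share of alerts an analyst investigated and validated before the customer saw them."""
    if not alerts:
        return 0.0
    return sum(a.analyst_validated for a in alerts) / len(alerts)

def sla_compliance(alerts, priority, target, clock_start):
    """Share of `priority` alerts notified within `target`.
    clock_start="event" starts the clock at the event time;
    clock_start="assignment" starts it when an analyst was assigned (event time if never assigned)."""
    scoped = [a for a in alerts if a.priority == priority]
    if not scoped:
        return 0.0
    met = 0
    for a in scoped:
        if clock_start == "event":
            start = a.event_time
        elif clock_start == "assignment":
            start = a.assigned_time or a.event_time
        else:
            raise ValueError(f"unknown clock_start: {clock_start}")
        if a.notified_time - start <= target:
            met += 1
    return met / len(scoped)
```

Asking the MSSP which clock its reported SLA figures use, and whether unassigned or auto-forwarded alerts are included, is what turns the reported percentage into a comparable number.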
Insight into Your Security Posture
The best MSSPs do more than identify, notify, and report on threatening events. To be effective, IT leaders need to understand their risk profile, identify where gaps exist in their existing security controls, and understand the priorities for improving their defenses. While security assessments help organizations understand their security posture, many IT leaders prefer to continuously understand their strengths and weaknesses and to be able to articulate their risk profile to management. Ask your prospective MSSP the following:
- Does your MSSP provide you with executive level information on the strength of your security defenses?
- Are you able to understand how risks apply to different parts of your network, your endpoints, and the cloud?
- Is it easy to understand how gaps in your security controls map to different stages of the Cyber Kill Chain?
- Does your MSSP provide you with a risk score and compare it to your industry peers?
Managed Detection and Response (MDR)
Leading MSSPs have transitioned their services from security monitoring to managed detection and response. Organizations need to automate the response to suspicious attacks and contain the threat before data is exfiltrated or malware propagates through the network. Ask your prospective MSSP the following:
- Does your MSSP provide you with automated and semi-automated endpoint detection and response services?
- Does your MSSP automate blocking of suspicious inbound and outbound traffic at the perimeter?
- Can your MSSP work with a range of industry-leading security tools to orchestrate containment actions?
- Can your MSSP provide customized MDR services based on your unique use cases and correlation rules?
About the Author
Brad Taylor is the CEO and CTO of Proficio. Brad has 30 years of experience in enterprise security, networking, and enterprise software. Brad is the co-founder of Proficio and leads the company's security architects and strategic planning. He is a frequent speaker at industry events and an expert commentator on all aspects of the security industry. Prior to Proficio, Brad led marketing, business development, acquisitions, operations, and venture capital functions. He has built and managed multiple sales teams as a VP of Sales and assisted in two highly successful IPOs with RSA Security (RSAS, now EMC) and ArcSight (ARST). In addition, he has helped many early-stage companies become successful, including eIQnetworks, SOA Software, and AirTight Networks. Brad can be reached online at www.proficio.com.