Managed Security Service Providers (MSSPs) need to ensure their portfolio of services remains current to stay competitive. Chief among the technologies that promise to open up new revenue streams are automated offerings such as Security Orchestration, Automation and Response (SOAR) and User and Entity Behaviour Analytics (UEBA). But research suggests that while MSSPs may have these technologies on their books, they are not always leveraging their full capabilities.
A survey of MSSPs in Europe and the US, published in our report ‘What MSSPs Really Want’, reveals that while some are using SOAR, they are only doing so for data consolidation, enrichment and normalisation, all of which happens behind the scenes and so is not customer-facing. The real benefit of SOAR is automated incident response, which MSSPs can monetise by offering it as a chargeable service. Yet they are not doing that. Why?
The answer lies in the fact that SOAR, as it is presently marketed to MSSPs, is simply too complex to engineer. SOAR is not an out-of-the-box offering for them because it needs to be adapted and tweaked for every customer. That requires planning, additional resources and conversations with each customer to explore their requirements, because every one has a different set-up. The right rules need to be configured and playbooks put in place. The MSSP then has to decide whether such a service is covered by the base fee or offered as a value-add.
It is a similarly complex problem with UEBA, which monitors user behaviour around systems access in real time and relies on tenant-specific parameters that define exceptions to the rule in order to suppress false positives. UEBA also analyses huge amounts of data, which pushes up costs that then have to be passed on to the customer.
MSSPs cannot solve all these issues on their own, so they forgo fully leveraging the technology, but in doing so they also deprive the market of automated threat hunting capabilities. This leads to stagnation, and the danger is that unless MSSPs can find a way to make SOAR and UEBA solutions work for them, the market will come to a standstill.
Solving such issues will require better MSSP-vendor partnerships so that the solutions can be developed for the MSSP market. For example, if the MSSP could enable its security analysts to work on event data from all of their clients simultaneously, over a single SOAR platform, this would reduce complexity and remove the need to work on an individual, siloed basis per customer. This not only ensures a cohesive approach to threat intelligence, with analysts able to share their collective expertise, but also allows a single set of unified rules and playbooks to be deployed across the MSSP’s entire customer base, with only the customer-specific parameters varying. Automation makes SOAR a repeatable process, while orchestration simplifies the far more challenging tasks of emerging-threat detection and threat hunting, where more complex logic is involved.
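To make the multi-tenant point concrete, the following is an added illustrative example (not Logpoint's code, nor that of any MSSP or SOAR product). It shows one playbook definition applied in a single pass to authentication events from two clients, with only a small per-tenant settings block varying between customers. The event fields, tenant names, thresholds, action names and the UEBA-style "known service account" exception are all assumptions constructed for the example.

```python
"""Tenant-aware SOAR playbook: one shared rule set, per-tenant parameters.

Added illustrative example, not Logpoint's or any MSSP's code. The event
format, tenant settings and action names are assumptions for this example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample: authentication events from two MSSP clients, as a SIEM
# might hand them to a shared SOAR platform. The field layout is an assumption.
EVENTS = [
    {"tenant": "acme",   "user": "alice",      "country": "GB", "failed": 0},
    {"tenant": "acme",   "user": "alice",      "country": "GB", "failed": 0},
    {"tenant": "acme",   "user": "alice",      "country": "RO", "failed": 0},
    {"tenant": "acme",   "user": "svc-backup", "country": "US", "failed": 0},
    {"tenant": "acme",   "user": "bob",        "country": "GB", "failed": 6},
    {"tenant": "globex", "user": "carol",      "country": "DE", "failed": 0},
    {"tenant": "globex", "user": "carol",      "country": "DE", "failed": 4},
    {"tenant": "globex", "user": "svc-backup", "country": "US", "failed": 0},
]

# Per-tenant knobs are the only part that changes between customers; the
# playbook logic below is shared across the whole customer base.
DEFAULTS = {
    "failed_login_threshold": 5,   # failures before the account is disabled
    "allow_new_country": False,    # whether a first-seen country is tolerated
    "exempt_users": set(),         # UEBA-style exceptions (known service accounts)
    "notify": "soc-shared",        # default escalation queue
}
TENANT_CONFIG = {
    "acme":   {"exempt_users": {"svc-backup"}, "notify": "acme-oncall"},
    "globex": {"failed_login_threshold": 3, "allow_new_country": True},
}


@dataclass
class Finding:
    tenant: str
    user: str
    rule: str
    actions: list = field(default_factory=list)


def settings(tenant):
    """Merge a tenant's overrides onto the shared defaults."""
    return {**DEFAULTS, **TENANT_CONFIG.get(tenant, {})}


def run_playbook(events):
    """Apply the one rule set to every tenant's events in a single pass."""
    failed = Counter()              # (tenant, user) -> accumulated failures
    countries = defaultdict(set)    # (tenant, user) -> countries seen so far
    findings = []
    for e in events:
        cfg = settings(e["tenant"])
        key = (e["tenant"], e["user"])
        if e["user"] in cfg["exempt_users"]:
            continue  # exception rule: exempt accounts never raise findings

        # Rule 1: failed-login burst over the tenant's own threshold.
        failed[key] += e["failed"]
        if failed[key] >= cfg["failed_login_threshold"]:
            f = Finding(e["tenant"], e["user"], "excessive_failed_logins")
            f.actions = ["disable_account", f"notify:{cfg['notify']}"]
            findings.append(f)
            failed[key] = 0  # one burst yields one finding, not a flood

        # Rule 2: login from a country never seen for this user (a minimal
        # UEBA baseline), unless the tenant has opted to allow it.
        seen = countries[key]
        if seen and e["country"] not in seen and not cfg["allow_new_country"]:
            f = Finding(e["tenant"], e["user"], "new_country_login")
            f.actions = ["require_mfa", f"notify:{cfg['notify']}"]
            findings.append(f)
        seen.add(e["country"])
    return findings


if __name__ == "__main__":
    for f in run_playbook(EVENTS):
        print(f"{f.tenant:7} {f.user:10} {f.rule:25} -> {', '.join(f.actions)}")
```

Run as-is it reports three findings: alice (acme) logging in from a country not in her baseline, bob (acme) exceeding acme's failure threshold of 5, and carol (globex) exceeding globex's lower threshold of 3. acme's svc-backup account is silenced by that tenant's exception list, while globex has not exempted its own svc-backup, so the same account is evaluated there. Adding a new customer is a new entry in TENANT_CONFIG, not a new playbook.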
Being able to manage these services and their customers over a centralised management platform is key. MSSPs want platforms that use open interfaces and standard protocols so that they can integrate with other vendors’ products. An example would be a Security Information and Event Management (SIEM) platform that operates as the backend of the SOC and supports additional services such as SOAR and UEBA on top of it. DevSecOps practices can help here by knitting these solutions together through their APIs to create a security ecosystem, but ideally vendors need to think more about how their solutions integrate and scale in the first place.
The MSSP customer base is notoriously price sensitive and will only take up a new service if it can see the additional value, so MSSPs need to give customers visibility of services such as automated incident response. Vendors can again help here by offering flexible licensing options and hands-on training. Teaching security analysts how to design playbooks and implement use cases for SOAR translates into faster response times and tighter SLAs, making the service more cost effective and demonstrating results.
MSSPs will prioritise those vendors that can converge new technologies such as SOAR and UEBA onto existing offerings such as SIEM, as this makes it easier to roll out and manage these services. Unless vendors heed these needs, there is a real danger that such technologies will languish in the MSSP’s repertoire and the market will stagnate. That matters because forgoing automation and orchestration limits the scope of emerging-threat detection and threat hunting, meaning the unusual can be missed. It leads to a blinkered approach and static, pattern-based services that cannot evolve, limiting the MSSP’s vision and its ability to push the envelope. For these reasons, vendors and MSSPs need to work more closely together to fully exploit the capabilities of these technologies.
By Nicholai Roguski, Senior Solution Architect MSSP, Logpoint