Everything is symbiotic in technology, especially these days: outsourcing operations like Security Operations Center functions is only possible because of the number of Managed Security Services available, which in turn is only possible because of technology like cloud services, which in turn is only possible because of virtualization technology. While one can argue that Moore's Law is dead, the concept behind it is very much alive and has played a significant role in the maturation of Managed Security Services.
What hasn't changed, and will not in the foreseeable future (unless there are excessive jumps in Artificial Intelligence development), is the need to understand what you want, or in this context, what you as a cybersecurity professional want. Vendors that suggest or outright proclaim, "you can send us your data, and we'll tell you what you should be focused on," are indulging in hyperbole. Now, to be clear, they can tell you what to focus on, but not necessarily what you should be focused on, at least not without a lot of intervention on your part.
Let's use the example of managed SOC services, one of the most popular Managed Security Services on the market today. There is minimal argument for those things that have a more direct one-to-one relationship, such as impossible logins. While there are technical explanations as to how someone could log into a service from your corporate network and then one minute later do so from Africa, realistically there is a very high probability that this isn't a legitimate business activity.
However, what about events that have a lot more ambiguity in your environment, say the use of PowerShell scripting? Can a Managed Security Services vendor tell you someone is using PowerShell? Sure, assuming they are ingesting all the appropriate log files, but do they inherently know that your server admins use it regularly for their administrative tasks? Does your MSSP (Managed Security Services Provider) know that non-IT staff may be permitted to use PowerShell based on validated business needs? This example assumes that your MSSP looks for this behavior and that you care about this sort of information. Of course, there is an onboarding process for migrating to an MSSP, but this is just one of many examples where understanding your business needs and translating them into security services isn't a foregone conclusion.
One of the significant challenges of security services is reducing the amount of both false positives and white noise. These problems exist when services are hosted on-premises and, in some cases, can be an even more significant challenge when hosted by a third party. As mentioned previously, AI has a role to play along these lines but hasn't yet reached the point where accuracy is at an acceptable level, nor is the cost of implementing these services justifiable for many organizations. With this being said, there is no replacement for understanding the context of why we do what we do as cybersecurity professionals in our respective enterprises.
For example, in organizations that have seasonal employees, we see not only people come and go, but also log data that reflects this. When seasonal staff are onboarded, we often see an increase in login failures or other behavior caused by their relatively new understanding of their technical environment. If our companies are leveraging MSSPs, it is incumbent upon us to either proactively communicate or retroactively explain why we're seeing what we're seeing. In fairness to MSSPs, chances are good that, even if they wanted to, they couldn't consume the data in a way that made sense to explain this sort of behavior and automatically account for it when determining risky activities.
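The PowerShell and seasonal-staff cases above come down to the same thing: the same events triage differently depending on context only the customer holds. The following is an added illustration, not code from the original post or any MSSP product; the event records, the authorized-user list, the start dates and the thresholds are all constructed for the example.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample events, shaped like what an MSSP might ingest (not real logs).
EVENTS = [
    {"user": "adm_jsmith",    "event": "powershell_exec", "day": date(2023, 11, 6)},
    {"user": "finance_kwong", "event": "powershell_exec", "day": date(2023, 11, 6)},
    {"user": "intern_rlee",   "event": "powershell_exec", "day": date(2023, 11, 6)},
    {"user": "adm_jsmith",    "event": "login_failure",   "day": date(2023, 11, 6)},
] + [{"user": "seasonal_amia", "event": "login_failure", "day": date(2023, 11, 6)}] * 4

# Business context only the customer can supply (structure assumed for this example).
CONTEXT = {
    # server admins plus non-IT staff with a validated business need
    "powershell_authorized": {"adm_jsmith", "finance_kwong"},
    # start dates of seasonal hires; extra failures are expected while they learn the environment
    "start_dates": {"seasonal_amia": date(2023, 11, 1)},
    "onboarding_grace_days": 14,
    "login_failure_threshold": 3,
}

def triage(events, context=None):
    """Return {(user, event): verdict}. With no context, every PowerShell
    execution and every user at or over the failure threshold becomes an alert."""
    context = context or {}
    authorized = context.get("powershell_authorized", set())
    start_dates = context.get("start_dates", {})
    grace = timedelta(days=context.get("onboarding_grace_days", 0))
    threshold = context.get("login_failure_threshold", 3)
    # login failures per user per day
    failures = Counter((e["user"], e["day"]) for e in events if e["event"] == "login_failure")
    verdicts = {}
    for e in events:
        key = (e["user"], e["event"])
        if e["event"] == "powershell_exec":
            verdicts[key] = "expected" if e["user"] in authorized else "alert"
        elif e["event"] == "login_failure":
            limit = threshold
            started = start_dates.get(e["user"])
            # Raise, rather than remove, the bar for staff still inside their onboarding window.
            if started is not None and started <= e["day"] <= started + grace:
                limit = threshold * 2
            verdicts[key] = "alert" if failures[(e["user"], e["day"])] >= limit else "noise"
    return verdicts
```

Run `triage(EVENTS)` and `triage(EVENTS, CONTEXT)` side by side: the admin's PowerShell use and the seasonal hire's four login failures are alerts in the first and expected or noise in the second, while the intern's PowerShell execution remains an alert either way.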
Another way of looking at the role of the MSSP is as that of technology in the enterprise. Many seasoned IT and cybersecurity professionals know that often the biggest challenge of implementing new applications, like a CRM or ERP, isn't the technology component but understanding the business processes and workflows of the enterprise. Why are approvals set up the way they are in companies? Do these workflows still make sense? How should they be implemented with new technology? These questions, which we typically ask ourselves as we implement new solutions, are not and should not be different for MSSPs. If the primary goal of an MSSP is to provide services needed by an organization because the organization can't do it
a) with the resources available or
b) as efficiently, then why shouldn't these questions still be relevant to a Managed Security Services Provider?
Ultimately, if the reason, or one of the most compelling reasons, to procure an MSS is a lack of resources or funds, one could argue that truly understanding the business' needs is imperative in reducing costs. While the logic behind an MSSP is that you receive similar benefits without the cost of hiring full-time employees, these managed security services can still be quite expensive, so it only makes sense to be specific in articulating what the desired outcome is when contracting with an MSSP. Most of them will deliver on just about anything you ask, within the scope of their advertised services, as long as they have access to the data and they know what you are looking for, which in turn requires the same of you and your organization.