Unless your goal with your Managed Security Service Provider to simply check your audit requirement box, you are likely not getting the dependable security monitoring you are looking for.
Reason #1 – One Size Doesn’t Fit All
The first reason is the general “one size fits all/most” model that MSSP's are forced to work in so they can make a profit. My introduction to the one size fits all/most model goes back to when I started in cybersecurity and worked for a large Tier-1 MSSP. We applied "recommended signature sets" to provide higher fidelity alerting as somewhat of a self-serving tale told by MSSPs to justify the event funnel where events are filtered out and never presented to an analyst for analysis. While this helps keep super noisy signatures from coming to the console (who would have the time to weed thru them to find the needle in that haystack?) it also creates a significant visibility gap. The event funnel also helped keep our SIEM from tipping over.
Filtering is something we as an industry have unfortunately come to accept as the solution to address the exponential problem of data growth and lack of skilled analysts. This is mainly due to technology and human limitations. This is where expert systems, AI and ML can be a big help.
Reason #2 – False Positive Headaches
How many times have you been woken up at 2:00 AM by your MSSP for an escalation that turned out to be a false positive? Consider how many hours you have spent chasing down an escalation that was nothing. When an escalation comes in from your MSSP do you jump right up knowing there is a very high probability this escalation is malicious and actionable, or do you finish your lunch believing it will likely be another waste of time? Chasing down false positives is not only a drain on time and resources, but they are also an emotional drain for the security Incident Responders. People want to do work that adds value; expending cycles and finding out it was a waste of time is disappointing. I have yet to come across any organization that is ok with the level of false escalations from their MSSP.
Reason #3 – Generic Analysis
The third reason your MSSP might not be providing the value you need is because the MSSP analysts are not focused solely on your business. With a typical MSSP, you get a general set of SIEM intrusion detection content (e.g. correlation rules, queries) that is built to address a very generalized set of use cases that can apply to most, if not all, customers. If you want custom detection content, your only option has generally been to pay for a managed SIEM dedicated to you. You may be sending logs from a set of data sources to your MSSP, but do they have the proper detection content to evaluate those logs? In my years of SOC consulting, I have had an insider view of some of the detection content being used MSSP's – my impression was that the content was generalized and basic. There was no cross-telemetry correlation to speak of, and very little content that could be considered advanced or line of business focused. Without this level of visibility, I question how dependable the analysis results will be.
Reason #4 – Tribal Knowledge
The challenge of knowing all the subtle nuances of your enterprise is something an MSSP will never achieve. Understanding account types and which assets are more critical than others is unique to each enterprise. And this information changes overtime. How is an outsider that may have dozens or even several hundred other customers supposed to know the nuances of your users, systems, or specific business practices, etc? There is a myriad of unwritten knowledge that is necessary to be able to effectively monitor and accurately decide which security events are worthy of escalating for response, and MSSPs often times do not have the company context to make good decisions for their customers.
If you are outsourcing your security monitoring or considering it to reduce cost or add capacity, take a look at Respond Analyst. You can manage your own Security Monitoring and Triage program with our pre-built expert decision system – no staffing required. Respond Analyst is like having your own team of Security Analysts working for you, 24x7 regardless of your company size or maturity.
For over the past 10 years Steven has built and matured security operations, and hunt teams for companies across the globe. Steven Wimmer has provided strategic and operational consulting to over 20 companies globally, including end to end SOC builds, hunt teams, and incident response. Prior to his role as Senior Technical Account Manager at Respond Software, Steven worked on developing hunt operations and cyber intelligence services at HP Enterprise. Steven is a seasoned cybersecurity veteran with a focus on developing and improving security operations in all verticals.View all posts by Steven Wimmer