XDR for Managed Security Service Providers – Now’s the Time to Add XDR to the Cybersecurity Arsenal
According to Edward Amoroso, TAG Cyber, MSPs agree that there is increasing pressure to support the day-to-day cybersecurity needs of their customers. If this new challenge is just absorbed into existing service agreements, then it can produce serious hits to both productivity and profitability. But if improved security can be used as the basis for new business opportunities, then true win-win outcomes can be achieved for both the MSP and its business customers.
So, are you an MSP in transition? Already an established MSSP? Read on.
In the past few years, many enterprises have deployed tools and strategies for endpoint detection and response (EDR). But today’s security teams are now also discovering that they need tools and strategies for network detection and response in their networks, cloud services, and managed services. So how can you create a strategy to automate cybersecurity investigations and provide monitoring detection and response across a wide variety of technologies and services?
Extended Detection and Response - XDR.
Sound familiar? Well, in the past few years, many enterprises have deployed tools and strategies for endpoint detection and response (EDR). But today’s security teams are now also discovering that they need tools and strategies that go beyond vendor, perimeter or even cloud service. XDR is the lynchpin for service providers to conduct detection and response across a wide variety of technologies and services.
True XDR solutions are an integrated set of cybersecurity products that unifies control points, security data, analytics, and operations into a single enterprise solution. XDR implies supporting multiple types of security telemetry, which could include endpoint, network, and cloud sensors. XDR promises better technology integration between data sources and security operations to accelerate detection and response, all while reducing the integration and security engineering headaches that plague SecOps teams today.
Most MSSPs who do security monitoring for their customers have to support a wide variety of their customers' chosen technologies. That means they need to support a broad list of vendors and telemetry sources. Most use brand-name SIEMs and also rely on their own engineering to do data parsing and build custom integrations, management tools, and basic automation. This often means time, dollars and headcount to maintain their systems and to launch services for new customers.
Here are some key elements that MSSPs should think about when considering an XDR.
- Vendor agnostic. The problem for most MSSPs looking to simplify their security operations with an XDR is that most XDRs require organizations to purchase the security controls/sensors (network, endpoint, cloud, mail, etc.) from that single vendor, often requiring a rip-and-replace of the existing technologies. Most MSSPs can't ask that of their customers, particularly if those customers have a preference for other tools in the space. A vendor-agnostic XDR enables security organizations to choose best-of-breed technologies while still gaining improved detection and response. This gives the MSSP greater flexibility in helping customers achieve their end goals.
- Machine-based correlation and detection capabilities. Machines can comb through large data sets and see patterns faster and more accurately than humans. It would be nearly impossible for humans to correlate across EDR alerts, network events, account services, vulnerability scan data, etc., to "triangulate" among sensors and more accurately distinguish true signal from the noise of false positives. If machines can more accurately and consistently find real and actionable incidents, analysts spend less time on tier-one monitoring, i.e., staring at screens, and more time focusing on their customers and on incident response, which should result in happier analysts and improved job satisfaction. Machine-based detection could also mean 24x7 coverage without added staffing. Overall, for an MSSP business, this may mean hiring fewer tier-1 staff and adding clients without having to add headcount.
- Pre-built data models. MSSPs do not want to have to write custom rules/content/code in their SIEM and SOAR platforms for each new customer. It would be a huge advantage to have these complex models work out of the box. This would mean reduced security engineering time and costs or, even better, freeing engineers to work on more value-added projects.
- Integration with different SIEMs, SOARs and case management tools. Many MSSPs have customized their SOC platforms and case management tools. Their XDR should play nicely with those investments. Key features would be built-in integrations, including automated case creation, scoping new and additional events into a case over time, and feedback from the SOAR back to the XDR for model improvement.
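As an added illustration of the cross-sensor "triangulation" and vendor-agnostic points above (this is not the Respond Analyst engine's code; the event fields, the one-hour window, the two-sensor threshold and the sample events are all constructed assumptions), here is a small correlator that normalises records from several sensor types and only escalates a host when independent sensors corroborate each other within a time window:

```python
"""Vendor-agnostic cross-sensor correlation (illustrative, constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumption: how close corroborating events must be
ESCALATE_AT = 2               # assumption: distinct sensor types needed to escalate

# One normaliser per vendor/telemetry type maps a raw record to
# (host, sensor_type, timestamp). Supporting a new vendor means adding a
# function here, not rewriting the detection logic below.
def from_edr(rec):  return rec["hostname"], "endpoint", rec["ts"]
def from_ids(rec):  return rec["dst_host"], "network", rec["ts"]
def from_vuln(rec): return rec["asset"], "vulnerability", rec["ts"]
def from_idp(rec):  return rec["device"], "identity", rec["ts"]

NORMALISERS = {"edr": from_edr, "ids": from_ids, "vuln": from_vuln, "idp": from_idp}

def correlate(raw_events):
    """Group normalised events per host and look for a WINDOW-sized span
    containing ESCALATE_AT or more distinct sensor types. A lone alert from
    one sensor never becomes an incident, which is the false-positive cut."""
    by_host = defaultdict(list)
    for source, rec in raw_events:
        host, sensor, ts = NORMALISERS[source](rec)
        by_host[host].append((ts, sensor))
    incidents = {}
    for host, evts in by_host.items():
        evts.sort()
        for i, (t0, _) in enumerate(evts):
            sensors = {s for t, s in evts[i:] if t - t0 <= WINDOW}
            if len(sensors) >= ESCALATE_AT:
                incidents[host] = sorted(sensors)
                break
    return incidents

# Constructed sample telemetry: ws-17 is seen by three sensors within an hour;
# ws-42 has a single EDR alert plus an identity event hours later.
T = datetime(2023, 1, 1, 9, 0)
SAMPLE = [
    ("edr",  {"hostname": "ws-17", "ts": T, "rule": "suspicious-script"}),
    ("ids",  {"dst_host": "ws-17", "ts": T + timedelta(minutes=12), "sig": "known-bad-destination"}),
    ("vuln", {"asset": "ws-17", "ts": T - timedelta(minutes=30), "finding": "unpatched-service"}),
    ("edr",  {"hostname": "ws-42", "ts": T, "rule": "suspicious-script"}),
    ("idp",  {"device": "ws-42", "ts": T + timedelta(hours=3), "event": "mfa-failure"}),
]

if __name__ == "__main__":
    print(correlate(SAMPLE))  # only ws-17 is escalated
```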
A technology-agnostic XDR gives security teams the best of both worlds: analytics that work across a broad range of security technologies and vendors, delivering the true outcome of finding incidents in real time without noisy false positives. For an MSSP trying to scale to numerous customers, that is a huge advantage in meeting customers' security objectives at a more manageable cost structure.
Let's talk about XDR.
Register today and join us, along with representatives from leading MSP and systems integrator, IIS, for a discussion on how XDR will impact security operations.
Contact our team to learn more about adding the Respond Analyst XDR Engine to your portfolio.