Cybersecurity Monitoring

Defining the Next-Gen MSSP with Robotic Decision Automation

by Dan Lamorena

A recent study by the Ponemon Institute showed that 58% of security leaders rated their MSSP ineffective. Respondents complained that their MSSP:

  • Failed to find security incidents
  • Generated too many false positives
  • Did not respond in a timely manner
  • Suffered from constant turnover, i.e., a revolving door of analysts and customer success managers that needed to be reeducated on their security program and business
  • Locked them into lengthy contracts or tools/infrastructure that made the switching costs too high

Given these failings, there is a new generation of MSSPs that are thinking about things differently. A next-gen MSSP is based on three key principles:

Reliant on software and technology rather than people

Expecting people to keep up with the deluge of security data and alerts is not tenable. Skilled staff are in short supply, and it makes no sense to hire an army of people to stare at screens.

Founder and CEO of CyberPeak Solutions, Travis Abrams, started the company on the basis of a strong belief in the power of automation and what it can accomplish in cybersecurity operations.

Stated Abrams, “We utilize automated solutions and the best available software products to weed out the noise and find what we need to know to better protect our clients. Our staff is talented, of course, but we rely on tools and technologies to help us parse the tremendous amount of log data that we monitor so that we can identify what’s most relevant.”

“The techniques for detecting attacks that the software relies upon are just like those employed by expert humans,” notes Managing Director of Cybersecurity Operations at Agio, Peter Schawacker. “The difference is that a human can remember five items, plus or minus two, at a time. When analysts rely on working memory supplemented with notetaking, threat intelligence feeds, and ever-improving tooling, their performance is limited by two things: how much individual analysts can see over the course of their shifts and how much of it they can remember. By contrast, the Respond Analyst’s intelligent automated decision engine has a virtually limitless recall capacity.”

Another benefit of cybersecurity monitoring with machines over people is the time to respond. Machines can analyze data at scale and speed. The Respond Analyst can triage incidents for a first responder to follow up on in seconds, and isn’t subject to shifts, meaning it works 24x7. The Agio team hopes to reduce the amount of time that elapses between the detection of the initial indicators of an attack and that incident’s full triage and postmortem analysis. Right now, it can take a few hours—still much faster than the industry average. But working with the Respond Analyst alongside a newly implemented SOAR solution, Schawacker plans to bring that down to minutes and, eventually, even seconds.

Customize offerings for customers

The exceptional technical proficiency of the CyberPeak team has long enabled them to offer services in a more efficient manner than many of their competitors. “We’ve always focused on structuring our service agreements so that we’re providing exactly the right level of support to meet the client’s needs,” says Abrams. This meant no packages or bundles where clients were paying for more labor hours or other services than they’d actually use.

In some cases, MSSPs will require their customers to deploy expensive infrastructure to implement services, or the MSSP will limit their offering to a single sensor. The initial setup can take months to put in place and relying on a single sensor risks missing an incident that originates elsewhere in the environment. The Respond Analyst deploys in days, and in some cases even hours, providing a quick time to value. It works seamlessly with multiple sensors and data that are already in place and does not require expensive infrastructure investment. Using the Respond Analyst expands coverage and reduces risk.

Enable organizations to make better use of the tools they have

Before they engaged with CyberPeak, many of the next-gen MSSP’s clients weren’t making optimal use of tools like security information and event management (SIEM) solutions, and in some cases weren’t deriving much value from them at all. “They’d say things like, ‘We haven’t even logged into our SIEM in four months…’”

The biggest problem is SIEMs aren’t being managed efficiently. Is anyone writing rules? Is anyone logging in? Has the SIEM been optimized to meet their requirements? Next-gen MSSPs optimize the environment and then use the Respond Analyst to look at the events. Malware, ransomware, and data exfiltration are now being found by CyberPeak because of it.

While most customers are focused on their endpoints, it is critical to monitor IDS/IPS sensors and web filters as well. These devices can provide critical context to endpoint events and often lead to the root cause of the attack being identified. CyberPeak focuses on integrating both the endpoint and the network to ensure full visibility.

The Respond Analyst includes Integrated Reasoning, the capability to look at multiple data sources including Network Intrusion Detection Systems (NIDS), Endpoint Protection Platforms (EPP), Endpoint Detection and Response (EDR), web filters, company context, and threat intelligence to identify real, actionable malicious behavior in the environment. Identifying these threats faster means reduced detection and attacker dwell times while eliminating the need to chase false positives.
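The page does not describe how the Respond Analyst’s Integrated Reasoning works internally, so the following is an added illustration of the general idea the two paragraphs above describe, not the product’s code: escalate a host only when independent sensors (NIDS, web filter, EDR) corroborate each other within a short time window, and weight the result by asset criticality supplied as company context. The sample events, the per-source weights, the criticality table and the function names are all constructed assumptions for the example.

```python
"""Multi-source corroboration over constructed sample events (illustrative, not a product's engine)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed evidence weight per telemetry source (hypothetical tuning, not a vendor's model).
SOURCE_WEIGHT = {"nids": 1.0, "webfilter": 0.5, "edr": 2.0}

# Assumed "company context": asset criticality multiplier; hosts not listed count as 1.0.
ASSET_CRITICALITY = {"srv-db1": 3.0}

# Constructed sample events: (source, ISO timestamp, host, signal). Not real telemetry.
SAMPLE_EVENTS = [
    ("nids", "2024-03-01T10:00:05", "ws-017", "outbound beacon to known C2 range"),
    ("webfilter", "2024-03-01T10:00:07", "ws-017", "blocked category: malware"),
    ("edr", "2024-03-01T10:00:12", "ws-017", "encoded PowerShell child of winword.exe"),
    ("nids", "2024-03-01T10:05:00", "ws-042", "possible port scan"),          # lone network alert
    ("edr", "2024-03-01T11:30:00", "ws-017", "suspicious child process"),      # outside the window
    ("webfilter", "2024-03-01T10:20:00", "srv-db1", "blocked category: malware"),
    ("edr", "2024-03-01T10:21:00", "srv-db1", "credential dumping tool"),
]


@dataclass
class Event:
    source: str
    ts: datetime
    host: str
    signal: str


def parse(raw):
    """Turn the raw tuples into Event objects with real datetimes."""
    return [Event(s, datetime.fromisoformat(t), h, sig) for s, t, h, sig in raw]


def correlate(raw_events, window_minutes=10, min_sources=2):
    """Group events per host into time-window clusters and escalate clusters
    backed by at least `min_sources` distinct sensors. Returns incidents
    sorted by descending score; single-source clusters are suppressed."""
    events = sorted(parse(raw_events), key=lambda e: e.ts)
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)

    incidents = []
    window = timedelta(minutes=window_minutes)
    for host, evs in by_host.items():
        i = 0
        while i < len(evs):
            # Greedy cluster: everything within `window` of the cluster's first event.
            cluster = [evs[i]]
            j = i + 1
            while j < len(evs) and evs[j].ts - cluster[0].ts <= window:
                cluster.append(evs[j])
                j += 1
            sources = {e.source for e in cluster}
            if len(sources) >= min_sources:
                raw_score = sum(SOURCE_WEIGHT.get(e.source, 1.0) for e in cluster)
                incidents.append({
                    "host": host,
                    "sources": sources,
                    "start": cluster[0].ts,
                    "end": cluster[-1].ts,
                    "signals": [e.signal for e in cluster],
                    "score": raw_score * ASSET_CRITICALITY.get(host, 1.0),
                })
            i = j
    return sorted(incidents, key=lambda inc: inc["score"], reverse=True)


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(f"{inc['host']}: score={inc['score']} sources={sorted(inc['sources'])}")
        for sig in inc["signals"]:
            print(f"    - {sig}")
```

Run as written, the lone port-scan alert on ws-042 and the late EDR event on ws-017 are suppressed because nothing corroborates them, while srv-db1 outranks ws-017 despite having fewer events because the criticality context multiplies its score. Lowering `min_sources` to 1 turns the suppressed clusters back into tickets, which is the “chase every false positive” mode the paragraph warns against.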

What does this mean for customers?

Going with a next-gen MSSP means cybersecurity monitoring that’s truly comprehensive and reduces real risks

For the customers CyberPeak manages with the Respond Analyst, the team is able to monitor the full volume of logs and events that clients’ systems generate. It’s not so much that human Tier 1 analysts have been replaced as that the company now has near-infinite Tier 1 capacity. “When someone asks us how many Tier 1 analysts we have, I can say that I have as many as you need,” says Abrams.

The numbers speak for themselves. “Looking at just one client’s environment, in the last five to six hours, the web gateway has sent over 104,000 events to the Respond Analyst,” says Abrams. “There is simply no way we could have looked at all that manually. I feel much more confident that we are now doing what we need to do for our clients and providing them with the security expertise they need.”

“The Respond Analyst is the kind of cutting-edge technology that will allow us to leapfrog over the competition,” says Schawacker. “We’ve been in production for several weeks, and we’ve already achieved things we couldn’t do with a SIEM. From the time the Respond Analyst was first implemented in a proof-of-concept pilot program until now, it has already detected about a half dozen attackers and the presence of malware,” explains Schawacker.

Greater client satisfaction across the board

CyberPeak’s team has new confidence in their ability to provide value to clients, and the feedback they’re receiving is overwhelmingly positive. “One managed service client that we onboarded late last year told us that we have opened up more tickets and fixed more issues in three months than their previous security people were able to handle in a year,” says Abrams. “We’ve also heard that we do more testing and are better able to optimize a client’s environment than the previous MSSP ever could,” he adds.

As studies have shown, the current path of most Security Operations Centers, whether managed completely in-house or fully outsourced, is ineffective and not sustainable. Organizations that are serious about SecOps must consider the benefits that technology has to offer to help keep pace with the constantly changing and complex security threat landscape. The partnership of CyberPeak and Respond Software is a strong example of how next-gen MSSPs, leveraging the best of both human capital and technology, will operate now and in the future. This partnership is reducing risk by enabling customers to procure the solution that is the best fit for their organization while increasing the benefits of past investments.