To MSSP or not to MSSP…. Is that a question?
Organisations, large and small, can’t ignore cyber security these days. The news is full of the latest breaches. Gone are the days when a few breached records or the occasional petty fraud hit the headlines. Even the loss of details of EVERYONE in Bulgaria didn’t get much attention and (allegedly) Russia testing their cyber armoury against the Ukraine didn’t chill the spine like it should have. We all had a secret snigger at the poor chaps caught with their trousers down in the Ashley Madison breach and felt sanctimonious schadenfreude over the information leaked in the Panama Papers.
The uncomfortable truth is, however, that even the most unlikely organisations are the targets of some or other group of cyber malcreants. 3rd party suppliers of larger organisations are seen as an easy touch, and Nation-states are busily working out how to destabilise the West by sabotaging infrastructure, disrupting finance and undermining democracy. And, of course, we in the West are busily preparing to do the same to them……..
All is not lost, however. A pretty big percentage of breaches take advantage of relatively simple misconfigurations, poor cyber practices and a lack of user awareness of cyber threats. Most of these things can be addressed by implementing good basic cyber hygiene (sort of like cleaning your teeth in the morning but in a cyber way). User-awareness training, good patching regimes, effective user account management, vulnerability management, endpoint protection solutions, good network architecture etc will fix many of the easy routes in.
But where to go next? A lot of organisations are now managing Cyber Security as a BAU activity in the same way any critical business process is managed. And the team that oversees all this is Security Operations.
Spoiler alert: a long time ago, the Director of Service Delivery at a financial services organisation for whom I worked, told me:
‘No-one can care more about my stuff than my own people’
This has stuck with me and stood me in good stead. The truth is, if you really care about something, a team of internal people are hard to beat.
There are, however, occasions when organisations can’t or won’t build internal security operations. The alternative to this is to contract with a Managed Security Service Provider (MSSP) for some or all security services. There are advantages and disadvantages of going down this route.
Outsourcing Pros
There are potential cost savings to be had from using an MSSP. Building a SOC is expensive, but an MSSP takes on the pain of recruiting and retaining staff. You should, then, get access to fully trained and qualified staff, 24/7, who are experienced in handling a variety of security incidents and are practiced at working under pressure. A well constructed service should be more cost effective than building a team from scratch, but if you already have some capability in-house, make sure to look carefully at the total MSSP costs and the fully loaded costs for running an internal team, bearing in mind that the MSSP must be making a profit somewhere…..
The MSSP analysts may fully fill your SOC roles, or you may choose to augment particular functions of your SOC (Detect and Respond services, for example), while keeping others (Threat Hunting, perhaps) within your own organisation.
A good MSSP service will keep you up-to-date on emerging threats via solid Threat Intelligence and industry information sharing. The MSSP will create and maintain comprehensive run-books, will work to tight SLAs and will provide good reporting on all aspects of the service.
Outsourcing Cons
One of the biggest disadvantages of using an MSSP is that the provider will never be as familiar with your organisation’s business as your own people will be. The MSSP will be delivering services to a large customer-base and will lack intimate knowledge of your environment. It is unlikely, also, that the MSSP will provide dedicated resources to support your organisation unless you are prepared to pay a premium.
An MSSP is focused primarily on maximising profits (uncomfortable, but true), which is achieved by delivering repeatable, standard services of limited depth or sophistication. MSSP systems are optimised for scale, not specialisation.
On a technical level, there are challenges about data — will you log-ship to the MSSP’s systems? Is your data held separately from other customers (multi-tenancy solutions are not all equally good)? Can your data residency requirements be met? Will you be hit with a ‘data ingestion tax’ if you send all relevant security data to the MSSP? What is the minimum data you need to provide to an MSSP for their use-cases to work? Can the MSSP get network captures or access key systems during an investigation? What access should you give the MSSP to your infrastructure and systems? Whose governance model (ITIL etc) will the MSSP follow? And, in my experience very importantly, whose IT Service Management (ITSM) toolset will the MSSP use? If not yours, how will you integrate security incidents into the broader Incident Management framework of your organisation? And on that last point, my experience is that, while it is simple to make MSSP and customer ITSM tools talk to each other, unless the provider and customer policies and processes are very, very well aligned, this is a minefield.
So what should you look for in an MSSP, if you have chosen to go down that route?
It is important, primarily, to contract with an MSSP that can deliver the services you need, rather than convinces you that you need the services the MSSP sells. This is a persistent issue in the Cyber Security industry at the moment and results in money wasted on services that don’t address the most important risks in an organisation.
When, however, you have found an MSSP whose services align with your needs, look for organisational fit and the ability to deliver a good service above ‘technical superiority’. Check how long the MSSP has been in business, make sure they are financially stable (it’s easy to do, but often overlooked), make sure that both you and the MSSP properly understand ownership of security — hint: you own it… — and there is a good cultural fit, with a commitment to build a business partnership. The MSSP should make money because they focus on helping you to make money, not the other way round! Also make sure there is an acceptable exit strategy if things don’t go to plan.
Look into how the MSSP hires and retains staff. What sort of background checks do they do on their staff? Credit checks? Security clearance? Does the MSSP meet all your requirements for hiring staff?
It is very important to make sure you are comfortable with the MSSP’s staffing ratios. Who will be looking at your alerts, especially out of hours, and how many other customer’s alerts will that person be working on? What are the ‘out of hours’ escalation procedures? Could the MSSP provide you with on-going support during an extended Security incident that runs across shifts and over night for days?
Also, check on the MSSP’s third-party suppliers. MSSP’s are a target for mal-actors, as an MSSP has access to many customer organisations’ infrastructure. the third-parties of an MSSP are targeted as an easy way in to the MSSP….. How does the MSSP manage 3rd party risk for its self?
Finally, make sure you are happy with the mechanics of the service. Check that the case management system integrates into your ITSM toolset. Check there is a secure information sharing portal and some method of secure chat. Do the metrics and dashboards provided by the MSSP meet your requirements and can the MSSP meet your targets for Mean Time to Detection and Mean Time to Recovery?
In my experience, an MSSP can provide real benefits to organisations at the top and bottom of the Cyber Maturity scale. The most mature organisations can comfortably outsource specific parts of Cyber Security, such as Detection and Response services or Incident Response services, while choosing to focus on other aspects of Cyber Security. At the other end of the scale, organisations that are just starting out with Security Operations can get a lot benefit from the standard services offered by most MSSPs, as they have little or no internal capability. It is more challenging, however, for organisations that have some level of Cyber maturity already. Their requirements for tailored solutions often do not match well with the delivery capabilities of an MSSP.
Hopefully this has given you something to think about. Be clear about your requirements, be clear about the outcomes you want and make a well-informed, risk-assessed decision before you outsource. Or you don’t…
