Whether you are just evolving an information security program, or are redesigning from the ground up, one pivotal question you should be asking is: “Should I be incorporating a Managed Security Services Provider (MSSP)?” There are a great many strengths to this approach, and it can enhance your team in many ways, including:
- More efficient allocation of security resources
- Superior threat intelligence
- Orders of magnitude reduction in the time a criminal adversary is left unfettered in your system
- Improved incident response
- Increased organizational stability while enhancing effectiveness
- Elastic adjustment to the organization’s changes and strategic directions
With a 100% internal team, it is often hard to come to an acceptable compromise across all these categories.
Imagine a healthcare system where there was a one-to-one doctor to patient ratio, and yet you only got sick 2-3 times a year. Not only is this an inefficient use of resources, but that doctor wouldn’t be able to hone their expertise on hundreds of other patients. Their skills would quickly become stale, while at the same time they would be costing you entirely too much.
An MSSP is like having a small team of doctors allocated to hundreds of clients. Serious security incidents are reasonably rare in any single company, but when you look over several hundred patients/companies, someone is always having a catastrophe. This makes them more experienced in dealing with them and more sensitive to the warning signs.
Many MSSPs have run machine learning algorithms on petabytes of security data that individual companies just don’t have, using computing resources that few companies can justify. This reduces false positives and can prioritize those 2am calls so that only the really dangerous ones wake you up at night. Threat research encompasses not only the latest CVE, but newly identified vulnerabilities that have not yet been cataloged in the vulnerability databases. Unless you have a person researching these full-time and turning them into actionable detection software, it is difficult to match what a good MSSP can afford to do.
“Dwell time” is the length of time the average adversary (criminal, competitor, or APT) is inside your network before they are detected. While it generally takes about a week of recon for a criminal to start moving laterally in your network so they can exfiltrate data, the average company has a dwell time of 100-200 days. Often, they are told of the breach by external agencies or law enforcement. A good MSSP that monitors traffic for suspicious patterns has a dwell time of about a day or two, long before the bulk of the damage is done. This 100x improvement vastly decreases your exposure and has a real impact on your information security posture.
In an individual company, you likely have only a few truly serious security incidents a year. Since an MSSP has hundreds of clients, the MSSP’s incident response is practiced and sure compared to an internal team which, as good as they may be, lacks daily drills and a global perspective. Because it has a 24/7 SOC, you have the option of getting a call at 2am (an Eastern European hacker doesn’t work 9-5 PST) telling you “this actor is doing that in this system. Here are 5 options for dealing with it.” You can pass this off to your team, which can immediately isolate the attacker and get the fix for the system started with less complication. If you do this in house, you will not have security personnel working at 2am when the breach occurs, and you will be getting the ball rolling much later (or, as pointed out in the dwell time discussion, 150 days later). In addition, you won’t start with the benefit of the research the MSSP has done into exploit mitigation. An MSSP gives you the chance to change the focus of your security team from wading through questionable security incidents to implementing fixes. This new emphasis has the added benefit of improving the hygiene of the code base that supports your business.
continued in part 2