In-house security teams can face some difficult challenges keeping up with current events. The array of potential risks involving phishing, social engineering, malware, user error, malicious insiders, and more can become so overwhelming that it's good to know outside resources are available. Namely, Managed Security Service Providers (MSSPs), which can assist with, or entirely shoulder, the burden of handling security risks.

I spoke to Tony Velleca, CEO of CyberProof, a Managed Security Service Provider, to find out more about the benefits offered by organizations such as his.


Benefits of MSSPs

Scott Matteson: What advantages do MSSPs offer over traditional in-house security staff?

Tony Velleca: Many enterprises indicate that they spend too much time on firefighting and dealing with false positives. Enterprises are often crippled by a significant shortfall of security experts across cyber operations from assessment, containment, and post-breach remediation.

Advanced MSSPs have solved this problem by using a fresh approach. We use a product called SeeMo, which is central to the security automation and orchestration platform. It’s an artificial intelligence (AI) and machine learning (ML) powered chatbot, which manages orchestration, collaboration, and machine learning, and provides a natural language interface.

SeeMo augments security team tasks and creates smart insights by correlating and enriching log alerts and then turning them into contextual Smart Alerts. This means that detection and remediation can happen much more quickly (reducing weeks to hours).

Many enterprises can't cope with an increasingly hostile threat environment. Advanced MSSPs integrate all the key elements (people, methodology, technology, and AI/ML) for the best combination of defenses.

Services fully managed by a team of nation-state experts located in multiple locations are the most effective at protecting the organization. Such services include monitoring, detection, vulnerability intelligence, event correlation, noise filtering, incident response, forensics, and continuous learning and tuning.


Advanced MSSPs also implement playbooks, which represent the workflow and tasks to be initiated for detection, response, recovery, and tuning. These playbooks are not intended to be used merely as a reaction to a crisis, but rather as a proactive workflow, which guides the security operations through the appropriate steps based on previous resolutions and machine learning. The playbooks are also customized per client/environment.

Advanced MSSPs are also very flexible. They can be used in a full MSSP model or in an augmented model for more mature enterprises that already have some of these capabilities. For example, an enterprise might seek help to reduce its incident response time through AI/ML automation, which can run on the major clouds (AWS, Azure, GCP, IBM Bluemix) or on-premises.

Challenges involved with MSSPs

Scott Matteson: What challenges are involved (e.g. need to build trust) with MSSPs?

Tony Velleca: Working out an effective way to collaborate with existing security teams is a significant challenge. Collaboration between in-house and outside teams is critical. Using tools like Slack allows teams to work effectively together in real time on incident response and remediation.

There are also challenges with hosted and on-premises elements.

Scott Matteson: How can MSSPs take on a more advanced role from an organization?

Tony Velleca: This is a key area where an MSSP can make the difference. Advanced methodologies and technologies are often not known in organizations, and staff rarely have the expertise to operate the products.

This is the value an MSSP brings: broad expertise and best-in-breed tech that is leveraged as part of the service. For many organizations, outsourcing makes more sense financially because MSSPs have the efficiencies of scale that cannot be achieved with large-sized organizations.


For advanced MSSPs, the following advanced services should be available:

  1. The continuous ability to find and mitigate vulnerabilities in critical systems.
  2. The ability to proactively predict threats, especially targeted attacks.
  3. The ability to detect key attack tactics and methods in critical systems.
  4. The ability to respond effectively, reducing the possibility of an attack turning into an event or successfully managing a high-profile event.

Furthermore, MSSPs need to take on the role of the CISO rather than the role of a security advisor. They need to have a deeper understanding of company processes and procedures and an inherent knowledge of how operations work. MSSPs also need to shift from focusing entirely on regulatory compliance to understanding the threats targeting each of their individual customers and managing security to suit their needs, rather than applying a one-size-fits-all approach.

Five strategies

Scott Matteson: What methods do MSSPs use to understand their customers' environment/needs to provide a tailored approach?

Tony Velleca: Here are the top five strategies:

  1. Identify – Appropriate external threat intelligence is necessary for risk management efforts to understand the complete business context, the actual attack surface, and new or lately emerging threats.
  2. Protect – Significant investments in prevention are not catching up with unmanaged devices and services, application bugs, and misconfigurations. Before investing in new and advanced security tools, improve ROI in existing under-utilized security solutions.
  3. Investment Balancing – Complete prevention is impossible, but to minimize damage, it must be accompanied by agile and effective detection and response.
  4. Detect – Globally reported data breaches due to simple, yet rapid, attacks are a clear sign that, as prevention seems to be failing, investment in improving detection capabilities should be a priority.
  5. Respond & Recover – Improvisation when containing and remediating incidents usually significantly increases inflicted damages, especially in reputation and customer trust.