Managed security services providers (MSSPs) can teach a master class on today's threat landscape. With dozens of client environments to monitor, MSSPs get a broad view of what it takes to detect, manage and respond to cyberthreats of all kinds. And don't get us started about all the false positives to be addressed day in and day out.
MSSPs are also in the unique position of needing to understand how to fully leverage the vast landscape of security tools. Whereas an enterprise security operations center (SOC) team would need the capabilities to manage one SIEM, for example, an MSSP needs to be prepared to manage a variety of client-selected technologies. From SIEMs and web application firewalls (WAF) to intrusion detection systems (IDS) and anti-malware solutions, MSSPs must be ready to manage them all.
Below is a quick look at what you should be looking for when exploring security orchestration solutions if you, or someone you love, is part of an MSSP.
Security orchestration table stakes

Security orchestration should provide a centralized security operations platform as the nucleus of its security management. A single console provides MSSPs with a centralized, detailed view of multiple customers. Within the scope of security orchestration are core features and functionality that should be considered table stakes for any organization:

- Alert triage: streamline alert management and the triage process by eliminating noise, grouping related alerts, and integrating multiple data sources to provide and enrich insight across grouped alerts.
- Single pane of glass: manage the entire SOC through a complete view presented in a single console, which analysts can use as their primary workbench.
- Playbook knowledge base: accelerate time to value with an out-of-the-box playbook library that covers the full range of playbook requirements and balances automation with analyst interaction.
- Case visualization: a visual representation of each case provides an intuitive understanding of complex cases and threats in a fraction of the usual time required.
- Customer reporting: one-click reporting of activity and KPI measurements to customers, with automation of the reporting and distribution process.
- Case reduction and clustering: reduces case load via graph contextualization, clustering of contextually relevant cases, and automated case prioritization.
- Automation: automate cumbersome manual processes with machine-speed response. Typical processes ripe for security automation include data normalization, alert filtration and consolidation, and case enrichment.
- Playbook and workflow authoring: playbook design capability to create and implement analyst-customized workflows (without scripting).
- Dashboards: dashboards equipped with the intelligence to measure performance, capacity and efficacy of security operations across multiple clients. These should be flexible and customizable to deliver insight and demonstrate MSSP security operations value.
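The triage pipeline the items above describe (data normalization, filtration of duplicates and noise, clustering of related alerts strictly within one tenant, enrichment, and automated prioritization), as an added Python illustration written for this page rather than code from any orchestration product; the two vendor alert schemas, the asset inventory and the scoring rule are constructed assumptions.

```python
from dataclasses import dataclass, field

RAW_ALERTS = [  # constructed sample alerts in two made-up vendor schemas (SIEM and IDS)
    {"tenant": "acme", "src": "siem", "rule": "Brute force", "sev": 3, "ip": "10.0.0.5", "ts": 100},
    {"tenant": "acme", "src": "siem", "rule": "Brute force", "sev": 3, "ip": "10.0.0.5", "ts": 100},
    {"tenant": "acme", "src": "ids", "signature": "SSH scan", "priority": "high",
     "source_ip": "10.0.0.5", "time": 130},
    {"tenant": "acme", "src": "ids", "signature": "Info probe", "priority": "low",
     "source_ip": "10.0.0.9", "time": 140},
    {"tenant": "globex", "src": "siem", "rule": "Brute force", "sev": 3, "ip": "10.0.0.5", "ts": 120},
]
ASSETS = {"acme": {"10.0.0.5": "domain-controller"}, "globex": {}}  # constructed enrichment source
CRITICALITY = {"domain-controller": 3, None: 1}  # None = indicator not in the tenant's inventory
SEVERITY = {"low": 1, "medium": 2, "high": 3}
NOISE_FLOOR = 2  # normalized severities below this are dropped as noise

@dataclass
class Case:
    tenant: str
    indicator: str
    alerts: list = field(default_factory=list)
    asset: str = None

    def score(self):  # priority: worst severity x alert count x criticality of the enriched asset
        return max(a["severity"] for a in self.alerts) * len(self.alerts) * CRITICALITY[self.asset]

def normalize(raw):
    """Map each source schema onto one common alert shape (data normalization)."""
    if raw["src"] == "siem":
        return {"tenant": raw["tenant"], "source": "siem", "name": raw["rule"],
                "severity": raw["sev"], "indicator": raw["ip"], "ts": raw["ts"]}
    if raw["src"] == "ids":
        return {"tenant": raw["tenant"], "source": "ids", "name": raw["signature"],
                "severity": SEVERITY[raw["priority"]], "indicator": raw["source_ip"], "ts": raw["time"]}
    raise ValueError(f"unknown alert source {raw['src']!r}")

def triage(raw_alerts):
    """Filter duplicates and noise, cluster by (tenant, indicator), enrich, then prioritize."""
    seen, cases = set(), {}
    for alert in map(normalize, raw_alerts):
        key = (alert["tenant"], alert["source"], alert["name"], alert["indicator"], alert["ts"])
        if key in seen or alert["severity"] < NOISE_FLOOR:
            continue  # filtration: exact duplicate or below the noise floor
        seen.add(key)
        ckey = (alert["tenant"], alert["indicator"])  # never cluster across tenants (multi-tenancy)
        case = cases.setdefault(ckey, Case(alert["tenant"], alert["indicator"]))
        case.asset = ASSETS[alert["tenant"]].get(alert["indicator"])  # enrichment
        case.alerts.append(alert)
    return sorted(cases.values(), key=Case.score, reverse=True)  # automated prioritization
```

With the sample data, the two acme alerts for the same indicator collapse into one case that outranks the identical-looking globex alert purely because enrichment marks the acme host as critical.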
Additional MSSP requirements

Be sure to look for solutions that go beyond core security orchestration functionality to include these capabilities, tailored to the needs of MSSPs:
- Adapt workflows for similar use-cases to specific customers
- Integrate SLA expectations with KPI performance measurement and reporting
- Provide customer visibility through automated reporting and distributed dashboards
- Collaboration between MSSP security professionals and customer resources
- Health monitoring across MSSP customer base
Make sure the foundation is solid

When evaluating a security orchestration solution, MSSPs should also inquire about four key capabilities at the structural level:

- Multi-tenancy: multi-tenancy (at the environment level, and in terms of data, permissions, dashboards, reporting, and unique customer playbooks) is crucial for any MSSP that wishes to reap the full value of security orchestration across its customer base and to give teams the proverbial single pane of glass for access and visibility.
- Scalability: the platform must be able to grow with an MSSP’s customer base, requiring a flexible and scalable design architecture.
- Integration: given the infinite possible configurations, a security orchestration solution must have the capability to integrate with any environment. Out-of-the-box integrations are an important part of the solution, as is an architecture that supports easily expanded integrations with the endless data sets MSSPs will encounter, for example multiple SIEMs and non-standard alert sources, including e-mails.
- Flexibility to support various MSSP delivery models: the ability to be deployed locally (for a centralized SIEM environment), remotely (for distributed environments), or as a hybrid.
Let's go shopping

For a deeper look and a full security orchestration shopping list, download our MSSP buyer's guide for security orchestration and automation.