The following is a guest blog, composed by Elliott Franklin.
Increasingly, the key question about engaging with a security services provider is not when you should take that step, but how you take it. That's because security has become complex, and few companies can do everything they need to do themselves. I think every security program, no matter how large or small, should leverage an MSSP.
Of course, the things you contract to an MSSP depend a lot on the talent and systems you have in house, and on the capabilities of the service provider. As a situational leader, I ask each team member what they enjoy doing every day and then outsource the rest! This may include vulnerability scanning, patching, and firewall maintenance. At a minimum, 24x7 log review and threat hunting are good choices for outsourcing.
Some companies make outsourcing decisions based on the perceived technology advantages of the service provider. Technical capability is an important consideration, but it is not the only one. Many security programs stumble over the question of which technical capabilities they should implement themselves and which they should access through an MSSP, and it's difficult because there are simply too many technologies and security vendors. The essential question every company needs to ask itself is, 'what are the biggest gaps on our risk register or in our security maturity program, and how can we address them?' The answer may be a new security technology, but there is a good possibility the gap can be addressed through a change in processes or procedures. This is the painful part of security: change management, identity and access management, audit reviews, third-party vendor management. Many of these must be performed by team members with the help of technology, but if you put the technology first, you often set expectations that the technology alone cannot meet.
Threat hunting is a good candidate for outsourcing to an MSSP because it's necessary, and it is difficult to do without dedicated resources. To be effective at threat hunting, you must know what to look for, which means knowing what normal looks like in your environment so that you can recognize what isn't. There are two primary reasons why I believe threat hunting is difficult. First, most teams are too small to have time to train or to actively hunt. Second, while it is a very valuable capability, it comes after the basics of security, and few companies, large or small, have remediated all the basic requirements of their security program. These include an annual risk assessment, a risk register, a security framework and roadmap, policies, procedures, patching, vulnerability management, control of admin rights, and multi-factor authentication. Once the organization has mastered these, it can devote time to threat hunting. Many organizations never get there, which is why I recommend outsourcing this to an MSSP.
As you think about working with an MSSP, keep in mind a key goal of your security practice, which is preventing breaches and ending the breaches that do happen. When it comes to breach response, practice makes perfect. Even with annual response training and drills, it is challenging to prepare for all types of disasters. I believe the key is to have those important relationships with the executive team and external partners established ahead of time. A solid plan won't cover all types of attacks and disasters, but it should include the basics: a clear incident commander who can act with authority, alternative communication channels, and service providers who can assist with meals, lodging and concierge services for team members, their families and pets. Being transparent is key, and part of that is sharing accurate information as soon as you have it.
One important step in deciding how to engage with an MSSP is knowing clearly where your organization stands from a security perspective. To know that, you need a comprehensive assessment, performed at least annually. Given how rapidly organizations change key systems and processes, waiting any longer could be a liability.
It makes sense to outsource those functions that you can't afford or don't have the staff for internally. However, it is key that you have at least one internal employee who is a true subject matter expert on the capabilities you are outsourcing, someone who can hold the MSSP accountable. I have seen organizations whose MSSPs were managing multiple technologies and were not doing a good job of it. The platforms had not been upgraded in years, the MSSP was not performing monthly or quarterly business reviews, and the systems had not been implemented according to best practices. Even if you can't afford a full-time team member to oversee the MSSP, I would strongly encourage you to contract with a security auditing firm to evaluate your security vendor and the services they are providing annually. If you don't hold them accountable, you may not receive much value in return.
Every security program, large or small, should consider an MSSP relationship. However, they need to think carefully about what they outsource and how doing so enhances their security. And once they make the decision, they need to manage the relationship just as they would manage any other aspect of their own security practice.
Elliott Franklin has served the technology and security industry for the past 21 years. While risk and security have been his primary roles, he has helped architect and migrate data centers to the cloud and build multi-year technology roadmaps. Franklin enjoys giving back to the community with local security organizations and teaching families how to stay safe online and avoid cyber-bullies.