All is not what it SIEMS!

Observations from working with Managed Security Services Providers (MSSPs). By Piers Wilson, Head of Product Management at Huntsman Security


Staying current with best practice and navigating the constantly evolving threat environment weighs heavily on MSSP operators and on security teams more generally. The burden of demonstrating value to clients and protecting their environments is often not recognised as important, as long as risks continue to be averted. Attracting and retaining the people needed for a high-performance team, without the technology necessary to support their work, can mean high levels of effort and organisational stress; much of that time could probably be better spent on the challenges of delivering effective cyber security services.

In speaking with the MSSPs we work with, these challenges are common. In response to market need, some offer bespoke services tailored to the specific requirements of the customer, and others offer defined services, often in increments of sophistication and cost.

Whatever their speciality, we hear service providers are striving to maintain a level of inbuilt flexibility in their operating model to meet the changing requirements of their customers, which is why Security Information & Event Management (SIEM) solutions are generally the foundation of security monitoring, and the provision of SOC and other MSSP services. SIEM is a mature technology sector, with most vendors offering similar functionality. Most, however, were designed to be deployed in a single enterprise and so are inherently not a good fit for a multi-customer managed security services business model – but there are newer next generation options that MSSPs are adopting.

When choosing a SIEM solution to support managed security services, we found that there are four considerations that have a significant impact on the cost effectiveness and profitability of an MSSP’s business offerings.

· Time to revenue – factors that influence the speed and overhead of onboarding new customers.

· Demonstrating value to customers – and improving customer retention.

· Scalability – primarily, the choice between Software and Appliances.

· Integration with future technologies – and the use of emerging security monitoring tools.

Time to revenue

One of the biggest considerations is the ease and ability to support multiple customers on a single platform, so-called multi-tenancy.

Managed service providers will inevitably need to support multiple customers and be adding new ones regularly. If they need a new instance of a technology each time they win a new customer, it can undermine the cost-effectiveness of the outsource model – leading to multiple platforms for their SOC analysts to administer and, ultimately, excessive “per customer” costs.

Analysts need a one-to-many console, so that additional application windows or dashboards are not required for each customer. For new customers, onboarding onto a working system with existing configurations also saves providers implementation and onboarding time. Multi-tenancy makes this operationally possible and massively streamlines the effort of bringing a new customer into service. While a number of technologies offer this capability, most achieve it through an access-control-by-group mechanism (one group for each customer) rather than true multi-tenancy.

Another opportunity to accelerate new customer onboarding is platform flexibility, so that adding new data sources and types, whether standard or bespoke, can be done easily. For an MSSP with multiple customers, there could be dozens of system types, firewalls, business applications and cloud providers, so the ability of the SIEM to cope with this diversity is a priority. Some technology solutions, less well suited to the MSSP market, rely on expensive professional services each time a new type of technology needs to be accommodated.

Demonstrating value to customers

Improving customer attraction and retention means being able to demonstrate value that is both visible and real. A service that operates in the background may suffer if there is little to show customers for their investment. Conversely, a constant stream of alerts that need technical interpretation, or involve further action, is likely to be seen as generating effort rather than value.

Getting the right balance between reports showing what the service has achieved and managing the throughput of alerts with supporting detail is critical. Ideally, customers should be notified of incidents with findings and recommendations so they can respond appropriately. They need to see the service benefits: regular reports on volumes of events analysed, alerts triggered, etc., and service performance levels based on operational KPIs.

Customised reports with commentary on investigations and alerts are highly valued by customers. They are paying for the expertise of the MSSP, so prioritised recommendations, rather than general information dumps, are a significant differentiator for many MSSPs.
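The two points above, tenant isolation from the "Time to revenue" section and per-customer reporting from this one, are illustrated by the following added example. It is not code from the original article or from Huntsman Security; it is a small, hypothetical event store in which every query is scoped to one customer by construction, alongside the "access control by group" pattern the text contrasts it with, where the customer filter is an optional parameter and a caller that omits it sees every customer's data. The customer names, sources and event messages are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    tenant: str      # the customer this event belongs to
    source: str      # e.g. "firewall", "ad", "cloud"
    severity: str    # "info" or "alert"
    message: str


class TenantScopeError(Exception):
    """Raised when an analyst asks for a tenant they are not authorised for."""


class TenantView:
    """Query handle bound to exactly one tenant; every method filters on it."""

    def __init__(self, events, tenant):
        self._events = events
        self.tenant = tenant

    def events(self):
        return [e for e in self._events if e.tenant == self.tenant]

    def search(self, keyword):
        # Scoping is applied before the keyword match, not left to the caller.
        return [e for e in self.events() if keyword in e.message]


class EventStore:
    """Shared store for all customers; tenant scoping happens at the boundary."""

    def __init__(self):
        self._events = []

    def ingest(self, event):
        self._events.append(event)

    def for_tenant(self, tenant, authorised_tenants):
        """Return a view for `tenant`, or refuse if the analyst lacks access."""
        if tenant not in authorised_tenants:
            raise TenantScopeError(f"not authorised for tenant {tenant!r}")
        return TenantView(self._events, tenant)

    def group_filtered_search(self, keyword, group=None):
        """The 'access control by group' pattern: the filter is optional,
        so a caller that forgets `group` sees every customer's data."""
        return [e for e in self._events
                if keyword in e.message and (group is None or e.tenant == group)]


def tenant_summary(view):
    """Per-customer report figures: events analysed, alerts raised, sources seen."""
    evs = view.events()
    return {
        "tenant": view.tenant,
        "events_analysed": len(evs),
        "alerts_triggered": sum(1 for e in evs if e.severity == "alert"),
        "by_source": dict(Counter(e.source for e in evs)),
    }


def build_sample_store():
    """Constructed sample data for two hypothetical customers, acme and globex."""
    store = EventStore()
    for ev in [
        Event("acme", "firewall", "info", "allowed outbound 443"),
        Event("acme", "ad", "alert", "login failure burst for svc_backup"),
        Event("acme", "cloud", "info", "bucket policy changed"),
        Event("globex", "ad", "alert", "login from new country for j.doe"),
        Event("globex", "firewall", "info", "denied inbound 3389"),
    ]:
        store.ingest(ev)
    return store


if __name__ == "__main__":
    store = build_sample_store()
    acme = store.for_tenant("acme", authorised_tenants={"acme"})
    print(tenant_summary(acme))
    # Omitting the group filter returns both customers' login alerts.
    print([e.tenant for e in store.group_filtered_search("login")])
```

The design point is where the tenant boundary lives: `for_tenant` is the only way to obtain a query handle, and the handle cannot return another customer's events, whereas `group_filtered_search` relies on every caller remembering to pass the filter. The same `tenant_summary` figures are what a per-customer report would draw on.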

Scalability

All IT systems need to scale. In the MSSP space, each new customer means additional systems to onboard and manage, and the SIEM needs to support this by design. Ideally the SIEM should scale horizontally, adding more storage, processing capacity, archive space and customers, and so minimise the constraints typically imposed by capacity expansion.

Scalability is particularly acute when considering whether to buy an appliance-based SIEM or software solution. Initially the ease of having a single appliance to support seems obvious, but the constraints can quickly become clear. No one wants to have to rip out a SIEM solution they bought two years ago and replace it with a larger one; or bear the initial cost of a larger box from the outset, in the hope of future growth. SIEM software solutions are infinitely better suited to progressive expansion than the alternative.

Integration with future technologies

The reality is that SIEM technologies continue to be the focal point for the provision of managed security services. Even when other technologies are being used, there is invariably an overarching SIEM in use to consolidate the log and security event data from across the enterprise.

This is important because of the vital role that SIEM plays, even as the demand for auxiliary services (like E/XDR and NDR) grows over time. Additional technology solutions, that add particular value will always need to be integrated into an overall SOC solution – and SIEM enables this expansion without adding numerous application consoles for operators. Automation and SOAR are also drivers, especially where workflows span multiple solutions.

Then, there is growing interest in MITRE ATT&CK®. This classifies the tactics and techniques attackers use, to enable the MSSP and its customer to understand the nature of a particular incident and the stage of the related attack. It also provides a set of mitigations that the MSSP and customer can work together to put in place. This sort of value-added capability, of course, can present further sales or consultancy opportunities for the provider. Security is technical in nature, and MITRE allows the MSSP to work with and advise their customers on new and emerging threats or potential solutions, as they arise.

Again, implementations of MITRE ATT&CK® vary. Endpoint solutions, for example, are focussed on user behaviours and workstation signals. SIEMs, however, are well suited to providing information about what’s happening across the rest of the infrastructure; then aggregating that information for better visibility of your overall cyber security position.

Summary

From our work with MSSPs, we understand that the security technology market is highly diverse, with many suppliers offering varying capabilities at various price points. The desire by customers for MSSPs to demonstrate value through service, and not just routinely issue a report of an incident, is clear. Actually investigating, and providing an annotated interpretation and recommended resolution is emerging as a new requirement for many customers; and a revenue opportunity for MSSPs.

For enterprises, the technology choices are complicated enough; but for managed security service providers, the additional considerations of time to revenue, perceived and actual value, scalability and future-proofing your technical platform are added complexities.

The best traditional enterprise solutions may not work as well in a multi-customer environment – it was not their use case. They may not allow the accommodation of multiple customers or the economies of scale necessary to match the rapid business growth the provider expects; or they may lack the flexibility to cope with the range of technologies that will be encountered into the future. The good news is that there are now contemporary options that solve some of the traditional obstacles MSSPs face in better meeting the needs of end customers.

If you and your team are looking for a true multi-tenancy SIEM that is built for MSSPs, consider Huntsman Security’s SIEM solution: https://huntsmansecurity.com/products/mssp-siem/ or request a demonstration by emailing: ukinfo@huntsmansecurity.com.
