Technology Guide: What MSSPs should look for now and next

What should you implement now or soon? And what should you be keeping your eye on for the future to ensure ongoing resilience, relevance, and margins?

We’ve worked with a lot of MSSPs for years, and they’ve shared with us that their biggest problems today include:

1. Too many siloed tools. They juggle too many low-level tools that don’t talk to each other. Each tool may do what it does well, but there’s a cost to integrating technologies, managing vendors, and finding employees with the right expertise to run them. Each new tool introduces new benefits but also new risks.

2. Data ingestion and storage is expensive. Maintaining security requires data, and it’s expensive. You need a lot of data so you can determine when and if something could be going wrong that indicates an attack or breach. You want to collect all that data and sift through it, but ingestion and anything close to real-time analysis is expensive – often prohibitively so.

3. It’s hard to get and keep talent. Well-trained security analysts who understand the tools and environments you work with aren’t easy to find or to keep. The 2022 Cyberthreat Defense Report says, “The gating factor in providing better security is finding personnel with security skills, not budget.”^[2] (But isn’t budget nearly always a concern?)

4. Mapping threats against assets is hard. It’s harder to know where to focus when you don’t have asset information integrated with your security data. Maintaining asset data is extremely challenging in a world where assets come on and offline frequently.

5. Far too many alerts and false positives. You need to find signals in the noise, but when your tools are low level, you won’t see patterns above them. When you don’t have the data you need to find patterns – in real time and over time – you’ll miss trends.

Here’s what to look for in new technologies that can address each of these five issues.

Having siloed tools is not itself a problem until you have a lot of them. Having a lot of tools isn’t a problem unless they don’t work together without a lot of extra work. However, ripping out the tools you have and replacing them with a smaller number of other tools won’t solve the problem long term.

If you already have or anticipate this challenge of too many siloed tools, look for solutions that leverage your current investments and that integrate into a multi-tool world. As Gartner®, Inc. points out, “IT leaders must integrate security tools into a cooperative ecosystem using a composable and scalable cybersecurity mesh architecture approach.” ^[3]

“By 2024, organizations adopting a cybersecurity mesh architecture will reduce the financial impact of security incidents by an average of 90%.”

Advantages of a cybersecurity mesh architecture include flexibility, adaptability, and continuous improvement. There is no one product that provides it – it’s an architecture, after all. But some technologies are better suited to an open, agile architecture approach than others.

There’s another major issue: Too many siloed and low-level tools can inhibit your ability to perform behavioral detection analytics. Behavioral analytics identify potentially malicious activity within a system or network that may not rely on prior knowledge of adversary tools and indicators. It is a way of leveraging how an adversary interacts with a specific platform to identify and link together suspicious activity that is agnostic or independent of specific tools that may be used. You can use the MITRE ATT&CK framework to construct and test behavioral analytics to detect adversarial behavior.

Look for technologies that offer:

•  Secure APIs as well as prebuilt integrations.
• Scalability, ideally through native cloud platforms.
• Behavioral detection analytics.
• Mapping to a framework like MITRE ATT&CK.
• Support for Cybersecurity Mesh Architecture.

2. Data ingestion and storage is expensive.

Actually, data ingestion and storage no longer has to be expensive. There are new options out there well worth your consideration. Look for data ingestion and storage technologies that offer:

• Ability to scale to capture the amount of data you need for your customers now and in the near future – even if you “open the aperture” and filter less.
• Fast search speed for your current and near-term data volumes.
• Real-time (or close) data analytics.
• Ability to use your current security telemetry sources.
• Ability to ingest data from all sources: on premise, cloud, etc.

3. It’s hard to get and keep talent.

Getting and keeping talent is an ongoing and growing problem. Many employees are burned out from the grind. Automation can relieve your people of tedious L1 and L2 tasks. Technology products that use data analytics and machine learning can provide extensive context, identify trends and anomalies, add data enrichment, and other functions that speed resolution while reducing tedium.

Use technology to dramatically improve how you run security ops, not just to automate current processes to make them more efficient. For example, look beyond threat detection and response to proactive “peacetime” activities that shore up resiliency in advance of attacks. Consider effectiveness as opposed to “efficiency” against specific metrics that the new technology may make obsolete. For example, enabling your team to manage more customers is a better metric than the number of tickets that they can close. (After all, the technology may also cause more tickets to be generated).

If you have a good team, help them be happy and highly productive. Look for technologies that:

• Enable your current team to be more effective, not only through automation but also through data analytics, machine learning, etc.
• Support proactive “peacetime” activities that shore up resiliency in advance of attacks.
• Don’t require that you hire more experts.
• Reduce burnout and that your team is excited to use.

4. Mapping threats against assets is hard.

It’s harder to know where to focus when you don’t have asset information integrated with your security data. You can be dramatically more effective when you know whether an attack is targeting a high-value business resource (“the crown jewels”) or a more isolated, unimportant asset. Maintaining asset data is extremely challenging in a world where assets come on and offline frequently.

So, look for technologies that offer:

• Automatic asset discovery and the ability to tag assets depending on their business importance.
• Ability to map known threats against any customer’s assets to see where they may not have sufficient log coverage for early detection.