We all know the security industry is exploding with new products and services that are being marketed as “the only way to secure your environment.” Similarly, we are seeing all sorts of providers that claim to provide SOC (Security Operations Center) services. With all of the terminology and acronyms being thrown around, e.g., MSSP, MDR, SOCaaS, etc., I’ve had a hard time deciphering whom to trust as it relates to these services. I assume you are seeing similar issues.
For this post, I want to suggest a slightly different approach to the managed services acronyms. Rather than talk about which one best fits, based on definitions that are all constantly changing, I’d rather discuss the maturity of security operations in general. Many providers want to place a label on the services provided, but it really comes down to understanding what is needed and establishing a good relationship with the right provider.
Here are some maturity guidelines on the types of managed security services:
SECURITY MONITORING/ALERTING: This service is focused on security, yet it is limited in that it only provides general monitoring and alerting. It can be delivered in a few different ways, but most providers are simply using a Security Information and Event Management (SIEM) solution that correlates logs from multiple systems (endpoints, firewalls, identity stores, IDS/IPS, etc.). A strong provider in this area will not only alert you to anomalous behavior; they should also work with you to tune these alerts so that they are efficient and not drowning you in false positives.
AUTOMATED SECURITY RESPONSE: This level of service starts to focus on incidents or events rather than just alerts. As incidents are detected, certain response actions are carried out according to clearly communicated processes, playbooks or scripts. This service is more focused on automation.
ADVANCED SECURITY OPERATIONS: This service should be focused on day-to-day security operations related to the prevention, detection, response and reporting of security incidents. It covers not only the correlation of internal alerts/events, but also factors in external insight related to your industry (threat intelligence). Additionally, I would include specific capabilities around the advanced analysis of incidents to determine the risk to the organization. This service is much more focused on the human element, rather than simply playbooks or scripts.
Within these definitions, providers will attach the terms of MSSP (Managed Security Service Provider), MDR (Managed Detection and Response) and/or SOC (Security Operations Center). The problem is that many vendors will mix and match those terms to mean different things across the levels of service. So, with definitions such as these, you will want to consider a number of things in the context of your organization and your security program prior to engaging a vendor:
- PROVIDER REQUIREMENTS – This is the first thing you need to define well – the requirements for your security services. For instance, are you looking to augment staff and have a vendor give you alerts? Or, are you looking for a vendor to have access to your systems and respond to security incidents? One very basic example I give is when there is a potential for compromised credentials. Will your security service provider have the access to suspend that user or reset their password?
- PROVIDER OFFERING – Now that you know what you need for your organization, match those to the provider’s current and future offerings. Understand specifically what is available today versus those services that are on a roadmap to be offered in the future. Many vendors that are just starting out may not have the ability to provide all services immediately.
- SERVICE LEVEL EXPECTATIONS – Once you know what you’re requesting from your service provider, it is critical that both parties agree to the parameters of service levels. Do you expect different service levels for different incidents? Perhaps you expect 24 x 7 support and associated processes? Make sure those differentiators are clear in the service level agreement.
- ONGOING SUPPORT – When dealing with service providers, it’s critical to understand their pricing model both today and as additional services are added. You will want a service provider that will scale with your growing business and accommodate your maturing security program. Many times, additional services come with an additional cost.
I have reviewed a number of service providers that can meet the needs of many organizations (using FocusPoint’s vetting process). One that continues to stand out as a provider that understands where the industry is headed is Arctic Wolf (www.arcticwolf.com). Their security services range across all levels of maturity and they take the time to work with companies to understand their requirements prior to selling them solutions.
In working with multiple organizations, I find they struggle with maturing their security program because they are so focused on day-to-day functions that require them to be reactive rather than proactive. Overall, I highly recommend using some sort of managed security services, especially if your company is looking to focus more strategically.