Every MSSP knows that the future to increased revenue lies in automation. And yet, according to a recent survey, many MSSPs say that their ability to create new, value-added service packages remains limited not because of lack of innovation but because of the inflexibility of the market. This is partially down to the inelastic pricing of MSSP services in the eyes of the customer. One of the main reasons companies seek MSSP services is to lower costs, so to justify a price increase, the value must be compelling. In addition, solutions just aren’t built with the MSSP business model in mind, which means they then need to self-limit their use of the technology.
MSSPs must invest in emerging technologies that add value to the SOC and integrate with the Security Incident and Event Management (SIEM) system. They cannot afford to stand still which is why there is now a focus on automated threat detection and response in the form of Security Orchestration, Automation and Response (SOAR) and Unified Entity Behaviour Analytics (UEBA).
New revenue streams
Both offer the prospect of new revenue streams. SOAR allows the MSSP to use playbooks mapped to the MITRE ATTA&K framework to detect, respond to and mitigate threats automatically. UEBA, on the other hand, builds baselines for user and group behaviour used to identify unusual patterns and fend off unknown and insider threats. Any anomalous behaviour on the network that falls outside of these boundaries is flagged for analysis in real-time.
Those MSSPs offering SOAR have found customers value the best-practice workflows and playbooks that trigger incident response actions, according to the report. It found that the MSSP was able to deploy the SOAR across the customers own technologies, such as firewalls, Endpoint Detection Response (EDR) and other tools.
What’s interesting, however, is that the survey also revealed that MSSPs are only partly utilising these solutions. They’re frequently restricting the use of SOAR to data consolidation, enrichment and normalisation (which happens behind the scenes), rather than using it for automated incident response (which would be a chargeable service).
Failing to capitalise on investment
The reason given for this is that the MSSPs claim SOAR is not something that works for them out of the box, without any modifications. SOAR requires planning and needs to be discussed with customers because every customer may have a different setup. In reality, while automation speeds up processes and takes the load off analysts, automating incident detection and response processes in a single company is quite different from automating MSSP processes for hundreds of companies. The best response for a 50-person company may not be the best response for a 5,000-person company.
However, not capitalising on the investment in SOAR makes little sense, particularly as those customers that are using it with their own technologies clearly relish the benefits. So, what needs to happen to change this?
Ultimately, the market needs to cater to their needs. MSSPs need a clear path to new service creation and that means they need SOAR vendors who can simplify the process. What they’re looking for are flexible licensing options, for instance, and hands-on training to teach MSSP analysts how to design playbooks and implement use cases to speed response and shorten SLAs.
As the MSSP begins to work with each customer to get the right rules and playbooks in place, this will increase visibility, which in turn will see customers become more well disposed towards such services and come round to the idea of paying more for the privilege.
Overcoming the challenges
MSSPs who have deployed UEBA have found this to be more challenging due to licensing structures and the data volumes involved. UEBA analyses masses of data and requires significant infrastructure capacity. So MSSPs will seek to converge these new technologies with existing SIEM platforms, making it easier to deliver a wide array of cybersecurity services under a converged and predictable licensing structure.
In an ideal world, MSSPs want to be able to use a single platform to work on event data from all clients at the same time, rather than have their analysts working in customer silos. According to the real-life experience of MSSPs, the best features are those that allow flexible configurations and easy customisations per client. MSSPs don’t want to be limited by an interface that provides a one-size-fits-all menu of clickable boxes and buttons.
To get to this point, they must be able to build working relationships with vendors to help configure and support the solution for rollout across their entire customer base. It’s a working relationship that can also help benefit the MSSP by allowing them to build up an understanding of the inner workings of the cybersecurity platform and to influence roadmap decisions to assure the continuity of affordable services and efficient operations.
But the danger today is that vendors continue to produce cybersecurity platforms and solutions for ‘the enterprise,” when MSSPs need platforms and solutions that will allow them to manage hundreds and perhaps thousands of enterprises at the same time, and from a central and unified management tool. Unless something changes, MSSPs will invariably only leverage some of the feature sets in these solutions, and MSSP investment
overall is likely to remain low. It’s now down to vendors to attend to the unique needs of MSSPs or risk holding back the market.