QUESTION #1
Is my organization ready for managed security services?
Preparation is key to a good experience with any provider.
BACKGROUND
An MSSP may help reduce specific risks in specific ways, but it can only be effective if your environment is ready for its assistance. A common example today is an organization that wants an MSSP to automate processes and procedures it still performs manually and inconsistently. There’s no escaping the hard work involved in developing process: modernize, standardize, optimize, and automate. Often, a professional services provider (perhaps within, or tightly affiliated with, your MSSP) is what’s needed for the first three to succeed. Automation is then where the MSSP can shine.
Put yourself in your MSSP’s shoes for a moment. Most are very good at what they do. At the same time, their business model is built on automating repeatable processes. Their objective is to get your organization to a place where they can manage you as they do their other clients, with standard processes and procedures that lead to effectiveness and efficiency. As the customer, you’re focused on security effectiveness. As the provider, they are at least equally focused on efficiency.
If you’ve worked with any type of outsourcing before, then you already know this from experience, but it’s good to remember that MSSPs are no different.
Because no provider will ever know your environment as well as you do, the best way to help them help you is to be organized and prepared.
This starts with technology management.
Most MSSP arrangements work best when you have mature processes in place for hardware and software patching, configuration management, and asset management. Have you made a serious investment in this area? Alert fatigue isn’t unique to an internal SOC. If your environment is unpatched and “noisy,” the provider will have to do something to keep you from overrunning the service. Similarly, if they send you more alerts to follow up on than you can handle, you won’t be able to see the value. So, a hygienic environment with proper asset management and patching will help everyone.
Another thing to consider is incident response and recovery. An MSSP can alert you to a serious security problem in your environment, but what happens then?
- Do you have a way to “lock down” and continue to operate or recover if you have a serious breach?
- Do you have a way to recover (immutable backups) from a worst-case scenario?
- Do you have cyber insurance in place?
These are typically all “add ons” or out of scope for MSSPs.
Don’t forget about your clouds. Cloud technology changes fast, but MSSPs may not change as quickly as you’d want, which might mean they can’t handle your preferred cloud provider’s logs and idiosyncrasies.
TIP: Do some work before you buy. Modernize, standardize, optimize, and automate. Make sure you have a solid foundation in place (backup/restore, patching, asset management, EDR, and other basic security). Get help if you need it. Spend some time and money getting your house in order before you sign a contract, because your contract cost will be based on the environment and expected workload for the MSSP. A bit of preparation will increase your odds of having a good experience with your provider.