Doing More with Less: How MSSPs Succeed in Today's Cyber Landscape
Doing More with Less: How MSSPs Succeed in Today's Cyber Landscape

The dramatic increase in the shortage of skilled cybersecurity professionals is one of the most daunting challenges facing the industry. Despite the fact that the industry is full of technology vendors who are developing innovative tools, it is getting harder and harder to find people who can use them. 

According to ESG's annual global survey on the state of IT, 51 percent of respondents noted that cybersecurity represents the biggest area where their organizations have a problematic shortage of cybersecurity skills in 2018. This is up 6 percent from 2017, and 26 percent from 2015. What's more, demand is continuing to increase at a much faster rate than supply. If you have tried to hire cybersecurity professionals recently, you have experienced this first hand – security is a candidate's market right now and the evidence indicates this trend will continue for some time.

Coupled with the changing cybersecurity landscape – think multi-vector (IT to OT) attacks and a massive volume of alerts to manage – the role of cybersecurity organizations has become significantly more complex and challenging. Helping organizations address this unbalanced battle, the managed security service provider (MSSP) market is growing exponentially. 

The Rise of MSSPs

Since 2011, hundreds of MSSP organizations have emerged, aiming to address and leverage the new demand for outsourced information security. Global consultancy firms and IT firms have formed security services divisions. With this growth, we see an increase in competition. MSSPs are struggling to differentiate their offering, maintain and grow margins while remaining competitive. MSSPs are seeking to enter new markets to grow business. Agile entrepreneurs are establishing smaller scale, regional MSSPs, and specialty MSSPs are now emerging, specializing in specific market segments such as energy, pharma, or financial services.      

Furthermore, driven by the competition, MSSPs are seeking new and innovative ways to expand their offering and solve more pieces of the cybersecurity puzzle for their customers. Many of them are expanding from traditional perimeter security and device management to managing threats and offering hunting, incident response and managed detection and response (MDR) services. This aligns with the industry's shift from prevention to detection and response, and the need to manage attacks that bypass the first line of defense.

A Dynamic and Overwhelming MSSP Environment

As MSSPs strive to remain competitive and profitable, during this shifting landscape, they are faced with many challenges. This includes managing tens of thousands of events per day – sometimes more – and serving anywhere between dozens of customers, to thousands for the large MSSPs. Their technology stack is growing and complicating, integrating multiple security vendors and technologies. And while MSSPs are tasked to protect a converged attack surface of IT, OT and IoT, technology vendors only provide point solutions protecting each segment of the attack surface separately – forcing MSSPs to integrate multiple technologies to cover the entire attack surface. Furthermore, MSSPs offering threat hunting managed SOC or MDR and required to integrate standalone technologies for detection and for incident response; e.g. EDR, SIEM and SOAR. Their only alternative is to build their own technology, as many of them eventually choose to do, which may introduce integration and maintenance challenges. MSSPs are also battling a shortage of resources of their own. Just like their customers, MSSPs are severely impacted by the shortfall in information security professionals. MSSPs find it difficult not only to recruit skilled analysts but to retain them. This difficult environment limits their ability to scale, reduces the quality of service and reduces margins.

Three Ways for MSSPs to Win in the New Reality

MSSPs must change their mindsets to remain competitive. They should acknowledge that hiring talent is no longer an option and they must find a way to do more with less. This is achieved by increasing the impact of their managed SOC, making their staff more efficient, simplifying operations, reducing skill level barriers, and freeing experienced, tier 2 and 3 analysts, to focus on critical incidents. Let's explore three different ways MSSPs can start doing more with less.

1.      Eliminate the Fragmented Technology Stack

MSSPs have started to avoid a fragmented technology stack. We are seeing more MSSPs developing technologies solutions in-house.  Working with a single vendor who can provide more of the technology stack in an integrated way that also helps MSSPs manage the consolidated attack surface more effectively.

In addition, MSSPs should aim to integrate in two different dimensions. First, the technology stack should aim to cover the entire NIST incident response life cycle, from incident preparation through post-incident. Ideally this solution will manage the entire incident lifecycle in a single screen. Also, the solution should be integrated across IT, OT (ICS/SCADA) and IoT networks and devices. A segmented approach to IT an OT may result in a lack of visibility across the entire attack surface, reduces the ability to detect IT to OT attacks, and limits MSSPs in responding to incidents at scale.

2.      Set up incident response operations for end-to-end automation and orchestration

One way that MSSPs can prepare for this challenging landscape is by automating and orchestrating incident response. Here are a few ways in which this approach can be implemented across the entire “production floor”:

  • Automatically prioritize incidents according to their business priority and SLA requirements to maintain quality of service and to ensure that critical incidents are never left unattended.
  • Consolidating signals from multiple sensors using a single solution.
  • Enforcing best practices and playbooks across the entire customer base, and across the entire analyst team.
  • Accelerating the dissemination of data to the entire customer base and analysts – to automatically gain insights across different customers (workflows, IOCs, attacks…)
  • Automating repetitive tasks such as collecting data, isolating workstations and alerting stakeholders to free analysts to recapture critical incidents. Doing this can shorten response time by up to 90 percent.
  • Increasing transparency and reduce client support calls by automatically generating situational awareness dashboards and reports for end-customers. Not only does this improve the quality of service, but it also reduces the number support calls allowing support reps to focus on priority tasks.

3.      Implement Effective Training Plans

A well-trained incident response team can easily do the work of two, however, they need to be trained properly in order to do so. Just like their enterprise customers, MSSPs must ramp up their training plan and seek for more effective ways to do it.

Hands-on training can enable MSSPs incident responders to experience and familiarize with the actual tools they will use – an approach that has been shown to be more effective than tabletop or classroom training. The result will be a team that can dramatically reduce the response time and will perform much more effectively to prevent a breach.

Summary

MSSPs should shift their operational mindset to increase the impact of their current team, instead of putting a focus on expanding their current team. With this approach, they can scale their operation, support more customers, and grow business – while maintaining quality of service and increasing margins. This new operational approach can be enabled by automating and orchestrating security detection and response playbooks workflows.

I am confident that within a few years, this approach will prove value and success – and ultimately evolve into the industry standard for MSSPs. As always, early adaptors are more likely to be the ones that will differentiate, gain the market share and grow their footprint in this competitive arena.