Managed security services providers (MSSPs) have come a long way. Historically, many organizations have lacked the skills and people to build internal security teams, so early MSSPs focused on staff augmentation. But throwing bodies at the problem did not necessarily improve processes or effectiveness, and the results were often just expensive outsourcing.
Service providers have been increasingly embracing more advanced technologies that can triage and reduce alert fatigue, increase accuracy, and give smaller organizations access to complex automation solutions that they can’t manage themselves. We’ve seen this with a recent wave of managed detection and response (MDR) services, making advanced detection and response capabilities available to a wider market.
Threat intelligence promises to help enterprises get ahead of attacks, and proactively look around the corner – not just reflexively respond to alerts and incidents. But managing and making sense of threat intelligence has proven difficult for many security teams, especially smaller ones.
Industry analyst firm Gartner reports that few organizations today have an accurate picture of their own threat landscape. They say security and risk management leaders struggle to know what threats should constitute real concerns for their organizations.
Today, there’s no shortage of threat data available from open-source feeds, commercial providers, industry associations, and internal security processes. However, aggregating, correlating, and prioritizing this massive amount of data to create a “single source of truth” presents a much greater challenge. And ultimately, threat intelligence only works when it can communicate the relevant data to the right people, at the right time, so they can act upon it swiftly.
According to Tony Cook, senior director of digital forensics and incident response and threat intel at GuidePoint Security, managing threat intelligence can overwhelm small and medium-sized security teams. This typically requires expertise, and complex systems that are only practical for large enterprises with specialized threat intel analysts, Cook said.
Threat intelligence platforms (TIP) are available on the market that can automatically extract relevant indicators from threat feeds, perform enrichment to add contextual information, and integrate with existing security controls. But many security teams find them too expensive and complex to deploy. And conventional TIPs don’t easily integrate with other SOC orchestration, automation, and collaboration tools.
Here's an opportunity for service providers to help their customers manage threat intelligence, sift through the noise, and deliver concise, actionable threat alerts to their customers. With a shared resources model, MSSPs can make the investment in scalable TIP platforms, expert analysts, and effective collaboration tools to get the right intel to the right people – quickly, and automatically.
“By providing threat intelligence as a service, MSSPs can play an important role in helping organizations detect and mitigate emerging threats, vulnerabilities, and indicators of compromise that could impact their networks and systems,” Cook said. “By identifying potential threats and vulnerabilities before they are exploited, businesses can significantly reduce the likelihood of serious security incidents, and the associated financial and reputational damage.”
The industry-specific information sharing and analysis centers (ISACs) can also play an important role. A wide range of ISACs have emerged, covering financial services, healthcare, energy, automotive, aviation, maritime, education, and other industries. ISACs can help aggregate threat intelligence and other security data from multiple sources, and disseminate this information quickly, and accurately to their members, based on established threat level protocol (TLP) classifications. More advanced ISACs are also starting to implement bidirectional sharing – so their members can share back real-world intel for the benefit of the entire community.
This same hub-and-spoke intelligence sharing model has been implemented by other types of communities and service providers – in healthcare, manufacturing supply chains, and even major sports franchises. Many of these intel sharing communities are being built by MSSPs who find like-minded customers eager to receive proactive threat intelligence and benefit from a collective defense model.
“The goal of threat intelligence is to help organizations make better and faster decisions, based on timely, and contextual data,” said Cook. “By making this technology available to a wider market, MSSPs can help businesses strengthen cybersecurity, safeguard their assets, and enhance their overall resilience in the face of evolving cyber threats.”
Willy Leichter, vice president, Cyware
