Automated security operations for managed security service providers (MSSP)


While the security automation conversation generally focuses on enterprise and government Security Operations Centers (SOC), one of the largest groups that can benefit from automation is managed security service providers (MSSPs). MSSPs experience many of the same challenges that traditional SOCs do, including talent shortages, huge data volumes, data aggregation, case management, and reporting. But they face them at a scale that is hard to grasp unless you’ve worked in that environment.

Unlike an analyst in a typical SOC, a security analyst at an MSSP simultaneously supports multiple customers, each with their own security platform and runbook. This means that in a single shift, the analyst handles numerous alerts from a variety of tools, each of which must be resolved according to the individual customer’s Service Level Agreement (SLA). This level of complexity can have an analyst racking their brain: “Was it Customer A that I’m supposed to call in the middle of the night, or was it Customer A that hated that I called in the middle of the night?” The task switching, or in this case “customer switching,” that takes place can be extremely confusing for MSSP security analysts. This confusion creates an opportunity for significant human error, operational inefficiency and unforeseen delays. And the confusion is compounded by every additional process in the customers’ runbooks.
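One way to take that "do I call this customer at night?" decision out of the analyst's head is to encode each customer's runbook and SLA as data and let the routing logic consult it. This is an added example, not code from the original post or from Swimlane; the customer names, business hours, SLA values and contact addresses are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed per-customer runbooks (hypothetical customers, not real MSSP data).
# Each entry captures what an analyst would otherwise have to remember per customer:
# the SLA per severity, whether after-hours phone calls are permitted, and whom to contact.
RUNBOOKS = {
    "customer-a": {"sla_minutes": {"critical": 15, "high": 60, "medium": 240},
                   "after_hours_call": True, "contact": "soc@customer-a.example"},
    "customer-b": {"sla_minutes": {"critical": 30, "high": 120, "medium": 480},
                   "after_hours_call": False, "contact": "secops@customer-b.example"},
}


@dataclass
class Alert:
    customer: str
    severity: str
    received: datetime  # assumed already converted to the customer's local time


def is_after_hours(ts: datetime) -> bool:
    """Business hours are assumed to be 08:00-18:00, Monday to Friday."""
    return ts.weekday() >= 5 or not (8 <= ts.hour < 18)


def route_alert(alert: Alert) -> dict:
    """Return the action the customer's runbook dictates for this alert.

    The decision is driven by the runbook data, so a mistake in one customer's
    handling cannot leak into another customer's shift.
    """
    rb = RUNBOOKS.get(alert.customer)
    if rb is None:
        # Unknown customer: never guess a runbook, park the alert for a human.
        return {"action": "hold", "reason": "no runbook for customer"}
    sla = rb["sla_minutes"].get(alert.severity)
    if sla is None:
        return {"action": "hold", "reason": f"severity {alert.severity!r} not in runbook"}
    deadline = alert.received + timedelta(minutes=sla)
    after_hours = is_after_hours(alert.received)
    # Phone only for criticals, and only at night if the customer has opted in.
    if alert.severity == "critical" and (not after_hours or rb["after_hours_call"]):
        channel = "phone"
    else:
        channel = "ticket"
    return {"action": "notify", "channel": channel, "contact": rb["contact"],
            "deadline": deadline, "after_hours": after_hours}
```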

You think alert fatigue is bad at your organization? Imagine monitoring alarms for 20, 50, 100 or more unique customers. The combination of endpoints, network configurations and application security solutions, along with each customer’s own threat intelligence sources, correlation engines and analytics rules, is as overwhelming as it sounds. The volume of diverse event types and customer-specific hardware and software configurations can make resolving alerts in a timely manner challenging for even the best-run operations teams. This is one of the main drivers for MSSPs to consider more sophisticated case management, workflow and automation options.

When designing, building, and operating an MSSP service offering, the ability to standardize is extremely important. While security practitioners hate to be painted into a box, they also know that their competition is constantly innovating. Operational standardization is what allows an MSSP to be more innovative. This sounds like an oxymoron, but using technology to standardize and streamline the repetitive, high-volume, manual tasks that consume an operations team frees up time for more innovative and competitive projects. The process of streamlining, improving efficiency, and finding new detection methods accomplishes many of the goals a service provider cares about most. First, with automation they become more efficient and can support more customers and more use cases with potentially fewer people; from a business perspective, this means more profitability. Second, they capture institutional knowledge that will help as the MSSP inevitably deals with employee turnover. Captured institutional knowledge ensures that new hires do not start from square one and can ramp up faster.

The automation of MSSP activities is a win-win for MSSPs and their customers alike. MSSPs are able to manage more clients with lower operating costs while providing an improved level of service. MSSPs win, customers win and the world is a more secure place.
