FEATURE
every single device and workload
without the hassle or coverage gaps that
client-based EDR tools bring. That is not
to say EDR tools have no value; they
absolutely do, because of their unique
ability to inspect local processes. But
in terms of time to value and coverage,
NDR is the clear choice.
Other MSSP services can be procured, but
research firms such as Gartner, IDC and
Forrester estimate that the surge in threat
detection services will attract the majority
of investment. To anticipate the dynamics
and division of responsibilities between
you and your MSSP, it is advisable to
consider a few scenarios, each with its
own set of considerations, challenges
and advantages:
1) Build and operate your own SIEM solution
• Takes a long time to realise value for the organisation; normally 12 months or longer
• Difficult to find, attract and retain cybersecurity talent in the organisation
• Difficult to know which log sources to start with and which are most critical to robust security
• Very difficult to establish 24/7 coverage

2) Well- or poorly-managed MSSP relationship with SIEM as-a-Service
• Faster to realise value than building your own; can be up and running in six to 12 months
• Value reduces over time when the relationship is not properly managed
• The MSSP has some idea of which log sources are good for threat detection, but log analysis for threat detection is only as good as the logs you analyse
• Can have 24/7 coverage in the service

3) Well-managed MSSP relationship with a vendor
• Provides value to the customer within a month instead of the six to 12 months typical of SIEM as-a-Service
• Value increases over time when there is a mutually agreed plan and cadence for operations
• Can have 24/7 coverage in the service
• Integrates with existing investments such as SIEMs, EDR, firewalls and SOAR systems, accelerating and augmenting overall value
• Build out the service with EDR and SIEM as-a-Service over time to augment threat detection

Before I wrap up, a couple of notes of caution. There is no doubt that selecting an MSSP can be compelling, particularly in the current climate where businesses are under immense pressure to reduce overheads and slash budgets, but working with an MSSP does not absolve the organisation of all responsibility.

For one, while leveraging an MSSP enables you to outsource much of the heavy lifting of security operations, what you cannot outsource is organisational learning and contextual knowledge. These are two critical components of an effective cybersecurity defence. Many organisations, even large enterprises, are hybrid in their security operations, blending in-house specialists with outsourced operations. For example, a service provider can deliver continuous monitoring of endpoints and networks, quarantining of infected hosts and remediation, while the organisation maintains and operates its own defensive and access controls.

Second, you still need to do the basics first and do them well. This includes perimeter security (firewalls), access controls (MFA) and endpoint controls (AV/malware defences). Don't forget about users: they are your biggest attack surface and your first line of defence. So ensure you run regular security training with them and embed security into the business culture, rather than seeing it purely as an IT or 'technology' issue.

Finally, once you have made a decision on which MSSP to work with, always consider dedicating a project manager to oversee the implementation, no matter which area you start in. Also ensure you hold monthly operations meetings with your MSSP and quarterly business reviews. This will enable you to think strategically about how to build out a productive working relationship and to identify new areas of improvement in the service as well as in its overall value.
50 Issue 29 | www.intelligentciso.com