SOC-as-a-Service
Todd Thiemann

Debunking Cybersecurity Myths: Part VI — The Dangers of Relying on a Managed Security Service Provider

Last time we cracked the myth about artificial intelligence and machine learning; now it’s time to tackle the subject of managed security service providers (MSSPs).

I hear frequent confusion at trade shows and in customer conversations around whether managed security services are the best fit for security operations. Managed security services have been around for more than 20 years, becoming ever-more prevalent as companies outsource management of infrastructure like firewalls, email gateways, and intrusion prevention systems (IPS). This has led to a misperception concerning what managed security service providers typically do for your security operations, including their abilities concerning managed detection and response (MDR).

Myth #6—A Managed Security Service Provider is the Best Fit for Security Operations

MSSPs typically have a menu of service options to maintain security infrastructure. Their focus is remote management of security devices. Their offerings are a mile wide and an inch deep in any particular area.

Monitoring Versus Managing

Effective MDR services require continuous monitoring, such as Arctic Wolf’s 24×7 monitoring services. MSSPs, however, focus on managing security devices (for example, SLA-based changes to firewall rules) and typically don’t provide 24×7 eyes-on-glass monitoring and threat hunting in your environment. For some MSSPs, 24×7 monitoring means network operations center (NOC) monitoring for networks, but NOCs are a different beast from security operations centers (SOCs) and security monitoring. MSSP management also typically covers an MSSP’s designated IT stack rather than your security infrastructure (antivirus, firewalls, and so on).

Detecting and Responding

MDR services reduce threat dwell time by accelerating how quickly analysts can detect a threat. That means enriching log data with threat intelligence, correlating events in a SIEM, and threat hunting in your environment to find the bad stuff. It also means providing a holistic view of your attack surface by ingesting events from on-premises and cloud sources, for instance software-as-a-service assets (Office 365, G Suite, Salesforce, and so forth) or infrastructure-as-a-service (AWS, Azure).

The R in MDR is critical. Response with a SOC-as-a-service provides full context and details to promptly respond to an incident, not a response along the lines of, “Your house is on fire. Good luck putting it out.” MDR services provide detailed information so you understand the significance of the threat and how to effectively stomp it out. MDR services reduce the demand on IT teams by evaluating threats and minimizing the noise, only bringing your IT team into the fray when significant threats need their attention.
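The two paragraphs above describe the detection side (enriching logs with threat intelligence and correlating on-premises and cloud events) and the response side (an alert that carries enough context to act on, with low-value noise filtered out). The following is an added example, not Arctic Wolf code and not any vendor's product logic: it enriches a handful of constructed firewall and cloud sign-in events against a constructed threat-intelligence list, correlates them by indicator across both sources, and escalates only the findings that meet a confidence or cross-source threshold. The feed entries, IP addresses, user names and threshold are all placeholders.

```python
"""Added example: threat-intel enrichment, cross-source correlation and
noise-reducing escalation over constructed sample events.
Not code from the original post or from any MDR/MSSP product."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed threat-intelligence feed: indicator -> context (placeholder values).
THREAT_INTEL = {
    "203.0.113.45": {"type": "ip", "tag": "known-c2", "confidence": 90},
    "198.51.100.7": {"type": "ip", "tag": "scanner", "confidence": 40},
}

# Constructed sample events: an on-premises firewall log and a cloud sign-in audit log.
FIREWALL_EVENTS = [
    {"src": "203.0.113.45", "dst": "10.0.0.12", "action": "allow", "user": None},
    {"src": "198.51.100.7", "dst": "10.0.0.5", "action": "deny", "user": None},
    {"src": "192.0.2.10", "dst": "10.0.0.12", "action": "allow", "user": None},
]
CLOUD_SIGNIN_EVENTS = [
    {"src": "203.0.113.45", "user": "alice@example.com", "result": "success"},
    {"src": "192.0.2.10", "user": "bob@example.com", "result": "failure"},
]


@dataclass
class Alert:
    """A contextualized finding ready to hand to an IT team."""
    indicator: str
    severity: str
    tag: str
    confidence: int
    sources: list = field(default_factory=list)
    users: set = field(default_factory=set)


def enrich(event: dict, source: str) -> dict:
    """Attach threat-intel context to an event whose source IP is a known indicator."""
    enriched = dict(event, source=source)
    enriched["intel"] = THREAT_INTEL.get(event["src"])
    return enriched


def correlate(events: list) -> dict:
    """Group enriched events by indicator so one finding carries every source that saw it."""
    by_indicator = defaultdict(list)
    for ev in events:
        if ev["intel"] is not None:
            by_indicator[ev["src"]].append(ev)
    return by_indicator


def triage(firewall_events: list, cloud_events: list, min_confidence: int = 60) -> list:
    """Enrich, correlate, and return only the findings worth escalating.

    A finding is escalated when the indicator is high-confidence or when the same
    indicator appears in both the on-premises and cloud sources; it is rated high
    only when both hold. Everything else stays as low-priority noise."""
    enriched = [enrich(e, "firewall") for e in firewall_events]
    enriched += [enrich(e, "cloud_signin") for e in cloud_events]
    alerts = []
    for indicator, evs in correlate(enriched).items():
        intel = evs[0]["intel"]
        sources = sorted({e["source"] for e in evs})
        users = {e["user"] for e in evs if e.get("user")}
        confident = intel["confidence"] >= min_confidence
        cross_source = len(sources) >= 2
        if not confident and not cross_source:
            continue  # keep it out of the IT team's queue
        severity = "high" if confident and cross_source else "medium"
        alerts.append(Alert(indicator, severity, intel["tag"],
                            intel["confidence"], sources, users))
    return alerts


def describe(alert: Alert) -> str:
    """Render the context a responder needs, rather than a bare 'something is wrong'."""
    users = ", ".join(sorted(alert.users)) or "none"
    return (f"[{alert.severity}] {alert.indicator} ({alert.tag}, confidence "
            f"{alert.confidence}) seen in {', '.join(alert.sources)}; "
            f"affected accounts: {users}")


if __name__ == "__main__":
    for a in triage(FIREWALL_EVENTS, CLOUD_SIGNIN_EVENTS):
        print(describe(a))
```

With the constructed input, only the command-and-control indicator reaches the queue: it is both high-confidence and seen by the firewall and the cloud sign-in log, so the alert names the affected account alongside the indicator. The low-confidence scanner hit seen only at the firewall is dropped, which is the noise reduction the text describes. Real pipelines replace the dictionary feed with a SIEM or threat-intel platform lookup, but the enrich, correlate, escalate shape is the same.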

Know the Difference Between MDR and MSSP

Security operations require sifting through the noise to find real threats without disrupting important initiatives and endeavors by enterprise IT staff. Enterprises that use an MSSP risk sifting through a lot of false positives. By contrast, MDR providers often deliver outcomes that enable enterprise IT staff to quickly remediate threats. To learn more about how MDR compares to MSSPs, download this white paper.