Some things never grow old. In the world of security providers, there will always be a lack of professionals, time, and real-deal vendors, while you will always face an abundance of risks, complexity, and cost pressure. However, there are some less obvious challenges that impede the growth and scalability of your MSSP or MDR. Let’s dive straight away into some distressing day-to-day issues to solve them and bring your business to the next level.
Challenge 1. Log source coverage
We’re starting with one of the most complicated ones because no matter how long you’ve been in cybersecurity, you know that finding a balance is tricky. Where is the middle ground between broad coverage that keeps you on the safe side and huge data volumes paired with alert fatigue? This question is worth hours of discussion because each case is unique. However, there are universal recommendations that will hopefully stop your eye from twitching every time someone asks about the logging strategy.
Before you start doing anything, reframe the question from “What logs should I collect?” to “What do I collect this particular log for?”
Now, this is what you should take into account while selecting logs:
- Don’t try to cover all of the techniques. Instead, improve your knowledge of the kill chain to understand the attack vectors. You can start with the basics on MITRE ATT&CK and then polish your knowledge with the series of articles by Jose Luis Rodriguez on ATT&CK data sources.
- Remember that no attack comes down to a framework only. That’s why you should be flexible.
- Stay up-to-date with the new techniques by constantly checking the latest research and keeping an eye on the industry leaders.
- Always consider the business field and the region of your clients. Based on that, define the most common APTs and attack vectors.
- Rely only on current, reliable threat intelligence rather than stale historical data.
- Remember that visibility is critical not only before but also during and after a cybersecurity incident.
A solid foundation for your log source knowledge is the NIST Guide to Computer Security Log Management (SP 800-92). While NIST is still working on updating this guide, the institute released a memorandum for the heads of executive departments and agencies. The revisions are mainly driven by the evolving nature of recent attacks.
The next step, equally as important as log collection, is analyzing the logged events. We’ve already covered the tips for successful log analysis in a separate article.
Challenge 2. Variety of platforms
Being a security service provider creates a challenge of versatility. For the sake of clients’ satisfaction and a bigger target market, you should be capable of supporting various products and tools, including several SIEMs, EDRs, and XDRs. This creates a daunting management issue, requires an extra learning curve, and demands more specialists in your team.
To deliver and support a consistently high quality of service, the best way to go is to look for universal solutions. In the case of cybersecurity, the first thing you should integrate into your working procedures is Sigma. It is a common, platform-neutral detection language: you write one generic rule and then convert it into queries for the various SIEM, EDR, and XDR platforms you support. If you are new to Sigma, check the following materials:
- SigmaHQ GitHub repository
- A cheat sheet on the basics of detection engineering with Sigma by Josh Brower and Chris Sanders
- Anatomy of a Sigma rule by Thomas Roccia
- The pySigma GitHub repository launched by Thomas Patzke and Florian Roth. pySigma is a Python library for parsing Sigma rules and converting them into platform-specific queries.
- A guide to Sigma rules for beginners
Another tip is opting for trusted vendors that can cover several needs with one solution. However, avoid one-size-fits-all products because the broader the offer is, the harder it is to keep it deep enough. Check how LTI solved the challenge of managing multiple SIEM and EDR solutions by leveraging SOC Prime’s platform.
Challenge 3. Newly emerging threats
The threat landscape is changing at an increasingly high speed, which leaves us with the only option of constantly improving the detection and response methods. Every business finds its own answer to this challenge. Some go hard on new software, while others employ new specialists. But is it really effective? Such measures will grow the cost but not necessarily bring the desired results. What is the most appropriate approach?
These are the recommendations that can significantly strengthen your security posture in the face of the forever-changing threat landscape:
- Opt for behavior-based detections instead of IOC-based rules. Behavior-based detection rules simply last longer because they look for the patterns that adversaries reuse across campaigns, while IOC-based detections are best used retroactively to check historical data and find out whether you were attacked before. Just remember that a simple query written to identify unusual rundll32 activity will serve you much longer than a detection based on the hashes or domains from a single IOC report.
- Integrate/polish your Threat Hunting procedures. Although many businesses avoid Threat Hunting or perform it in a very basic manner, it is a great solution to improve your proactive cyber defense.
- Stay aware of new threats, attack vectors, techniques, threat actors, etc. Always be on track with new reports, learn, and try to follow the industry leaders and experts. It can certainly save you from a big chunk of unpleasant surprises.
- Use collaborative cyber defense to your advantage. There are different open-source projects that can be highly beneficial for your business. Try starting with the GitHub repositories, such as LOLBAS, ELF Parser, YARA, regexploit, lynis, etc.
- Search for detection rules in the Cyber Threat Search Engine. It is a great way to find detections, threat context, binaries, and corresponding Red Canary simulations.
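The following added example (written for this article, not code from SOC Prime or the Sigma project) illustrates both the Sigma structure from Challenge 2 and the behavior-versus-IOC point above: a minimal evaluator for a Sigma-style detection section (selections, `contains`/`startswith`/`endswith` modifiers, and an `and`/`or`/`not` condition) runs a behavior-based rundll32 rule and an IOC-based hash rule over three constructed Sysmon-style process-creation events. The rule contents, field names, events and hash values are all constructed for the illustration; real conversion to platform queries is what pySigma does and is not reproduced here.

```python
import ast

# Constructed Sigma-style rules (Python dicts standing in for the YAML). The behaviour
# rule flags rundll32 started with no DLL argument, or launched by an Office application.
BEHAVIOR_RULE = {"detection": {
    "selection": {"Image|endswith": "\\rundll32.exe"},
    "no_args": {"CommandLine|endswith": ["rundll32.exe", 'rundll32.exe"']},
    "office_parent": {"ParentImage|endswith": ["\\winword.exe", "\\excel.exe"]},
    "condition": "selection and (no_args or office_parent)"}}
IOC_RULE = {"detection": {  # IOC rule: one known sample only (constructed placeholder hash)
    "selection": {"Hashes|contains": "SHA256=CONSTRUCTED-HASH-0001"},
    "condition": "selection"}}

def _match(value, modifier, pattern):
    # Sigma string matching is case-insensitive; only three modifiers are supported here.
    v, p = str(value).lower(), str(pattern).lower()
    return {"contains": p in v, "startswith": v.startswith(p),
            "endswith": v.endswith(p)}.get(modifier, v == p)

def _selection_hit(selection, event):
    # Keys inside one selection are AND-ed; a list of values for a key is OR-ed.
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        values = patterns if isinstance(patterns, list) else [patterns]
        if field not in event or not any(_match(event[field], modifier, p) for p in values):
            return False
    return True

def _condition(node, hits):
    # Walk the condition as an AST (and/or/not/names only) so rule text is never exec'd.
    if isinstance(node, ast.BoolOp):
        vals = [_condition(v, hits) for v in node.values]
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _condition(node.operand, hits)
    if isinstance(node, ast.Name):
        return hits[node.id]
    raise ValueError("unsupported condition syntax")

def rule_matches(rule, event):
    det = rule["detection"]
    hits = {n: _selection_hit(s, event) for n, s in det.items() if n != "condition"}
    return _condition(ast.parse(det["condition"], mode="eval").body, hits)

# Constructed Sysmon-style process-creation events. Event 3 is a "new variant": same
# behaviour as the known sample in event 2, but a different file hash.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL", "Hashes": "SHA256=BENIGN-0000"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "rundll32.exe", "Hashes": "SHA256=CONSTRUCTED-HASH-0001"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "CommandLine": "rundll32.exe C:\\Users\\Public\\loader.dll,Start", "Hashes": "SHA256=CONSTRUCTED-HASH-0002"},
]

def match_counts():
    # Events flagged by each rule: the behaviour rule catches the variant, the IOC rule does not.
    return {name: sum(rule_matches(r, e) for e in EVENTS)
            for name, r in (("behavior", BEHAVIOR_RULE), ("ioc", IOC_RULE))}
```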
Challenge 4. Timing
While we might argue what the most valuable asset is, everyone would agree that time is priceless. Not being able to detect threats timely can result not only in financial losses but also in data loss, compliance issues, and reputational risks. Of course, when speaking of cybersecurity, nothing and no one can give you a 100% guarantee, but being consistent and strategic will do more than you think.
Timely detection often comes down to the factors we’ve already mentioned: kill chain knowledge, wise log collection and analysis, Threat Hunting integration, and staying up-to-date on newly-emerging threats. However, an additional step for boosting the speed of service delivery is automating the recurring processes where possible. But what automation is the most efficient for MSSPs and MDRs in particular?
To free up more time and resources for business-critical activities, try automating the following procedures:
- Scanning and monitoring. Usually, these processes are easy to automate because they don’t require much human attention.
- Data enrichment tasks. Most of the data-related tasks at the initial level might be automated because human attention is much more useful afterward.
- Basic sorting and analysis. Before you pass the raw data to your analyst, you can easily automate the process of sorting and simple analysis, at least for the most typical cases.
- Low-level incident response. Incident response varies a lot from case to case. However, some of the basics can be easily automated.
- Other ideas: automated pentesting, detection deployment, software updates, etc. This list can be modified and extended depending on your company policies and strategy.
The concept of Robotic Process Automation (RPA) is still argued to have several downsides, such as:
- Not all cybersecurity tasks can be automated. In fact, it is far from that.
- RPA bots can be hacked, resulting in operational disruption or sensitive data loss, for instance.
- You still require a knowledgeable specialist to set up the automation process and keep it going. So you can’t automate your processes and forget about them.
- As the threat landscape changes, you would also have to make several adjustments.
- Some businesses can’t apply automation because of their policies.
Challenge 5. Competition
Probably every business would claim that high competition is one of their challenges no matter what they do. However, each industry has its peculiarities, so the strategies to stand out from competitors would also vary dramatically.
As a security services provider, you can always come back to the following checklist to get back on track:
- Proof of expertise and quality. You can imagine that every single provider says they are the best. Be the one who can prove it, and let your reviews talk. If you do a great job, your satisfied customers will most certainly share their positive experiences. Sometimes you just have to ask.
- Choose your partners wisely. If you have a selection of reliable vendors, you won’t have trouble proving your services’ quality.
- Show your high value. Some businesses might start engaging in a rat race by lowering prices and acquiring more clients than they can manage. Try to go for quality over quantity, and you will see the miracles of word-of-mouth marketing.
- Prove your effectiveness with clear reporting. Remember that you are providing services to businesses, and nearly every decision company leaders make is based on ROI. Show that your services are critical by providing regular and explicit reports.
- Speed and efficacy. Cybersecurity makes every second count. So you should work on delivering quality results with the best timing possible. However, avoid giving unrealistic promises.
- Be different. Even though this niche is loaded with offers, look at how your competitors market themselves. Do they engage with the community? What are their main selling points? And how do they attract new customers? Those are only a few questions that might help you turn your strategy around.
Cybersecurity is a challenging industry, so there will always be challenges to overcome. But if you have a proper strategy, consistent approach, and high-quality vendors backing you, nothing is impossible for you. SOC Prime is a trusted partner of numerous MSSPs and MDRs. Check the effectiveness of the biggest threat detection marketplace by yourself for free.