As many married couples can attest, relationships are not always calm seas. A dedicated class of professionals, namely marriage counselors, has arisen to help calm the violent seas marriages have created. But what of the relationship between you and your managed security service provider (MSSP)?
Things started as all great relationships do, full of promise. You saw the value of bringing an MSSP on board. It was going to make your work life easier, and not only yours but your team's as well. Now they could be directed toward projects rather than continually putting out fires. Almost from the start, though, problems seemed to crop up; there was no honeymoon period. However, with contracts signed and budgets amended for the bright idea, you gave it some time. Now the relationship borders on abusive and your team is inundated with alerts, with no real end in sight.
There are no MSSP relationship counselors, at least not yet, but many business leaders have found themselves in a similar position. So, this article is here to provide a few warning signs that the relationship is on the rocks and it’s time to abandon ship.
Just getting to the point where an MSSP was found and a contract signed took a significant number of meetings, budget adjustments, and repeated stress syndrome being developed in the hands of those having to compile reports. Once done, the sense of relief was palpable. That was until you received a call from the MSSP regarding the onboarding. Now it’s months down the line and there is no end in sight, with meeting after meeting needing to be scheduled for yet another problem that has sprouted from the once-fertile ground that was a promised service.
Here are some factors that mean your MSSP may not be what you needed it to be:
- Onboarding takes longer than a week.
- There is a lack of documentation or a lack of willingness to share said documentation.
- No provisions for proof-of-concept devices to test the service before the bottom line is inked.
The reality is that there are providers that can deliver a turnkey solution that does not take the lifespan of most household pets to onboard. One of the issues with delayed onboarding is that no real benefit can be given to the one paying the subscription fees. But that is not the only value that disappears; the organization’s cybersecurity is fundamentally jeopardized.
Alerts fatiguing the Team
Many in similar positions have successfully cleared the first hurdle of onboarding. Success! But something is not right in the state of Denmark, as Hamlet would say. Your morning email routine has been invaded by alerts, sometimes close to a hundred in the space of time you were away from your desk. Has a breach occurred? Which of the alerts is the fabled needle in a haystack? A feeling of dread fills the pit of your stomach as the truth hits home: any one of them can be the needle. What’s worse, this is now the daily scenario.
Ideally, alerts should be sent to the customer only when they are deemed significant: either a threat, or behavior that might point to a threat emerging on the horizon. The MSSP needs to be able to detect worrying trends before they turn into a nightmare, which means that it needs to track events over extended periods.
A bad MSSP partner will:
- Flood you and your team with alerts, sometimes in the hundreds depending on the organization’s size, daily.
- Provide no extra information, such as threat severity, along with the alert.
- Supply infographics and other visual tools that are next to useless in conveying vital information.
Now, you and your team spend far more time than ever imagined reacting to alerts. All the other projects you’ve had in mind are delayed or canceled. You are now thinking of hiring staff just to manage the managed security service provider. Your team is in essence fighting fires rather than developing strategies to supplement the existing security resources.
More Staff, no reduction in Problems
The tsunami of alerts, a vast number of which prove to be false positives, has every member of your team analyzing what in essence should have been analyzed before you were alerted. You have two options: hire staff to manage the alerts and other issues that come up with the MSSP, or break up with the MSSP. Breakups can be messy affairs, as personal and business relationships can attest. You go with option one, but place the MSSP on notice, making sure an eye is kept on them.
Option one is by no means easier; finding the right staff is a problem faced by both you and your MSSP. Some managed providers go one step further and offer specialized staff to get the managed product managed, at an extra and substantial fee. No matter which option is chosen, there are extra costs to be considered, let alone the vast number of other variables. This was not the reason you brought an MSSP on board. Rather than a decrease in security-related issues, you have experienced an increase.
Unfortunately, you have traveled down the rapids with the chosen MSSP and it has only been your effort that prevented the raft from capsizing. A good warning sign that this may be an organization’s future is the inability of the service provider to incorporate previous use cases the organization has experienced. This will inevitably mean a future of further hires and purchases of additional tech packages to try to correct MSSP deficiencies.
Your Team is Detecting Threats before the MSSP
If there was ever a red flag warning of an MSSP not worth its salt, it’s your team detecting breaches and compromises before an alert is received from the MSSP. Questions as to why you are paying for a service that you seem to be doing better yourself need to be answered. This is no longer an argument about who does the dishes, with marital bliss long since given up on. Now this is a matter causing an irreconcilable difference in the relationship.
On the side of the MSSP, this can happen for several reasons. Junior analysts working night shifts may lack the experience required to detect anything meaningful, let alone threatening. Their use of legacy logging or SIEM technology means that certain threats, particularly those leveraging modern or cloud technologies, cannot be detected. What these factors share is that it is often up to you to detect and remediate, or worse, the gap surfaces only when a penetration test is conducted and the testers manage to gain access to gigabytes’ worth of intellectual property.
If this is the case the relationship between you and the MSSP is doomed, and here’s why:
- The MSSP does not have nearly the same visibility into the network as you do, when it should have the same, or at least near enough to make no difference for security applications.
- They lack the relevant technology stack for modern threat detection and remediation.
- They have made mistakes regarding configuration management.
If one of those three bullet points is the case, now is the time for that divorce, no matter how messy.
Your MSSP cannot sync with new Tech invested in
The above four warning signs seem to happen in sequence, and the relationship deteriorates as a result. This one, however, is not bound by time or by the other four warnings. If, as soon as you incorporate new technology within the organization, your chosen MSSP cannot help maintain it, generate logs and other important data points from it, or remediate threats to it because they do not support it, and what’s more, they have a similar product that you should have bought instead, the air raid siren should be blaring loudly.
The right MSSP, and they do exist, unlike Prince Charming, should be able to configure their product to work with existing technology and with future technology when it is incorporated. Further, the list of “additional products” deemed vital by the MSSP that you need to fork out for should ideally be zero.
The year 2020 has shown that the uncertainty of life is a given and that wasted expenditure can be the one factor that cripples operations. When that wasted expenditure is related to necessary cybersecurity products, immediate action should be taken. If any of the above points ring true for you, it may be time to take immediate action and skip the counseling. Go instead with the MSSP that checks all the boxes.