This post was originally published by Sam Tormey.
I spoke with security expert Steve Wood about daily life as a security analyst. He provided me with general advice for MSSPs who are getting started, perhaps with a technology provider like .
Steve has been in InfoSec for 16 years now and has worked all over the industry and in the Department of Defense. Steve said that dynamic MSSPs find great success with AlienVault’s Unified Security Management (USM) platform. Steve gave the analogy of USM as a high-performance race car. AlienVault sells the car; however, we don’t sell the race car driver or the team. Winning the race requires a dynamic team.
The simplicity of Steve’s response to a class of my questions about MSSP behavior impressed me. I asked how to respond to alarms, set up and staff SOCs, establish proactive policies and procedures, and more. Steve said that before an MSSP can know how to act, they first need to clearly establish what services they will offer and what agreements they will have with their clients.
For example, an MSSP may decide to only offer monitoring. In this case they would only need the staff and resources necessary to set up and maintain USM, and give a phone call to their clients whenever an alarm of an attack bubbles up.
However, if the MSSP decides they want to offer a more complete service, perhaps incident response and context around the incidence (NetFlow and packet capture), then the MSSP can focus on hiring the right personnel for that. So, decisions such as, what hours do we man the SOC, what types of skills do we hire, do we need someone on call, etc. become clear once the MSSP decides what they are going to offer their clients.
Steve also insisted that, “Security is not a technical problem, it is a human problem.” You should not focus on protecting your business against attack tools. For example, it is misguided to think that “Malware struck company X.” Instead, think, “A group of hackers used malware to strike company X”. It is much better to find out “what is their goal” and “why did they do it” rather than “how did they do it?” You should focus on protecting your business from teams of organized and focused criminal hackers who have a specific motivation to hack your business.
Steve used the contemporary example of China hacking paint companies in the US. China has had explosive urban development, so there is a large market for industry-grade paint intellectual property. Security teams that understand the human element beforehand are more prepared for this threat. So, if an MSSP decides they are going to work with unknown and serious threats, they will need someone on their team with analytical skills who understands human factors for their situation, perhaps a liberal arts major who understands Chinese culture.
Steve also talked about the difference between known and unknown threats. There are lots of tools, SOCs, antivirus, etc. to protect against known threats. These threats are typically known already because they have already successfully attacked another entity who reported it.
Steve worked for 4 years in a ‘Hunt’ SOC, where they sought out unknown threats. An unknown threat could be something that IDS misses or something previously unknown that slips past the firewall.
Our conversation turned to automation and compliance, and Steve’s complaint was that a lot of partners rely solely on automation and compliance. The problem, he says, is that these can only address known threats and these can lull partners into a false sense of security. Ultimately, only a security team can really protect against unknown threats. This team can either be in-house, or through an MSSP.
I also asked Steve about automation and procedures. Steve said the purpose of automation is to help with scaling. And the purpose of procedures is so you, the practitioner, “don’t get burned on the easy stuff”. Similar to everything else, procedures should be established once a MSSP has defined its offering and should be customized to the MSSP’s particular environment and team. Procedures are very important because without them, eventually things get unwieldy.
In conclusion, MSSPs who are just starting out should first decide exactly what services they are going to offer. They should also remember that a security team is what is really required for companies to have the best security posture. This is because only a team of security experts can bring a sophisticated vantage point of the intentions of hackers, an ability to detect unknown threats, and the required technical prowess to utilize security software, like USM.