Your MSSP could be ripping you off – what to do about it

Other suitable titles I came up with:

  • How to get more out of your MSSP than 90% of everyone else
  • Questions you need to ask your MSSP if you actually care about improving security posture
  • How to win at MSSP’ing

Gob-smacking attention-grabbing questions to make you realise you’re in the right place:

  • What if the MSSP you are paying £££ is doing little more than being available 24/7?
  • What if the awards they are winning are because most of their focus is on marketing and publicity, meanwhile activity in the SOC itself is about as interesting as watching paint dry?
  • What if random people were invited into the SOC on publicity days, to make it look like the SOC was full of busy and important looking analysts?
  • What if these random people were given local admin accounts on those SOC PCs, whilst the employed analysts had to wait three months to get access to some systems? Surely not?

Welcome to a day in the life of an average MSSP.

Your next-gen-ground-breaking-security-horizon-machine-learning-Managed Security Service Provider (MSSP) could be doing the bare minimum. What do I mean by that? Of course, all MSSP’s have one main motivation, like any other business, to make profit. So, guess what happens when you on-board? They hook you up to all of their generic content rules which every other customer is using. Some of these may be rather clever, and perhaps can detect more than your current offering. But, don’t for one minute think that they are sufficiently tailoring their services towards you. MSSP’s offer a very much one-size-fits-all approach.

Yes, it may give you comfort that someone is monitoring your environment 24/7. But you can get so much more out of your MSSP. And for every day that you don’t extract this value, you are wasting the resources of an extra team of experts. Not only that, you are unknowingly making the MSSP worse – the analysts are likely becoming bored of the lack of interesting and new projects. Bored analysts will likely leave to find more exciting work.

This post isn’t an MSSP bashing post. It’s to give you a little glimpse of the reality of how (at least) some of them are managed and how to extract much more value from them.

Before we start, though, a little foreword: I am not an MSSP or Security Operations Centre (SOC) expert, I have not built or managed them.

My experience here is purely from the perspective of: working for an MSSP, working for a company who outsourced to an MSSP, networking with other SOC people and reading various material about MSSP’s.

Getting straight to the point, here are some points about MSSP’s and practical steps you can take to extract more out of yours:

  • The SIEM “rules” they have in place for your infrastructure are very likely “one size fits all”. Every organisation’s infrastructural architecture is different. So, sit down with your techies and come up with some ideas for tailored monitoring and indicators of compromise (IoC’s) for your environment (ideally based on, and prioritised by, your threat profile). Then, sit down with your MSSP and have it out. If you show an interest in tailoring the monitoring for your environment, they will match your interest and put out.
  • Analysts at the MSSP are basically your extended security team – utilise them. It amazes me how many customers don’t actively extract value from their MSSP. They are paying a premium to have a virtual 24/7 team of security experts by their side – use them. Trust me, you will be doing the analysts a favour.
    SOC work can be as boring as that time your wife dragged you around IKEA to “see what we can do with the spare room”. For instance, a customer with the same old vulnerability scan from the same old host against the same ports on the same destination PC at the same time of the same day every week? Yup. Did they ever inform us of this expected and authorised activity, or respond to our suggestion to whitelist that exact alert? Nope. Okay, that was an extreme example. But my point here is that the analysts are probably looking for something more exciting to do. So:
    • Seen a new malware strain, threat actor or vulnerability in the wild? Ask your MSSP to do some research to ascertain if you should be worried and if so, what they or you can do about it.
    • Tell them you had a pen test last week and for them to investigate what was identified.
    • Ask them why an account keeps getting locked out.  
    • Seen some new IoC’s in the wild? Send them on to your MSSP. They should be digesting logs from most of your IT environment and can scan for matches against the IoC’s.
    • Worried about some suspicious traffic you’ve observed? Tell your MSSP what you know and let them figure out the rest.
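As an added example (not from the original post), here is the kind of sweep the MSSP can run once you send them a batch of IoC’s: pull IPs, domains and file hashes out of the proxy, DNS and AV logs it already ingests and match them against the list. The IoC values and the log lines below are constructed sample data, not real indicators.

```python
"""Sweep constructed log lines for indicator-of-compromise (IoC) matches.

Added example: the IoC set and the log lines are constructed placeholders,
not real threat intel. The point is that a customer-supplied IoC list can be
matched mechanically against feeds the MSSP already has.
"""
import re
from collections import defaultdict

# Constructed IoC set (placeholder values, not real indicators).
IOCS = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-check.example.net"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.I)


def extract_observables(line):
    """Pull every IP, host name and SHA-256 out of one raw log line."""
    return {
        "ip": set(IP_RE.findall(line)),
        "domain": {d.lower() for d in DOMAIN_RE.findall(line)},
        "sha256": {h.lower() for h in SHA256_RE.findall(line)},
    }


def sweep(log_lines, iocs=IOCS):
    """Return a list of (line_no, ioc_type, value, line) hits, in log order."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        obs = extract_observables(line)
        for kind, values in iocs.items():
            for v in sorted(obs[kind] & values):
                hits.append((n, kind, v, line))
    return hits


def summarise(hits):
    """Count hits per indicator so the customer gets a digest, not raw lines."""
    counts = defaultdict(int)
    for _, kind, value, _ in hits:
        counts[(kind, value)] += 1
    return dict(counts)


# Constructed sample logs: proxy, DNS and AV events for the same workstation.
SAMPLE_LOGS = [
    "2024-03-01T09:12:03Z proxy src=10.0.4.21 dst=203.0.113.45 host=update-check.example.net method=GET status=200",
    "2024-03-01T09:12:05Z dns client=10.0.4.21 query=update-check.example.net answer=203.0.113.45",
    "2024-03-01T09:15:44Z av host=WS-0421 event=scan file=C:\\Users\\a\\Downloads\\inv.pdf.exe "
    "sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 action=quarantined",
    "2024-03-01T09:20:00Z proxy src=10.0.4.22 dst=93.184.216.34 host=example.com method=GET status=200",
]

if __name__ == "__main__":
    for n, kind, value, line in sweep(SAMPLE_LOGS):
        print(f"line {n}: {kind} {value} <- {line}")
    print(summarise(sweep(SAMPLE_LOGS)))
```

The regexes are deliberately loose (a file name like `inv.pdf.exe` is extracted as a “domain”), which is fine because only exact matches against the IoC set are reported; what matters is that the sweep covers the proxy, DNS and AV feeds together, so a single workstation’s chain of events surfaces in one digest.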
  • When your MSSP escalates an alert – give them feedback. As an analyst, one of the biggest frustrations can be a lack of feedback from the customer. Analysts are often quite blind when it comes to the customer environment. Hell, often they don’t even know what happens to that escalation they spent time investigating and escalating to you. If you could even just respond with whether it was a true or false positive, it would help them next time and therefore help the accuracy of their investigations on your environment.

    I’ll go a step further. If an analyst knows a customer pays attention to the alerts and not only acknowledges them, but actually gives useful feedback. Well, all I can say is for an analyst it is the daytime equivalent of a wet dream. They will give your alerts more attention. They will investigate harder and deeper. They will take more time.  

    This works because it’s rare that customers have a great deal of care. Maybe they took an MSSP offering because they didn’t have the expertise in house or have the budget to do it themselves. Maybe they don’t even understand what information security is. All of these factors increase the likelihood that the customer won’t give feedback. So, be that organisation that does. It will create a snowball effect whereby you are simultaneously improving your security posture internally and the value your MSSP can add. Everybody wins here.
  • DO NOT tell your MSSP when you are penetration testing or red teaming. The number of times I saw customers advising that testing was happening so that the SOC could “suppress alerts”. I’m sorry (not sorry) but, any remotely clever security person would see this as a perfect opportunity to test the very reason you are paying an MSSP in the first place. Have the testers record every action they take and, after the testing, assess line by line which actions were prevented, detected or responded to. This is a great opportunity for continuous improvement. You will likely discover logs and infrastructure which aren’t being monitored, alerts which aren’t turned on, or the need for new alerts based on your environment. LEVERAGE EVERY DROP OF THIS OPPORTUNITY.
  • Push for regular reviews with your MSSP, and ATTEND THEM. There can be a lot of benefits from just turning up to these meetings and hearing your MSSP out. They should be giving you metrics on your environment and making suggestions off the back of them. For example, they should at least be telling you what types of activity they have seen the most of, whether it is abnormal (assuming they know what normal looks like for you), what were the most hit rules/devices, what percentage of all alerts were false positives, and if any of them can be tuned or whitelisted, etc.
    If they aren’t providing this, ask them for it as well as anything else you would like to learn or tune. Visibility is key.
  • Give them access to your security things. If you have an AV console which contains the granular detail to ascertain whether an alert is a true positive or not – have you considered giving the MSSP access to it? Imagine if, instead of them escalating any uncertainty to you to investigate, they could log in and investigate it themselves? Well, it’s possible. You probably already did your security due diligence, got NDA’s signed etc. Ideally, your IT or Security team would be focusing more on proactive activities rather than reactive ones, so shift whatever you can over to your virtual SOC to handle and free up the time of your team.
  • Pick up the phone. Having a (better) relationship with your MSSP can only do good things. My most exciting days as an analyst were those where I spoke directly with the customers in trying to meet a shared objective, coming up with ideas, giving recommendations and understanding their mindset and approach. Endless email communication is mundane and makes it difficult to build a relationship.
  • Test your MSSP! Earlier we touched on the fact you shouldn’t inform them in advance of any type of testing. Well, not all organisations have such testing often enough. You wouldn’t deploy a customer facing web application without testing it for functionality and security, would you? You wouldn’t buy a car without first test driving it, would you? You probably test your DR solution every once in a while. So why is an MSSP any different? Test that shit. If you have a pleasant budget, get a red team exercise arranged to test one of your organisation’s key threat scenarios. A red team exercise is the next best thing to a genuine data breach scenario. Ensure the testers are quiet at first, and become more and more noisy/obvious as time goes on until something is detected.

    See how the MSSP respond. Do they just send you an alert? Or do they jump on the phone to you? What recommendations do they give you to respond to the threat? How long did it take them to detect the first signs? How long did it take them from the tester performing the action, to the MSSP informing you? What did they miss? What were they good at?
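The line-by-line assessment from the “DO NOT tell your MSSP” point and the timing questions just above come down to one reconciliation: the testers’ own action log against the MSSP’s escalations. As an added example (not part of the original post), the script below does that with constructed data for both sides. The matching rule (same host, alert within an assumed one-hour window of the action) is an assumption; tune the window to how noisy the testers were being.

```python
"""Reconcile a red-team action log against MSSP escalations (added example).

Both data sets are constructed: what the testers recorded themselves doing,
and what the MSSP escalated. Each action is labelled prevented, detected or
missed, and detection and notification latency are worked out per action.
"""
from datetime import datetime, timedelta
from statistics import median


def ts(s):
    return datetime.fromisoformat(s)


# Constructed tester action log. "blocked" is the testers' own note that a
# control stopped the step (they normally know when that happens).
TESTER_ACTIONS = [
    {"id": "T1", "time": ts("2024-03-04T02:10:00"), "host": "WS-0311", "action": "phishing payload executed", "blocked": False},
    {"id": "T2", "time": ts("2024-03-04T02:25:00"), "host": "WS-0311", "action": "credential dump attempt", "blocked": True},
    {"id": "T3", "time": ts("2024-03-04T03:05:00"), "host": "SRV-FS01", "action": "lateral movement via SMB", "blocked": False},
    {"id": "T4", "time": ts("2024-03-04T04:40:00"), "host": "SRV-FS01", "action": "bulk file staging", "blocked": False},
    {"id": "T5", "time": ts("2024-03-04T05:10:00"), "host": "SRV-FS01", "action": "data exfil over HTTPS", "blocked": False},
]

# Constructed MSSP escalations: host named, when the alert fired in the SIEM,
# and when the customer was actually told (email/phone).
MSSP_ESCALATIONS = [
    {"ref": "INC-1001", "host": "WS-0311", "alert_time": ts("2024-03-04T02:27:00"), "notified": ts("2024-03-04T02:50:00")},
    {"ref": "INC-1002", "host": "SRV-FS01", "alert_time": ts("2024-03-04T05:30:00"), "notified": ts("2024-03-04T06:45:00")},
]

# Assumed matching rule: an alert on the same host within this window of the
# action counts as detecting it. One escalation may cover several actions.
MATCH_WINDOW = timedelta(hours=1)


def reconcile(actions, escalations, window=MATCH_WINDOW):
    """Label each action prevented / detected / missed and attach latencies."""
    results = []
    for a in actions:
        if a["blocked"]:
            results.append({**a, "outcome": "prevented", "ref": None})
            continue
        match = None
        for e in escalations:
            delta = e["alert_time"] - a["time"]
            if e["host"] != a["host"] or not (timedelta(0) <= delta <= window):
                continue
            # Keep the earliest alert that follows the action.
            if match is None or delta < match["alert_time"] - a["time"]:
                match = e
        if match is None:
            results.append({**a, "outcome": "missed", "ref": None})
        else:
            results.append({**a, "outcome": "detected", "ref": match["ref"],
                            "time_to_detect": match["alert_time"] - a["time"],
                            "time_to_notify": match["notified"] - a["time"]})
    return results


def scorecard(results):
    """The numbers worth taking into the next MSSP review meeting."""
    detected = [r for r in results if r["outcome"] == "detected"]
    minutes = lambda key: [r[key].total_seconds() / 60 for r in detected]
    return {
        "prevented": sum(r["outcome"] == "prevented" for r in results),
        "detected": len(detected),
        "missed": sum(r["outcome"] == "missed" for r in results),
        "median_time_to_detect_min": median(minutes("time_to_detect")) if detected else None,
        "median_time_to_notify_min": median(minutes("time_to_notify")) if detected else None,
    }


if __name__ == "__main__":
    rows = reconcile(TESTER_ACTIONS, MSSP_ESCALATIONS)
    for r in rows:
        print(r["id"], r["outcome"], r["ref"], r.get("time_to_detect"), r.get("time_to_notify"))
    print(scorecard(rows))
```

With the constructed data, the SMB lateral movement (T3) comes out as missed even though the same host was eventually escalated, because the alert fired hours later for a different step; that is exactly the kind of gap (no monitoring of SMB logon activity on file servers) the review should pick apart. The gap between median time to detect and median time to notify is the MSSP’s own hand-off delay, separate from whether their rules work.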

Whilst we’re on the point, here’s a high-level checklist you can use to cross-check what feeds are being monitored in your environment:

  • Perimeter and network firewalls
  • Web proxy server
  • Perimeter and network IDS/IPS
  • Domain controllers
  • Honeypot logs
  • DNS servers
  • DHCP servers
  • Anti-virus
  • Endpoint logs
  • Wi-Fi
  • Any other funky “next-gen” security stuff you have

Now. These ain’t no exhaustive lists, but they are a starting point. So, get a move on.
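One practical way to use that checklist, as an added example that is not part of the original post: take the “last event seen” per source that your SIEM (or the MSSP) can export and flag every expected feed that is absent or has gone quiet for longer than it plausibly should. The feed names mirror the checklist; the tolerances and the last-seen timestamps below are constructed assumptions for the example.

```python
"""Check which expected log feeds are actually reaching the SIEM (added example).

The feed list mirrors the checklist in the post. The silence tolerances are
assumptions (a busy firewall should never be quiet for an hour, a honeypot
can legitimately be quiet for days) and the last-seen timestamps are
constructed sample data standing in for a real source inventory export.
"""
from datetime import datetime, timedelta

NOW = datetime.fromisoformat("2024-03-05T09:00:00")

# Expected feeds and how long each may go silent before that is suspicious.
EXPECTED_FEEDS = {
    "perimeter-firewall": timedelta(minutes=15),
    "web-proxy": timedelta(minutes=15),
    "network-ids": timedelta(hours=1),
    "domain-controllers": timedelta(minutes=15),
    "honeypot": timedelta(days=7),
    "dns": timedelta(minutes=30),
    "dhcp": timedelta(hours=2),
    "antivirus": timedelta(hours=6),
    "endpoint-logs": timedelta(hours=1),
    "wifi": timedelta(hours=1),
}

# Constructed source inventory: feed name -> timestamp of the last event seen.
LAST_SEEN = {
    "perimeter-firewall": datetime.fromisoformat("2024-03-05T08:58:10"),
    "web-proxy": datetime.fromisoformat("2024-03-05T08:59:00"),
    "network-ids": datetime.fromisoformat("2024-03-04T22:00:00"),  # silent for 11 hours
    "domain-controllers": datetime.fromisoformat("2024-03-05T08:55:00"),
    "honeypot": datetime.fromisoformat("2024-03-01T12:00:00"),
    "dns": datetime.fromisoformat("2024-03-05T08:45:00"),
    "antivirus": datetime.fromisoformat("2024-03-05T06:00:00"),
    "endpoint-logs": datetime.fromisoformat("2024-03-05T08:30:00"),
    # dhcp and wifi are absent entirely: never onboarded, or the forwarder died.
}


def feed_status(expected=EXPECTED_FEEDS, last_seen=LAST_SEEN, now=NOW):
    """Return feed -> 'ok' | 'stale' | 'missing'."""
    status = {}
    for feed, tolerance in expected.items():
        seen = last_seen.get(feed)
        if seen is None:
            status[feed] = "missing"
        elif now - seen > tolerance:
            status[feed] = "stale"
        else:
            status[feed] = "ok"
    return status


def gaps(expected=EXPECTED_FEEDS, last_seen=LAST_SEEN, now=NOW):
    """Only the feeds to raise with the MSSP, sorted for the review meeting."""
    return sorted((f, s) for f, s in feed_status(expected, last_seen, now).items() if s != "ok")


if __name__ == "__main__":
    for feed, state in gaps():
        print(f"{feed}: {state}")
```

A feed that is “missing” is a scoping conversation (was it ever in the contract?); a feed that is “stale” is an operational one (the source is contracted but nobody noticed it stopped sending), and the latter is the one a one-size-fits-all MSSP is least likely to catch for you unless you ask for this report.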

If you liked what you read (and actually did or will do something with it), please pay homage and share. If you got this far without throwing your laptop out the window, you’re welcome, subscribe to my future rants.
