With cybercrime rates and nation-state threats ever increasing, security operation centres (SOCs) often do not have the staff or skills in-house to effectively monitor and respond to threats. This is pertinent in the UK, where the chasm between employer demand and a ready supply of cyber security expertise is the second largest in the world, and especially acute at smaller enterprises that might not even have a SOC.
In light of this, it is becoming increasingly common for organisations to opt for either a completely or partially outsourced model, which often amounts to choosing between approaching managed security service providers (MSSPs) for help, or enlisting a managed detection and response (MDR) team. While both are interchangeably referred to as “Security-as-a-Service,” organisations need to be aware of the fact that the two models often function very differently. MSSPs offer outsourced security management of traditional preventive security technologies and alerting functions. MDR solutions focus on detecting and hunting for advanced threats that are designed to bypass traditional defences, and on eradicating those threats before they have an impact on your business.
MSSPs often claim that they can provide comparable services to MDR, but the two are in fact very different, which can sometimes lead to mismanaged expectations, and ultimately, disappointment. It is therefore crucial to understand the three fundamental ways in which the models diverge: technology, expertise and relationship.
1. Difference in technology
The key difference between MSSP and MDR is technological. While the former tends to prescribe a standard stack that they can manage remotely, the latter allows security teams access to high-level and tailored technologies they previously lacked. Therefore, organisations need to carefully consider the level of sophistication of their current security infrastructures before evaluating whether they need to outsource, and if so, what model to opt for.
Most MSSPs will provide services that can be described as security technology management, such as security event monitoring, basic threat detection, and alerting services. Rather than being a comprehensive aid to the security team, an MSSP is able to take on individual and cherry-picked aspects of security monitoring and management at the organisation’s discretion. While it is easy to see how this can make security operations slightly incoherent, it might be just what a certain company needs if they lack expertise in one specific area only.
For many smaller enterprises with limited security budgets, it is a bitter reality that they must invest in security infrastructures that provide just about the minimum level of security needed for the business to avoid falling prey to even quite basic threats, often while employing fewer security professionals than necessary. More comprehensive outsourcing of the incident detection and response process can then be the only way to adopt more sophisticated technologies without stretching security spending, and the working conditions of those security professionals, to breaking point.
As such, an MDR approach is fundamentally different from that of MSSPs in that it allows access to extremely sophisticated detection and response technologies and expertise. With MDR, an organisation can access a different grade of technology – and trust that it is being used to its full potential to monitor, detect and respond to threats by the industry professionals who understand it best. While an MSSP solution can help organisations maintain a basic level of security, if you are a mid-to-enterprise sized organisation, forensic tools are a must to hunt for and contain threats that may be lurking in the darkest depths of networks.
2. Difference in expertise
The level of expertise provided by an MSSP differs from that of an MDR service. Again, the size of the organisation and the sophistication of the internal SOC will determine what solution is best, with the choice being between a more reactive or proactive approach.
MSSPs typically offer less human security analyst support and often rely on Tier 1 SOC analysts due to the focus on perimeter protection and a more passive approach to detection. In comparison, an MDR service provides an entire team of experienced security professionals, forensic analysts, incident responders and threat hunters to proactively monitor and take action to maintain a secure network.
3. Difference in relationships
MSSP services can be significantly cheaper than MDR services, due to the different service level that they offer, as well as the fundamentally different workflow ownerships that come with each model.
While an MSSP will often simply forward alerts to a member of their client’s IT team – who then must try to determine if there is a real threat and how they should respond – an MDR team reports only verified information for action and even takes the action to remediate the situation if the partner tells them to do so. Rather than acting as relief by situationally providing the bare necessities of an endpoint and network security infrastructure, an MDR team can form a partnership with the organisation and become an extension or augmentation of the in-house security team.
Having an outsourced team on hand 24 hours a day to advise on remediation processes and issues, such as firewall blocks and DNS, ultimately helps the organisation evolve its security posture to keep up with the changing threat landscape, and to remain agile and effective in dealing with both the threats of today and those of tomorrow.
In the end, outsourcing parts of a SOC offers a cost-effective way to let security professionals focus on their day job, resting assured that anything untoward will be identified as quickly as possible after the point of compromise, whether by themselves or by the external team, along with suggested actions for remediation. While MSSP services often help certain organisations move closer to that reality, there is a consultative aspect to managed solutions that other organisations might depend on to ensure that they have a satisfactory security posture. As SOCs increasingly look to outsourcing as a way of mitigating the difficulties brought on by the continued pressure of the skills drought, it is paramount that they properly investigate the available solutions when choosing which model best fits their requirements.
Andrew Bushby, Lead, Fidelis Cybersecurity