20 years from now, MSSPs (or whatever it is they evolve into) are going to look back on this time as the “Good Old Days,” where the confluence of the breach epidemic, security skills shortage, and enterprise IT’s desire to migrate to OpEx models was driving clients to their doorsteps. They won’t be the Good Old Days for everyone, though. Only for those MSSPs that were able to establish a level of operational excellence that, for many, remains elusive today.
Let me explain. When enterprises seek to outsource security services, they are often looking to offload problems onto someone else. Incident response is perhaps the most prominent example of this – enterprise security teams don’t have the time or resources to effectively analyze Everest-sized piles of security alerts, so they offload this problem onto MSSPs.
This is a mixed blessing for MSSPs. On the one hand, business opportunities are plentiful. On the other, when clients offload their cost and complexity problems onto you, you’d better be able to achieve a level of operational excellence that inoculates you against those same problems. Otherwise, your clients’ ills will make you sick.
In a sector that has historically thrived on technology hype, the prevalent challenge for incident response teams today, ironically, is the rather boring operations game. They don’t need more overhyped technology; they need better strategy and processes (supported by technology) that enable them to tame the alert overload issue.
Historically, MSSPs and enterprises have taken similar approaches to this problem – hiring more analysts to process the ever-growing volume of alerts. Enterprises have determined this is not a sustainable model, hence their desire to offload alert analysis to MSSPs. MSSPs, in turn, need to find a way to turn this operations nightmare into a sustainable business process. Security orchestration technology can help to some extent, by decreasing the amount of time it takes analysts to investigate and process alerts. This still preserves all of the wasted motion involved with investigating false positives, though, so it is more a way to accelerate a broken process than it is to implement a good process.
The only way to truly fix the alert analysis process is to achieve the obvious – automating alert analysis in a way that makes it unnecessary for a human to ever touch a false positive. MSSPs that accomplish this will be the ones lucky enough to look back on these times as the Good Old Days. Those that don’t…not so much.