Managed Security Service Providers (MSSPs) perform a critical role for businesses without the resources or competency to handle their cybersecurity in-house. Some of the key reasons businesses turn to them are to cope with the difficulty of obtaining and retaining skilled personnel, to cover specific IT skills gaps, or to help contain the spiralling complexity and costs associated with cybersecurity operations and maintenance.
Even those with an in-house Security Operations Center (SOC) will use MSSPs to handle some of their most time-consuming and complex tasks. There is only a short window of opportunity to triage and remediate, so the focus now is on emerging threats and threat hunting to root out issues. This, coupled with constraints on analysts' time, skills gaps and technology gaps, is now driving outsourcing. So it makes sense that MSSPs will be in even higher demand as the skills crisis begins to bite.
According to the World Economic Forum Global Cybersecurity Outlook 2023, organisations are now competing for talent from the same small pool, and as the skills gap grows, recruiting will become even harder. There are currently 4.7 million people working in the cybersecurity sector globally, but there are also half as many vacancies, at 3.4 million, according to the (ISC)² 2022 Cybersecurity Workforce Study, which found that the workforce gap is growing more than twice as fast as the workforce itself and grew 26.2% over the course of that year.
An opportunity for the MSSP
As that gap widens, demand for outsourcing grows, particularly as the hard-to-fill roles are inevitably those requiring the most experience. The Cyber Security Skills in the UK Labour Market 2023 report reveals that over a third of vacancies are deemed hard to fill because candidates lack technical skills or knowledge, and that such roles typically require between three and five years' experience. This means it will be a considerable number of years before the new intake into the profession gets up to the required speed, resulting in more businesses looking for outside expertise.
MSSPs, however, are not immune to the talent deficit. They too are finding they have staffing issues, yet they clearly need to ramp up their capabilities to meet this increase in demand. The only way they can do that is by embracing automation and orchestration. Using technology they can achieve economies of scale and become more efficient, but dilemmas remain. Should MSSPs use technologies like Security Orchestration, Automation and Response (SOAR) to replace analysts and fully automate? Or should they use SOAR technology to augment analyst expertise and make it much easier for them to handle event data from hundreds of different customers?
Augment don’t replace
The results of a recent survey of MSSPs across the EU and the US provide some interesting insights into the strategies they are pursuing. It turns out that the majority are looking for solutions that augment rather than replace the analyst. The consensus is that automation speeds up processes and alleviates analyst workloads, but automating incident detection and response (IDR) in a single company is very different from automating processes for hundreds of customers.
As a result, the MSSPs questioned in the survey said they tended to use SOAR for data consolidation, enrichment and normalisation, but not for automated response, because the best form of response will differ company by company according to its size, the nature of its work and so on. Consequently, many customers rely on the expertise of the analyst to determine the response needed, and so we haven't yet seen full automation in the MSSP space.
What this illustrates is that there is still a gap between what MSSPs need and what is available to them. For example, when an analyst wants to create a specific detection rule, they want it to be available to the entire customer base. If they must manage each SIEM one by one, it becomes almost impossible to roll out that use case within the timeframe of the SLA.
Write once, deploy to many
Being able to centrally manage that deployment, creating a rule once and automatically populating all SIEMs, can make a massive difference to the MSSP. Similarly, leveraging a single SOAR platform would allow analysts to work on event data from all clients at the same time, improving the quality of threat intelligence while allowing a unified set of rules and playbooks to be applied across all MSSP customers.
But for MSSPs to truly provide this capability as a robust service, they need tech-savvy analysts who can wield the SIEM effectively to take swift defensive or decisive remedial action. The form of response may be automated or, as is rapidly becoming more common, could involve orchestration to target multiple systems.
Today, the main focus for MSSPs is keeping the price point low to attract custom, but if we do see the expected leap in demand for their services, this could provide them with the impetus and justification needed to invest in such automated technologies. The survey found, for instance, that it was widely agreed that SOAR and UEBA platforms will create opportunities to build new revenue streams, and that automation and orchestration will be needed to fill the widening gap between what needs to be done and the resources available to do it.
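The "write once, deploy to many" model above, combined with the survey finding that SOAR is used for normalisation but not automated response, is illustrated by this added example (not code from the article or any product): a single detection rule runs over normalised events from several tenants, each tenant's thresholds and allowlists are parameters rather than separate rules, and the output carries a suggested response for the analyst instead of executing one. The event schema, tenant names and parameters are constructed for the example.

```python
"""Added example: one detection rule fanned out across MSSP tenants.

Assumes a simple normalised event schema (tenant, user, src_ip, action);
tenant parameters and events below are constructed, not real data."""
from collections import defaultdict

# Constructed per-tenant parameters: the rule is written once, only the
# thresholds, allowlists and suggested response vary per customer.
TENANTS = {
    "acme":   {"max_failures": 5, "allowlist": {"svc-backup"},
               "suggested_response": "disable account"},
    "globex": {"max_failures": 3, "allowlist": set(),
               "suggested_response": "notify customer SOC"},
}

# Constructed normalised events, as a SOAR platform would hand them over.
def _ev(tenant, user, ip, action="login_failure"):
    return {"tenant": tenant, "user": user, "src_ip": ip, "action": action}

EVENTS = (
    [_ev("acme", "alice", "10.0.0.5")] * 5          # hits acme threshold
    + [_ev("acme", "svc-backup", "10.0.0.7")] * 6   # allowlisted for acme
    + [_ev("globex", "bob", "10.0.0.9")] * 3        # hits globex threshold
    + [_ev("globex", "carol", "10.0.0.9")] * 2      # below globex threshold
    + [_ev("acme", "alice", "10.0.0.5", "login_success")]
)

def brute_force_rule(events, tenant, params):
    """Shared detection logic: N login failures per (user, source IP)."""
    counts = defaultdict(int)
    for ev in events:
        if ev["tenant"] != tenant or ev["action"] != "login_failure":
            continue
        if ev["user"] in params["allowlist"]:
            continue
        counts[(ev["user"], ev["src_ip"])] += 1
    # Response is recorded for the analyst, never executed automatically.
    return [{"tenant": tenant, "user": u, "src_ip": ip, "count": n,
             "suggested_response": params["suggested_response"]}
            for (u, ip), n in counts.items() if n >= params["max_failures"]]

def deploy_to_all(events, tenants=TENANTS):
    """Fan the single rule out across every tenant with its own parameters."""
    alerts = []
    for tenant, params in tenants.items():
        alerts.extend(brute_force_rule(events, tenant, params))
    return alerts

if __name__ == "__main__":
    for alert in deploy_to_all(EVENTS):
        print(alert)
```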
A vision of the future
The market will continue to see a shift towards offering more proactive services. Thankfully, the days when the SIEM was a siloed tool, allowing attackers to exploit the gaps between technologies, have now gone. Now the priority is the speed of the attacker's intrusion; hence the emphasis on 'mean time to detect' and 'mean time to respond'. Solutions now focus much more on providing capabilities well above log prioritisation and the log feed.
When it comes to the SOC, higher-level operations require data to be ingested from many different environments in order to determine the nature of an evolving incident and the systems involved. The investigation can then use the detected pattern to root out all threats and continue to monitor the network. While these services are, in some senses, straightforward to build, they do require a systematic approach outlining the operating methodology, training, integrations, automations and orchestrations required, which then allows the digital service definition baseline to evolve. The most effective SOC services allow that experience and logic to be syndicated across the MSSP's client base.
Going forward, the survey found MSSPs want to be able to bundle multiple cybersecurity functions into a single service package that can be deployed on-premises, in the cloud, or in hybrid infrastructure. They want their security stack to integrate smoothly with itself and with a wide array of customer technologies so they can onboard, configure, and start delivering value to customers quickly. And they will prioritise solutions which converge new technologies such as SOAR and UEBA with existing SIEM platforms and make it easy to deliver a wide array of cybersecurity services under a predictable licensing structure.
But there are, of course, other technologies now coming to the fore that promise to further streamline operations. Generative Artificial Intelligence (AI), for example, is now being used in a cybersecurity context to collate and summarise data. It can generate summaries of investigations or provide recommendations from the breach reports output by SOAR, helping analysts make informed decisions more quickly.
There is no doubt that MSSPs have a core role to play in mitigating the skills shortage and that automated technologies will be central to that. But they need to move beyond automating the routine and look at how they can automate more complex asks like IRP. To do that, the cybersecurity sector needs to step up and provide them with the solutions needed to deliver on the promise of the technology. Only then will we begin to see the skills gap diminish.