As the threat landscape has evolved (e.g., increased number and size of DDoS attacks), MSSPs are being forced by the market to evolve their service offerings. It simply is no longer acceptable for an MSSP to manage perimeter firewalls, a couple of Internet-facing applications, and perhaps a couple of important internal systems (e.g., Active Directory domain controllers). Why not? Because such (effectively) stand alone ‘soda straw’ views do not provide the MSSP (nor the customer) with the context needed to be able to detect today’s sophisticated attacks. For example, with that hypothetical monitoring scenario, it would be extremely difficult to detect lateral movement, let alone a compromise of individual systems.
Using the Mitre ATT&CK ontology as a framework, it is readily apparent that to validate any of the eleven attack tactics, that multiple sources of ‘sensor’ data are needed, let alone multiple data elements from those sensors. That validation requires more sophisticated analytics than typically previously used. This need for more sophisticated analytics from more varied client data sensors / sources is also driven by changes in the client’s environment. For example, increasing adoption of more SaaS offerings has led to a growing challenge in acquiring, aggregating, and analyzing those SaaS logs. Growing adoption of PaaS and IaaS services has also often led to a growth in shadow IT as BUs circumvent the CIO. Growing adoption of microservices, containers, and IoT has led to an explosion (literally?) of an organization’s attack surface.
Another challenge that MSSPs are facing is a change in their customer base. According to Channel Futures, the growth in business for MSSPs is recently coming from SMBs. Smaller individual revenue streams from more customers means more complexity in data analysis and a greater diversity in the numbers and types of ‘sensors’ to analyze. Previously, MSSPs had concentrated on fewer, larger customers, but a shortage of security personnel and increasing concerns about cyber threats are forcing more SMBs to outsource increasing information security needs.
Expanded security use cases from this expanding customer base now requires better analytics tools too. There’s a theme here. What is not needed is not simply better anomaly detection. What is not needed is simply more (SIEM) correlations. What is needed is machine learning for better (more efficient), more (volume), and far faster (near real-time) machine learning led analysis of this growing analytical challenge for MSSPs, which are being forced into MD&R providers So MSSPs are themselves hunting for new tools - starting with improved detection.
You too should be hunting for new, better detection tools. Contact us to find out more.