Friday, October 20th, 2023

Is Your SOC Falling Short? Maximize Your SOC’s Potential

In 2023, the threat landscape is increasingly evolving, with the average cost of a ransomware attack nearly $2 million. As organizations struggle to deal with this in house, they often turn to Managed Security Services Providers (MSSPs) to keep them secure and do the job better.

To maintain competitiveness as an organization, it’s essential to seamlessly incorporate and utilize new cutting-edge technology while ensuring your MSSP can effectively monitor and secure these innovations. They have to be the right fit for you.

Unfortunately, many MSSPs are unwilling or unable to support new products, often pushing their one-size-fits-all solutions, regardless of your actual needs. This situation can force you to adopt their products or figure out how to integrate new technology independently, potentially compromising your data and system security.

Here are the top five signs that indicate it may be time to break up with your current MSSP provider:

1. No Proactivity and Poor Communication

Are you constantly wanting more from your MSSP?

Having a service provider with world-class, around-the-clock security monitoring and alerting, incident response and remediation capabilities is crucial, but communication goes both ways. A great security partner should be reaching out to make sure that their services are meeting your needs. They should be providing you with important high-level alerts quickly and efficiently, keeping you up to date with what is happening in your network, and discussing any potential areas of risk that you should be aware of. Your MSSP should have a detailed strategy that includes your security goals and objectives. Often MSSPs spend so much time reacting to threats and tasks that proactivity suffers. It is your MSSP's job to inform you and to keep your best interests at the forefront of what they do.

Communication with your MSSP should be accessible and constant. They should schedule routine calls and make time for calls outside of scheduled meetings to discuss your needs and concerns. When it comes to reducing cyber risk, the most effective MSSPs are those that build strong relationships with their customers.

2. Poor Engineering Capabilities

There’s a perfect fit for every company, but when it becomes unclear what you’re getting and from whom, you can end up with the wrong fit.

A great MSSP offers a variety of services that can be tailored to meet your unique needs. That includes security engineering. Your MSSP must be able to communicate the health status of your log sources in a manner that suits you. One of the most important elements of having a security operations centre is ensuring that your security tools are properly tuned, that they are sending healthy logs to your SOC, and that you have visibility over your entire estate. That clear visibility is crucial for your organisation. Why? Because many cybercriminals employ sophisticated methods of lateral movement and disable security tools once they gain deeper access to your environment. An example of that is ZLoader, known for its defense evasion capabilities, such as disabling security and antivirus tools, and for selling access-as-a-service to other affiliate groups, such as ransomware operators.
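The log source health status mentioned above is something a SOC can check mechanically: a feed that has gone silent, or whose volume has collapsed, is exactly what a disabled agent or a broken forwarder looks like from the monitoring side. The script below is an added illustration of such a check; it is not Smarttech247's, VisionX's or any SIEM vendor's code, and the source inventory, tolerances and observed event counts are constructed sample data.

```python
"""Log source health check: flag SOC log feeds that have gone silent or whose
volume has collapsed. Added illustration, not Smarttech247's or VisionX's code.
The inventory and the observations below are constructed sample data."""
from datetime import datetime, timedelta, timezone

# Constructed inventory: for each feed, the longest gap tolerated before it is
# declared silent, and the events-per-hour baseline expected from it.
LOG_SOURCES = {
    "fw-edge-01": {"max_silence": timedelta(minutes=15), "baseline_eph": 12000},
    "dc-01":      {"max_silence": timedelta(minutes=30), "baseline_eph": 4000},
    "edr-tenant": {"max_silence": timedelta(minutes=10), "baseline_eph": 2500},
    "vpn-gw":     {"max_silence": timedelta(hours=1),    "baseline_eph": 300},
}

# Constructed observations for the last hour, as a SIEM would report per source.
OBSERVED = {
    "fw-edge-01": {"last_seen": "2023-10-20T09:58:00Z", "events_last_hour": 11800},
    "dc-01":      {"last_seen": "2023-10-20T08:05:00Z", "events_last_hour": 0},
    "edr-tenant": {"last_seen": "2023-10-20T09:59:00Z", "events_last_hour": 200},
    # "vpn-gw" is absent on purpose: it reported nothing in this window.
}


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_log_sources(inventory, observed, now, drop_ratio=0.5):
    """Return {source: [findings]} for every inventoried source that is unhealthy.

    A source is unhealthy when it is missing from the telemetry entirely, when
    its last event is older than its max_silence, or when its hourly volume has
    fallen below drop_ratio * baseline.
    """
    findings = {}
    for name, cfg in inventory.items():
        problems = []
        obs = observed.get(name)
        if obs is None:
            problems.append("no events received in window")
        else:
            gap = now - parse_ts(obs["last_seen"])
            if gap > cfg["max_silence"]:
                problems.append(f"silent for {int(gap.total_seconds() // 60)} min")
            if obs["events_last_hour"] < cfg["baseline_eph"] * drop_ratio:
                problems.append(
                    f"volume {obs['events_last_hour']} below "
                    f"{drop_ratio:.0%} of baseline {cfg['baseline_eph']}"
                )
        if problems:
            findings[name] = problems
    return findings


def health_summary(findings, inventory):
    """Coverage figure for the health report: share of inventoried sources healthy."""
    healthy = len(inventory) - len(findings)
    return {"healthy": healthy, "total": len(inventory),
            "coverage_pct": round(100 * healthy / len(inventory), 1)}


if __name__ == "__main__":
    now = parse_ts("2023-10-20T10:00:00Z")
    found = check_log_sources(LOG_SOURCES, OBSERVED, now)
    for src, probs in found.items():
        print(f"{src}: {'; '.join(probs)}")
    print(health_summary(found, LOG_SOURCES))
```

With the constructed data the check reports the domain controller as silent with zero volume, the EDR tenant as still talking but at a fraction of its baseline, and the VPN gateway as missing altogether; only the edge firewall is healthy, which is the kind of coverage figure a monthly assessment report should carry.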

3. Too many alerts and false positives

Organisations can become overwhelmed by the volume of alerts generated by their security provider, and an overwhelmed client can miss legitimate attacks against their network. Partnering with an MSSP should help you reduce alert overload and make the most of the information provided by the security solutions in place. More importantly, you should be getting answers to questions like "What happened? When did it happen? How did it happen? What's the risk? What should we do next?" Not only that, but your MSSP should give you strategic recommendations that reduce overall risk in your environment. This will enable you to maximise the impact of your security deployment and rapidly respond to legitimate cyber threats.

A high rate of false positives is another area of concern for many organisations that outsource their SOC to an MSSP. Let's face it: false positives waste your time and money. Recent research shows that almost 45% of the incidents that MSSPs send to their customers are false positives. The problem compounds when the MSSP does nothing about it. So, what should they do? Firstly, they need to give you transparency around what the false positive rate is. Then, they need to work on a plan to reduce that rate. That's done by creating and constantly reviewing security procedures, defining and regularly reviewing security rules, and tuning rules to environment-specific thresholds. An important element of reducing false positives is also applying context.
When SOC analysts are investigating offences within your environment, context is king. They should combine external threat intelligence with internal knowledge of your systems and data (critical assets, user behaviour, geo-location context, etc.) to correlate the events and investigate the legitimacy of the alerts. Once they have deemed events malicious, they should raise incident tickets. They should also seek feedback from you, which allows the analysts to determine whether the corresponding alerts should be reported in the future.
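The two points above, a measured false positive rate per rule and context applied to each alert before it is raised, can be shown together in code. The script below is an added example and is not Smarttech247's or any SIEM product's logic; the asset list, user baselines, threat intel feed, analyst feedback and alerts are all constructed, and the scoring weights are an assumption chosen for illustration rather than a recommended configuration.

```python
"""Context-aware alert triage plus per-rule false positive tracking.
Added example, not Smarttech247's code; all data below is constructed."""

# Constructed internal context an analyst brings to an alert.
CRITICAL_ASSETS = {"db-prod-01", "dc-01"}
# Countries each user normally signs in from (constructed baseline).
USER_HOME_COUNTRIES = {"alice": {"IE"}, "bob": {"IE", "GB"}, "svc-backup": {"IE"}}
# Constructed external threat intel: addresses a feed has marked malicious
# (203.0.113.0/24 is a documentation range, so this is never a real host).
BAD_IPS = {"203.0.113.7"}
# Constructed analyst feedback from closed tickets: rule -> (true positives, false positives).
FEEDBACK = {
    "impossible-travel": (2, 18),
    "admin-tool-exec": (9, 1),
    "new-outbound-dest": (1, 30),
}

# Constructed alerts as a SIEM might emit them.
ALERTS = [
    {"id": 1, "rule": "impossible-travel", "host": "wks-042", "user": "bob", "country": "GB"},
    {"id": 2, "rule": "admin-tool-exec", "host": "db-prod-01", "user": "svc-backup", "interactive": True},
    {"id": 3, "rule": "new-outbound-dest", "host": "wks-017", "remote_ip": "203.0.113.7"},
    {"id": 4, "rule": "impossible-travel", "host": "wks-099", "user": "alice", "country": "US"},
]


def false_positive_rate(feedback):
    """Per-rule FP rate: the transparency figure an MSSP should report to the customer."""
    return {rule: round(fp / (tp + fp), 2)
            for rule, (tp, fp) in feedback.items() if tp + fp}


def triage(alert, fp_rates, suppress_above=0.9):
    """Score one alert against internal and external context.

    Returns (priority, reasons). 'suppress' means the rule's history is
    overwhelmingly false positives and no context hit corroborates this alert.
    Weights are illustrative assumptions, not a recommended tuning.
    """
    score, reasons = 0, []
    if alert["host"] in CRITICAL_ASSETS:
        score += 3
        reasons.append("critical asset")
    if alert.get("remote_ip") in BAD_IPS:
        score += 3
        reasons.append("remote_ip on threat intel feed")
    home = USER_HOME_COUNTRIES.get(alert.get("user"), set())
    if alert.get("country") and home and alert["country"] not in home:
        score += 2
        reasons.append("sign-in from a country outside the user's baseline")
    if alert.get("user", "").startswith("svc-") and alert.get("interactive"):
        score += 2
        reasons.append("service account used interactively")
    rule_fp = fp_rates.get(alert["rule"], 0.0)
    if score == 0 and rule_fp >= suppress_above:
        return "suppress", [f"rule FP rate {rule_fp:.0%}, no corroborating context"]
    if score >= 5:
        return "high", reasons
    if score >= 2:
        return "medium", reasons
    return "low", reasons or ["no context hits"]


def triage_all(alerts, feedback):
    """Map alert id -> priority for a batch, using the measured FP rates."""
    rates = false_positive_rate(feedback)
    return {a["id"]: triage(a, rates)[0] for a in alerts}


if __name__ == "__main__":
    rates = false_positive_rate(FEEDBACK)
    print("FP rates:", rates)
    for a in ALERTS:
        prio, why = triage(a, rates)
        print(f"alert {a['id']} [{a['rule']}] -> {prio}: {'; '.join(why)}")
```

On the constructed batch, alert 1 fires on a user signing in from a country already in his baseline under a rule with a 90% false positive history, so it is suppressed rather than ticketed; alert 2 combines a critical database host with an interactive service account and goes out as high; alerts 3 and 4 each carry one context hit (a threat intel match, an out-of-baseline country) and go out as medium for investigation. Feeding the customer's verdict on each ticket back into FEEDBACK is what moves the rates over time.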

4. Poor quality of service & reports

Quality of service is one of the most important elements of an MSSP offering. Why? Because if your MSSP is not heavily focused on quality, they are not interested in learning how to be better and, in turn, in offering a great service. Quality comprises many elements, including communication, transparency, a focus on metrics and KPIs, and proper reporting. Have you ever found yourself frustrated with the standard reports that your service provider is sending you? You may be unhappy with having to export or manipulate data in an Excel spreadsheet, or sort through the data using formulas you had to google, only to find that a single mistake can ruin your whole report. As a client, you need to have access to reporting and business intelligence tools.

Often service providers do not leverage the knowledge they have gained from having clients in a variety of industries. A skilled service provider uses this information to build out unique use cases and correlation rules that a company's in-house security team would not be able to develop on its own.

So, what kind of reports should you be expecting? Outside of the usual incident reports that you get on a (probably) daily basis, you should expect the following reports as well:

– Log sources reports

– Threat Intelligence reports (These reports are crucial because they explain what’s happening in the industry, what your organisation should be worried about and how you can keep an eye on the most updated vulnerabilities that may affect your business)

– Monthly assessment reports

– Quarterly Business Review reports (the QBR reports should go a step further and provide you with context around your security posture, the threat landscape, the health status of your security environment and tips on how to reduce your cyber risk. More importantly, they should help you communicate these to your board. If your MSSP is not holding QBRs with you, that could be a red flag!)

5. Lack of Transparency

You may see many MSSPs offering 6-month free trials or promising only a minor investment upfront, only to be slammed with huge bills once this time lapses. Transparency with clients is key, and there are plenty of places to look for it. Start with the company's website: do they have case studies or testimonials from previous clients? Ask the questions up front: are they being honest and transparent?

We have also come across instances of MSSPs telling clients that they have used up their support hours for the month or quarter. It is vital that your security provider fits your needs and is not just out to charge you whenever additional, unforeseen incidents arise.

Don’t forget about innovation

Cybersecurity is all about innovation. If your MSSP is set in what it is currently doing well and stops innovating, it will be left behind.

The risk is too great, and the danger is too real.

Your MSSP should be constantly proposing new solutions that fit your business needs and strategy. They should always analyse your company considering your business needs and come up with new ways of protecting you from imminent cyber threats.

We know break ups can be hard.

More and more organisations are now considering Managed Detection and Response (MDR) to augment their security teams. To help security leaders decide whether MDR is right for you, reach out to Smarttech247 today. With our MDR platform, VisionX, our customer achieved a 319% ROI in 2021 – Read the full TEI report here.

The Smarttech247 Difference

Smarttech247’s Managed SOC is much more than just a service; it’s your 24/7 Trusted Security Partner. We excel in elevating your Security Operations (SecOps) by seamlessly integrating with your team, acting as an extension of your operations. What sets us apart is our cutting-edge platform, VisionX, which provides an additional layer of visibility and insight. With VisionX, you gain access to an array of advanced features and functionalities that enhance your SecOps capabilities.

One notable advantage of VisionX is its ability to serve as a comprehensive Managed Detection and Response (MDR) platform. By seamlessly integrating our full MDR services into your SOC, you unlock a new realm of possibilities, adding immense value to your cybersecurity strategy. This integration empowers you to make a real difference in your security posture, ensuring that your organization is safeguarded against the evolving threat landscape. With Smarttech247, you’re not just partnering with an MSSP; you’re forging a security alliance that goes the extra mile to protect and elevate your SecOps, making a substantial impact on your overall security.

Ready to Enhance Your Security? Get a FREE Health Check Today!

Smarttech247 offers a high-level evaluation of your cyber security controls. The Health Check will cover the 4 critical protection layers including:

  • System and Technical Security
  • Policies, Procedures and Processes
  • Education and Awareness
  • Compliance 

You will receive a comprehensive 5-page report. This report will provide an overview of potential gaps and vulnerabilities, including exposure through people risk and supply chain risk. The report will also offer recommendations for enhancing your cybersecurity. 

Reach out to the Smarttech247 experts today!
