Strengthening cybersecurity resilience in a changing world

The data tells us that more and more customers are turning to outsourced security management because they simply can’t keep up with the pace and sophistication of cyberattacks. And they expect that the expertise of their MSSP partners will detect and stop attacks quickly. By Hugo Bishop, Regional Sales Director, Northern Europe, Stellar Cyber.

  • 3 months ago Posted in

Many MSSPs have evolved their SOCs over several years, amassing as many as 30-50 discrete cybersecurity tools, only a handful of which are used by any one analyst. Detecting and responding to complex, multi-vector attacks in this environment requires swivel-chair integration of disparate signals – essentially two or more analysts correlating signals they’ve found. An MSSP may be evaluating betwen10 and 100Tb/day of data, with analysts who are buried in alerts and unsure which they should be prioiritising; it’s no wonder many large data breaches have taken weeks or months to discover. 

The fundamental challenges boil down to this:

Reducing the amount of data presented. 

Correlating multiple, related threat signals to reduce the time analysts need to detect complex attacks.

Guiding analysts about how best to address threats, further reducing response time.

Automatically stopping many threats by communicating with firewalls and other systems.

Today, dozens of the largest global MSSPs have adopted new SOC platforms that reduce manual data interpretation, making it faster and easier to spot threats. With the right platform, these organizations have been able to reduce Mean Time to Detect (MTTD) by as much as 8X, and reduce Mean Time to Remediate (MTTR) by up to 20X. 

Here are some essential considerations for choosing a SOC platform that eliminates swivel-chair integration and detection delays.

Built-In Functionality

A good SOC platform should reduce deployment time. It significantly helps if a range of key cybersecurity tools (NG-SIEM, NDR, and UEBA, for example) are built into the platform. Getting all of these in one console under a single license reduces costs as well as training time. Today’s eXtended Detection and Response (XDR) platforms are a good example.

Data Integration 

MSSPs monitor and secure networks and other IT systems by collecting and interpreting data from throughout the infrastructure, and it’s extremely rare to have a stack of security tools that shares a common data format. But an effective SOC platform should easily integrate data from any source, including not just firewall or server logs, but EDR systems, identity management systems, clouds and applications. Then, it should automatically normalize that data into a common format for storage in a data lake. Unlike Closed or Anchored XDR platforms, which typically integrate only with discrete tools from the same vendor, Open XDR platforms are built to integrate with most or all third-party security tools, eliminating vendor lock-in, and giving visibility and protection across the whole attack surface.

Detection

An effective platform must evaluate the ingested data and automatically detect common threats. This eliminates 90% of manual detection by converting terabytes of data to thousands of alerts per day. The leading SOC platforms have incorporated AI technology, specifically Machine Learning (ML), to accomplish this.

Signal Correlation

It is impossible for human analysts to quickly correlate related signals from disparate consoles. The SOC platform should automatically analyse collected data and correlate related signals to reveal multi-vector attacks, using a combination of customizable playbooks and Graph Machine Learning (Graph ML) to detect suspicious behavior. Ideally, the platform should then also prioritise attack incidents in order of severity.

Analyst Assistance

A strong MSSP SOC platform can further speed resolution of complex threats by using Generative AI (Gen AI) to provide instant responses to analysts’ questions. This capability provides further operational efficiencies by reducing the number of analyst decisions to 10-100/day and cutting threat response times by up to 400%. For example, an analyst can ask, “Show all the incidents where data was exported between 12-9AM,” or “Which emails went to domains in Russia?”

Hyper Automation

A few SOC platforms are now adopting Hyper Automation features as well. These platforms use ML and bidirectional integration with security infrastructure systems to shut down attacks.  For example, the platform might notify a CRM platform to stop a user from sending email and attachments to Russia, or cause an identity management system to invalidate a user’s spoofed login credentials.

The speed and sophistication of cyberattacks accelerates unabated, the complexity and array of cyber security tooling continues to spiral, and there aren’t enough security analysts in the world to keep up. In fact, there are more than 3 million security jobs going begging worldwide due to a shortage of analysts. To prosper in this environment, MSSPs must adopt AI-driven, highly integrated SOC platforms that reduce this complexity, deliver cost and operational efficiencies, and enable fast and accurate detection and response for their analyst teams.

By Dael Williamson, Chief Technology Officer EMEA at Databricks.
Nadir Izrael, Co-Founder and CTO at Armis discusses the importance of critical infrastructure...
It’s getting to the time of year when priorities suddenly come into sharp focus. Just a few...
By Andrew Strevens, Chief Integration Officer for the new organisational Hampshire and IOW...
By Darren Thomson, Field CTO EMEAI at Commvault.
By Asher Benbenisty, Director of Product Marketing at AlgoSec.
By Laura Friend, UK Enterprise Lead, Amplitude.