Cyber security managers around the world are changing the way they operate, looking towards a more mature cyber security landscape. Their relentless adversaries support this movement with obsessive attempts to cross the edge and exploit the data. Companies are adapting their tactics, technological equipment and procedures with the help of managed service providers, who, amid a global shortage of skilled workers, can accumulate expertise and the best professionals in the industry.
The number of players in the managed service provider market is gradually growing. They are differentiated by areas and methods of operation, gradually migrating from the previously common model of managing specific technological means for cyber defence (MSSP) to a full-fledged integrated service that includes detection, investigation and response (MDR).
IDC, the world’s leading analyst agency, asked 410 CISOs from leading US companies how they choose their managed services partners (MSSPs and MDRs) to help the market define the criteria for evaluating the quality of services in this fast-growing market segment.
Respondents identified the eight most important attributes of a cyber security provider, which are the following:
We have analysed these criteria and offer you a detailed description of each attribute.
Speed of service connection. The speed of connecting to the services of an MDR provider varies from hours to weeks. According to Octava Defence’s experience, the connection takes an average of 2–2.5 months. Configured adaptation processes help mitigate risks through such elements as threat modelling, overall security status reviews and/or security architecture reviews. The first day of live use of an MDR service will usually not provide the desired level of protection. Achieving a more secure, mature position takes time, especially for organisations that have not previously used a SIEM or other system to collect historical data, which is key to machine learning (ML) algorithms. Over time, the MDR service will be better at identifying what is normal and what is abnormal activity. Typically, it takes 3 to 6 months, followed by ongoing tuning to reflect new threat types, controls and system updates. Nevertheless, the reduction in time to connect the service is a key difference.
24/7/365 monitoring Not all cybersecurity service providers work around the clock, while attackers have no time constraints. That’s why the continuity of monitoring and support for monitoring and incident response centres (SOCs) has quickly become a necessary feature of cyber security services. At Octava Defence, the L1 shift is already working around the clock (24/7), and the process of supporting L2-L3 cyber analysts provides for different levels of escalation based on customer requirements.
An important thing is the existence of a process for the managed exchange of threat intelligence (curated threat intelligence) in the format of various types of indicators of compromise (IoC). The expansion of the risk surface, driven in part by the rapid transition to the cloud, has increased the number of indicators of compromise (IoC) that SOC teams must investigate. Exchange of threats with verification or additional checks helps reduce false-positive alerts by focusing on threats that are more likely to target an organisation and cause damage. At Octava Defence, we collect information about possible threats from various sources (commercial and free, closed and open, public and private), classify them, and enrich the work of security tools and SIEM systems with this data. SOAR-class systems allow some processes to be automated, thus improving the quality of service.
Encryption. Some MDR providers include data encryption services in their offerings or offer it as a separate product. Encryption will be another important layer of data protection in terms of ensuring privacy. It so happens that in Ukraine, this class of solutions is generally separated from MDR services; nevertheless, Octava Defence, due to its structural proximity to one of the leading developers of encryption tools, has the relevant competencies and can meet the needs of data encryption, such as the implementation of GDPR (General Data Protection Regulation) requirements for personal data.ів шифрування, має відповідні компетенції та може задовольняти потреби у шифруванні даних на кшталт реалізації вимог GDPR (General Data Protection Regulation) щодо персональних даних.
Expertise in threat hunting. The threat intelligence gained through curated threat intelligence should be used for further threat hunting. Reactive threat hunting, targeted threat hunting and proactive threat hunting are all important to help organisations improve security maturity and strengthen security. A professional cyber security provider conducts research on attackers and understands what they do and how they do it.
In the case of Octava Defence, we use constant proactive threat hunting, which is the optimal preventive strategy. Also, the use of SOAR (Security Orchestration, Automation And Response) tools allows us to implement more complex and efficient Threat Hunting processes.
Extended endpoint protection (EDR / XDR). A modern cyber security service provider must cover all types of endpoints with its tools, including the Internet of Things (IoT), the Industrial Internet of Things (IIoT), and the Internet of Medical Things (IoMT). All of them require monitoring and protection, so the availability of EDR/XDR systems is a must today. The greatest efficiency can be achieved when they are used in the MSSP/MDR model when the service provider not only implements but also provides further operational support for these systems.
At Octava Defence, we provide continuous monitoring and retrospective analysis of endpoint health based on behavioural methods and data enriched by the context of EDR/XDR class systems.
The availability of a cyber security orchestration system (SOAR) determines both the level of process organisation of the service provider and its ability to provide efficient cyber defence in terms of advanced capabilities for analysing, investigating, and responding to incidents, as well as tracking SLA indicators.
SOAR solutions allow you to collect data on information security events from various sources, enrich incidents with the necessary additional information, process them using a playbook, and launch responses to them using both manual and automated scenarios.
SOAR is a key component of Octava Defence’s Security Operations Centre, which, in addition to collecting and processing all customer alerts and incidents, allows us to provide customised services through multi-tenancy functionality.
Incident detection and response time. Speed is essential for detecting and stopping threats.
Typically, these metrics can be measured by the following indicators:
However, it is very important to agree with the service provider on the context of these indicators so that expectations are the same in terms of content and interpretation. The existence of this kind of SLA is also a sign of the service provider’s maturity.
At Octava Defence, we have several variants of service agreements: from a standard SLA to a unique one for each individual customer, including the use of automatic playbooks. Most often, we operate with MTTD (Mean Time to Detect) and MTTR (Mean Time to Response) indicators.
In addition to analysing the criteria already mentioned, when choosing a cyber security provider, we recommend finding out how your partner invests in its own development. To remain competitive, MDR providers must continually invest in their people, processes, and technology. At Octava Defence, we have an R&D centre to monitor and test new technologies, optimise processes, etc.
Learn more about managed services and SOCaaS from Octava Defence.