MSSP Security at Scale: Top Challenges at an MSSP from a CISO’s Perspective

MSSP Security Today: Where Do We Stand?

Cybersecurity has rapidly risen to one of the highest priorities among enterprises worldwide, meaning that both the skills and costs of security teams are quickly expanding by their side.

For many firms, an in-house SOC just isn’t realistic from a cost and resource perspective – which makes managed security service providers (MSSPs) the ideal solution for price-sensitive companies that require a powerful solution. Indeed, the global MSSP security market is expected to grow 264% between 2021 and 2031, which is a compound growth rate of 14.2% every year. 

And while MSSP security has benefited from this period of rapid growth, CISOs and their teams have become bogged down by the many challenges that have come out of this growth. 

After serving as CISO at Avertium and CEO of TruShield, two MSSPs, SnapAttack’s Chief Growth Officer Paul Caiazzo realized that there was an opportunity to bring the scale, resource effectiveness, and agility that MSSPs needed to a comprehensive platform.

 

Challenges CISOs face at MSSPs

Paul’s experience with Avertium introduced him to the many daily challenges that CISOs everywhere face at a rapidly growing managed security services provider – such as:

  • Security at Scale – Scaling across complex, decentralized client environments is challenging, because MSSP security is not as simple as “copy and paste” when applying the same defensive processes across even two similar firms. Each has its own tool sets, data processes, and coverage requirements.
  • Building and Growing Security Teams – It is so difficult to find, train, and retain the right talent to manage the many unique client environments at an MSSP. This talent shortage in cybersecurity makes it tempting for MSSPs to scale through technology.
  • Lack of Integration Across Technologies – The cybersecurity technology landscape is as competitive as it is crowded. With each tool using its own query language, working across incompatible tools can be challenging for any MSSP.
  • Agility – MSSPs need to have the ability to mobilize quickly in the face of a crisis.
  • Lower Margins – With the MSSP market being so competitive, additional costs within the business are often a non-starter unless those costs offer immediate and direct impact on the bottom line.
 

Watch now: How MSSPs Can Overcome Challenging and Uncertain Economic Times

 

Shifting to Proactive Cybersecurity 

The Rise of Threat Hunting 

Whether XDR, MDR, EDR, or SIEM-based, effective threat detection offers an informed view of a business by examining all potential areas of vulnerability from the attacker’s point of view as well as the strategies and tactics the attacker might employ against the firm. 

Though it began as a mere component of many cybersecurity services, threat hunting has evolved into its own dedicated offering due to the complexity of the craft and the skill of the technician. However, as with any modernization, many MSSPs’ clients – clients who have been advised time and time again to invest in the next cyber silver bullet –  felt reluctant to adopt it. 

Even with a group of talented threat hunters, the appropriate tools in place, and sophisticated techniques, it can take days or weeks for a dedicated team to find the prize. 

And that’s if they know what to look for

Why? Because they have to answer questions that don’t always have straightforward answers, like: 

  • Who is the attacker and are they relevant to us? 
  • What TTPs are they using, and which should we prioritize? 
  • What controls will help identify their activities? 
  • How do I find or build a detection that will defend against the attack? 
  • Will my detection work across my environment?

 

The list goes on. Some of the newer SIEM platforms claim to offer users threat hunting capabilities right out of the box, but that’s hardly the case without customization done by experienced operators.

More on threat hunting: The Art + Science of Pre-Crime Threat Hunting

 

 

Purple Teaming: Dynamic Collaboration 

For Paul, threat hunting represented a long-awaited shift towards more proactive, preventative security operations. Amid this shift, solutions like purple teaming arose to connect teams and support once-tedious activities like threat hunting.

Purple teaming bridged the gap between red and blue teams, allowing for continuous collaboration and more meaningful context for both teams. This solution bolstered MSSP security teams’ ability to collaborate and share information, which translated to more effective engineering and more robust detections.

Another priority to Paul was the accessibility of cybersecurity – he knew that SecOps teams could be so much more effective if only they worked together, but a widespread reluctance to collaboration was holding most of them back.

 

SnapAttack: The Comprehensive Threat Hunting + Purple Teaming Solution

Most recently, SnapAttack partnered with Avertium to leverage detection-as-code capabilities in their already robust Fusion MXDR offering. In this case, a modernized approach to threat hunting and continuous purple teaming gives more power and security to clients while simultaneously enhancing Avertium’s own operations through scalability, deeper insight into threats, and agile detection deployment.

 

This is what drew Paul to SnapAttack, because it complements and resolves challenges that MSSPs like Avertium face – delivering a powerful force to confound and disrupt the adversary when combined with well-configured SIEM, EDR or XDR client toolsets and highly skilled analysts.

“SnapAttack exists to break down the barriers between teams, between tools, and between organizations that make the seemingly simple goal of protecting your organization difficult or impossible,” says Paul. 

Our partnership with Avertium helps us fulfill our mission across hundreds of companies around the world in many different industries, each with unique environments and security tools. Avertium has always been deeply committed to delivering customer success through innovation and expertise and I’m delighted that SnapAttack’s vendor-agnostic approach to threat intelligence, adversary emulation, and detection-as-code is able to contribute to that.”

With just one platform, MSSPs can streamline their threat hunting process to more quickly mobilize against emergent threats and scale with ease across their complex clients – no matter what threat hunting tools they use.

Mapping coverage to the MITRE ATT&CK matrix, SnapAttack brings clarity and confidence to SecOps by giving even junior analysts expert guidance and standardized reporting with dashboards.

Learn more: Are we protected? Mobilizing threat-informed defense through continuous purple teaming

1. As clients ask “are we covered?”, MSSPs can quickly mobilize and act on their questions about alerts by:

  • Checking their coverage against emergent threats automatically as new threat sessions are created.
  • Get upstream of the alert by using SnapAttack’s powerful features to create better detections faster – regardless of tooling.
  • When new threats are disclosed, automatically find out whether they’ll be detected and if there are multiple points of coverage with the ability to immediately deploy threat detections into the field.
 

2. Improve resource effectiveness and margins

  • Reduce time spent on a typical threat hunt by up to 98% – that’s days or weeks less than customer-deployed SOC solutions, built in hunting tools, or other third-party software.
  • Eliminate alert fatigue and focus their SOC and IR teams on critical needs by saving the time they’d normally spend preparing for the hunt.
  • Prioritize, triage, and respond to high-fidelity detection hits in the production environment.
  • Organize red team/CTI knowledge in an easily digestible and usable way, enabling their blue teams to better understand and stay ahead of any given threat, and collaborate any time.
 

3. Scale SecOps quickly and efficiently across client environments and tooling by enhancing collaboration

  • Communicate across cyber defense teams and deploy detections across different tools with an integrated view of data sources + context.
  • Test and deploy 1,000s of pre-written, validated detection analytics.
  • SnapAttack’s integrated view across data sources offers context and the ability to communicate across cyber defense teams and deploy detections among different tools.
 

4. Streamline and standardize reporting with dashboards

  • Quantify + visualize MITRE ATT&CK coverage for a specific actor or threat to deployed detections + gain immediate perspective on their actual detection coverage mapped against ATT&CK.
  • Give teams the ability to create, translate, deploy, validate detections across their stack without having to know syntax for a myriad of security tools, enabling them to collaborate seamlessly.
  • Give SOC Managers an easy way to report to CISOs their actual coverage against a given threat, as well as measure detection team performance and overall security posture.
 

5. Level up junior analysts while they’re on the job

  • Enable even junior analysts to write and validate detections – no coding knowledge necessary with our revolutionary point-and-click detection builder.
  • Enable analysts to compare production-environment alerts with known malicious logs, improving alert fidelity and customer outcomes.
  • Teams can quickly understand any given attack technique by observing the adversary, their victim and the true positive evidence left behind.
 

6. Know clients are covered and feel confident in protection

  • See coverage and gaps across the entire kill chain and across the entire technology estate. Measure coverage with MITRE ATT&CK, identify gaps, and continuously validate detections.
 
Ariel Ropek, Director of Cyber Intelligence at Avertium, says: “SnapAttack enables us to distribute our latest threat intelligence content packs to all Avertium Fusion MXDR customers across any SIEM, EDR, or XDR technology. Our adversary tactics evolve with new threats, and this new detection-as-code technology allows us to maximize our customers’ technology investments and scale our defense operations at extraordinary speed.”

 If you want to keep up with SnapAttack, please subscribe to our newsletter.

And if you’re ready to talk, book a meeting on Paul’s calendar or book a demo of SnapAttack.

 


 

About Paul Caiazzo

Paul Caiazzo is the Chief Growth Officer of SnapAttack. Before SnapAttack, Paul served as Avertium’s CISO and SVP of Corporate Development.

As Avertium’s CISO, Paul oversaw many activities at Avertium to ensure that it was operating at optimal efficiency, working to reduce risk for both Avertium and their clients. 

With over two decades of industry-leading experience, Paul credits his extensive background in the federal government and financial sectors to having first-hand knowledge of not only how crippling cybersecurity issues can be, but also the perspective that resilient security supports achieving high initiatives. 

While at Avertium, Paul was named “CISO of the Year” in the fifth annual CyberSecurity Breakthrough Awards program conducted by CyberSecurity Breakthrough, a leading independent market intelligence organization that recognizes the top companies, technologies and products in the global information security market today.