MSSPs: Here’s How To Turn Your Clients’ Data Into Actionable Intelligence

There’s no question about it: The world needs managed security service providers (MSSPs). Qualified cybersecurity professionals are getting harder to find and retain every year. Researchers predict that there will be 3.5 million unfilled cybersecurity roles by 2021, according to The New York Times.

Meanwhile, cyber threats are becoming increasingly prevalent and more damaging. According to the World Economic Forum, cyber attacks topped the list for the biggest risks facing businesses in North America.

Without MSSPs, countless organizations would be left lacking the resources and expertise they need to prevent, detect, and respond to today’s highly sophisticated cyber threats.

Businesses Need MSSPs, but What Do MSSPs Need?

In three words, actionable threat intelligence.

Threat vectors are multiplying as customer networks become more spread out. The traditional perimeters have all but dissolved thanks in large part to cloud computing. Consequently, it’s more difficult than ever for security operations centers (SOCs) to gather adequate threat intelligence about hackers’ tools, techniques, and procedures (TTPs).

In 2019 alone:

Factor in the slew of new zero-day threats, hundreds of new malware families, thousands of new phishing campaigns, and countless other novel tactics and strategies used by hackers – not to mention the billions of previously known malware signatures and TTPs – and the enormity of MSSPs task starts to come into focus. Throw the ever-changing IT landscape into the mix, and the matter becomes even more convoluted.

In theory, MSSPs can do some of the intelligence gathering themselves. Many of the most common sources they’ll look at include, but aren’t limited to:

  • Phishing URLs: Webpages that are known or heavily suspected to be designed with the sole purpose of stealing login credentials. This data is pulled from a number of sources, such as suspicious email threads aggregated by email providers.
  • Malicious C2 servers: Command-and-control servers that are passing instructions along to malware and other malicious programs. Identifying these servers requires various domain name analysis techniques.
  • Infection records: Newly identified malware strains and their signatures.
  • Newly registered domains: Lists of newly registered domains.
  • Compromised credentials: Leaked or pilfered personal data and account credentials pulled from a wide variety of sources – bank accounts, social media, streaming services, SaaS accounts, etc.

But gathering intelligence is only phase one. The complete list of processes involved in threat prevention, detection, and response looks something like this:

  1. Gather all of your threat data in real time on an ongoing basis.
  2. Perform further analysis to refine its context.
  3. Actually apply it to each client’s unique IT environment in the form of fully contextualized, finished, and usable intelligence.
  4. Figure out exactly how to act on that intelligence.

Every minute spent on these preliminary threat-hunting and detection tasks is a minute less to actually take the necessary actions that help identify and preclude the most urgent threats.

MSSPs don’t have time for that.

The solution? They procure threat intelligence from other companies that specialize in collecting and contextualizing it.

What To Consider When Shopping for Threat Intelligence

First and foremost, it’s crucial to always look for finished threat intelligence. This is not the same as buying bushels of raw data, or paying for access to intelligence feeds that have not been refined and contextualized. Finished intelligence provides clear insight into the motivation, capabilities, and potential impact of threats.

Keep in mind that not all vendors offer finished threat intelligence. For MSSPs, unfinished threat intelligence is a deal-breaker.

Integration is also an important component of threat intelligence. It goes without saying that MSSPs will pull log data from other resources such as firewalls, intrusion detection systems, and spam gateways, and use SIEM or big data solutions to analyze that information.

To maximize the value of existing SOC resources, it’s crucial that MSSPs ensure any threat intelligence they purchase or pay for access to can integrate with those existing systems.

It’s also prudent to inquire about the sources and collection methods used by the threat-intelligence vendor. At LookingGlass, for example, our Global Attack Surface Management Platform – scoutPRIME® – collects, normalizes, and indexes more than 88 sources of threat data. We’d be happy to talk more about those sources, and our process for refining that information.

When all is said and done, threat detection and response is only going to become more complicated, and that’s as true for the average small or medium-sized business as it is for the MSSPs serving them.

Now more than ever, good guys need to have the upper hand.

And they can find it in the form of high-quality, actionable threat intelligence.