Leveraging a new MSSP/MDR SOC contract to build an intelligence practice
Article by ThreatQuotient APJC regional director Anthony Stitt.
Cyber threat intelligence (CTI) is now being used by organisations of all sizes across industries and geographies. 85% of respondents to the 2021 SANS CTI Survey report they are producing or consuming intelligence, with the remaining 15% planning to.
Notably, for the first time, the number of respondents without plans to consume or produce intelligence was 0%, down from 5.5% in 2020. But there is still much work to be done.
Months on from the SolarWinds Orion security breach:
- 63% of organisations surveyed remain highly concerned about data security
- 60% of those directly impacted are still trying to determine if they were breached
- 16% of organisations are wondering if they were even impacted
Few organisations have matured their security operations (SecOps) to the point where they have integrated a complete CTI practice.
Many organisations rely on managed security service providers (MSSPs) or managed detection and response (MDR) providers for the detection component of their SecOps, with the provider setting up processes and serving as tier-1 and tier-2 SOC analysts.
SOC contracts are generally signed for a minimum three-year period. While these contracts may specify the need for continuous enhancement, it can be difficult to make significant changes and update SLAs once the contract is in place.
This limitation has become problematic given the past year of disruptions. Almost 20% of survey respondents told SANS the pandemic has changed how they use threat intelligence due to a rise in phishing, ransomware attacks and work-from-home threats.
The recent rise of worldwide supply chain attacks has been a game-changer for defenders. Strategic shifts to mature SecOps by implementing a CTI practice are difficult to achieve whilst outside a contract renewal window. That’s why customers must think ahead about their SecOps maturity needs and work with their MSSP/MDR at contract renewal to synchronise SecOps process evolutions.
Here are the keys to overall project success when leveraging the SOC MSSP/MDR contract process.
Don’t let the window close: moving from reactive to anticipatory
Disruptions are a fact of life, and threat actors will continue to take advantage of them. A CTI platform allows for an anticipatory approach by profiling both the attacks and the attackers, who rapidly change their tactics, techniques, and procedures (TTPs) to evade defensive technologies.
With intelligence-based workflows, security operators can use these insights into adversaries to enrich internal surveillance, focusing on threats and minimising noise or false positives.
Security teams can strengthen defences by automatically sending relevant threat intelligence directly to the sensor grid, SIEM, logs, and ticketing systems to proactively protect the organisation from future threats. In such a set-up, the customer SecOps team creates detection policies in real time and actively collaborates with the MSSP/MDR to perform crisis management when a new threat appears.
CTI serves and is fed by all four functions of your SecOps
Security operations consist of four main functions: the defence team, risk management, the SOC for detection, and the incident response team.
With a CTI platform, teams can leverage threat intelligence across these functions to understand your adversaries and their tactics, techniques, and procedures.
As tools and teams gather additional threat data, they can feed that information into the CTI platform to create an organisational memory: intelligence is automatically re-evaluated and reprioritised based on this new information. This enables the CTI practice to keep improving by leveraging information that helps accelerate the right actions, and allows genuinely threat-data-driven orchestration across all SecOps tools.
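As an added illustration of the re-evaluation described above (this is not ThreatQuotient's product or any real platform's scoring model), the Python sketch below keeps a small threat memory and re-scores every indicator whenever a new source or an internal sighting from the SOC/IR team arrives; the source weights, decay rate, threshold and sample indicators are all assumed, constructed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical trust weights per source; a real platform would make these configurable.
SOURCE_WEIGHT = {"vendor_feed": 0.4, "isac": 0.6, "mssp_soc": 0.8, "internal_ir": 1.0}

@dataclass
class Indicator:
    value: str
    itype: str
    first_seen: datetime
    sources: set = field(default_factory=set)
    sightings: list = field(default_factory=list)  # times the SOC/IR team observed it internally

class ThreatMemory:
    """Organisational memory: every indicator is re-scored whenever new information arrives."""
    def __init__(self, now: datetime):
        self.now = now
        self.indicators = {}

    def ingest(self, value, itype, source, seen_at, sighted=False):
        ind = self.indicators.setdefault(value, Indicator(value, itype, seen_at))
        ind.sources.add(source)
        if sighted:  # an internal observation (SOC alert, IR finding), not just a feed entry
            ind.sightings.append(seen_at)
        return self.score(ind)

    def score(self, ind: Indicator) -> float:
        base = max(SOURCE_WEIGHT.get(s, 0.2) for s in ind.sources)  # most trusted source wins
        corroboration = 0.1 * (len(ind.sources) - 1)                 # each extra source adds a little
        recent = sum(1 for t in ind.sightings if self.now - t <= timedelta(days=30))
        sighting_bonus = min(0.5, 0.25 * recent)                     # internal sightings weigh most
        decay = 0.9 ** ((self.now - ind.first_seen).days // 30)      # stale intel fades month by month
        return round(min(1.0, (base + corroboration) * decay + sighting_bonus), 3)

    def prioritise(self, threshold=0.3):
        # Indicators worth pushing to the sensor grid / SIEM, highest score first.
        ranked = sorted(self.indicators.values(), key=self.score, reverse=True)
        return [(i.value, self.score(i)) for i in ranked if self.score(i) >= threshold]

def demo():
    now = datetime(2021, 6, 1)
    mem = ThreatMemory(now)
    # Constructed sample data: a stale vendor IOC and a fresh one from the same feed.
    mem.ingest("198.51.100.7", "ipv4", "vendor_feed", now - timedelta(days=200))
    mem.ingest("203.0.113.9", "ipv4", "vendor_feed", now - timedelta(days=5))
    before = mem.prioritise()
    # New information from the IR team: the fresh IOC was seen in an internal incident.
    mem.ingest("203.0.113.9", "ipv4", "internal_ir", now - timedelta(days=1), sighted=True)
    after = mem.prioritise()
    return before, after
```

Calling `demo()` shows the stale indicator dropping below the push threshold through decay alone, while the fresh one moves from a low feed-only score to top priority once the IR team's sighting is fed back into the memory.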
A CTI practice requires some modifications to all four functions, including the SOC MSSP/MDR contract
When introducing a CTI practice into the core of security operations, every function, and the tooling it relies on (SIEM, SOAR, EDR, etc.), must adapt to work with a CTI platform in order to benefit from the collaboration and communication it enables.
Some service providers can accelerate the process because they offer a CTI capability as part of their practice. However, for others, more work needs to be done to their processes and SLAs to ensure successful onboarding of a CTI platform.
Either way, modifications are more straightforward when initiated at contract time. Otherwise, the risk of missing out on the full value of a CTI practice grows.
The CTI practice can be activated when you’re ready
MSSPs/MDRs that already have a CTI practice offering can provide a CTI platform and, over time, transfer to the customer's team the skills needed to run the CTI practice. If a service provider continues to run the CTI practice on behalf of the organisation, the threat memory will remain on the organisation’s site for reuse.
This is the implementation model seen most in the past 12 months, but it’s early days and service providers are working together with their customer SecOps teams to optimise the path forward. If the MSSP/MDR doesn’t have a CTI practice offering, look for a CTI platform that leverages a flexible data model and supports open intelligence sharing standards to ensure connectivity and communication. The goal is to be ‘CTI practice ready’.
The escalation of cyber-attacks over the last few months has shown there’s no time to waste in maturing SecOps programs. A reactive security posture is not a viable option. Instead, teams must leverage threat intelligence throughout their security operations to understand adversaries, strengthen defences, and accelerate detection and response by turning SecOps into an anticipatory program.
It is important to work with the SOC MSSP/MDR partner at contract time to remain in control of the timeline and avoid being forced to wait another three years for the next contract negotiation cycle to gain the full value of a CTI practice and platform.