Radical Transparency: Killing Managed Security Services’ Black-Box Approach

Enterprises have been turning to managed security services for years and are losing faith with the “black box” approach that has become the industry standard. Organizations are requesting answers to what should be simple questions such as, What rules applied to my events? When did analysis begin? Who worked on my alerts? And, What happened to the alerts that were not forwarded?

There needs to be a shift toward “radical transparency” that provides openness to the monitoring processes and builds credibility in managed security services. We need to throw out the black-box approach and start showing customers details around their security events, triage decisions and analyst notes that can help them better operate and secure their business.

The best way for managed security services providers and customers to get to this level of transparency involves a cultural shift so that customers have access to the same analytic rules, audit logs and metrics as the managed security service provider analysts.

Trends Driving Managed Security Services

Today, enterprise security teams are drowning in alerts. A study by the Ponemon Institute highlights this:

  • 19% of alerts are deemed reliable and only 4% are actually investigated
  • 44% of security operations managers see more than 5,000 alerts per day
  • 62% have an excess of alerts and false positives, and are overwhelmed

What makes this situation even worse is the shortage of cybersecurity talent in the industry today. A recent report predicts that there will be 3.5 million cybersecurity job openings by 2021. And in a very competitive labor market, it is very expensive for enterprises to find, attract and retain cybersecurity and SOC experts.

As enterprises are flooded with alerts and challenged to hire enough security experts, they have been turning to managed security services, driving significant growth in this sector. According to one report, the managed security services market is predicted to reach $58 billion by 2024. The reason for the growth is clear—managed security services give enterprises access to both top talent and the latest tools, along with experience and expertise in protecting enterprises across a wide range of industries. It’s a great way to mitigate risk.

Legacy MSSPs

In the early years, managed security services providers (MSSPs) initially attempted using security information and event management (SIEM) as a platform to create security alerts. However, this led to analysts simply forwarding raw security events to customers with no analysis or insights. This approach emphasized the speed of notification (e.g., forwarding events to the customer in less than 5 minutes) rather than the quality of the investigation.

As MSSPs tuned their platforms to focus on quickly forwarding high-priority alerts, the actual result was reduced effectiveness because they were missing attacks due to eliminating lower-priority security events. More importantly, it simply shifted the burden of investigation and analysis back to the customer, so they were essentially doing on their own what they originally intended to outsource—while still having to pay for it!

MDRs – Still Trapped Inside the Black Box

Managed detection and response (MDR) services took the legacy MSSP approach a step forward by investigating security events and providing the analysis needed to properly respond. However, many MDRs still operate in the traditional black-box approach: Customers only see what is escalated to them without any context or explanation.

If we are being honest, real analysis is subjective, requires human judgment and takes time, which should raise concerns from customers about how MDR providers are measuring and improving the quality and efficacy of alert investigation.

Full Transparency: A Radical Concept for Security

A system with full transparency reinforces trust and credibility and is what customers have come to expect and demand from companies in other industries. Think of an itemized receipt for an expensive dinner, or calls being recorded “for quality assurance and training purposes.” This level of transparency gives customers the details they need to decide whether they are getting true value for what they are paying or to know that the company is actively trying to make their service and support better.

Along these lines—and in stark contrast to the black-box approach—I argue that customers should be able to see and access everything from their MDR provider—audit logs, automation processes, playbooks, etc. Having full access to everything the MDR platform knows about the customer, analytic playbooks and what the SOC analysts are doing gives the customer a level of intelligence and insight that can improve their operations and their business.

And, I would take this transparency a step further. Because of the subjective nature of human analysis, there is also a need to ensure the quality and consistency of security analysis. Using machine learning, it’s possible to automate the sampling of alerts for review and scoring, with the scores being based on the speed, accuracy and consistency of analysis.

With that data, MDRs can then adjust the number of alerts reviewed per analyst based on their ongoing scores. The highest scoring analysts will have less alerts reviewed, while ones with lower scores will see an increase in alert reviews that provide opportunities for coaching and training.

Customer Benefits and Security’s Transparent Future 

In all, by focusing on the continuous improvement of security analysis with a full, transparent view of the customer—from audit logs to SOC analyst scores—you can build customer trust by allowing them to independently assess the quality of the investigations. This mitigates human error with a consistent and predictable review of alerts. For MDR providers, the process also gives continuous feedback to SOC analysts and drives improvement in the training process and retention.

While this approach might be “new” and “radical” now, it will quickly become a customer expectation and a required standard for MDR providers in the near future.

Rob Davis

Avatar photo

Rob Davis

Rob Davis is a founder and CEO of Critical Start, a Dallas-based provider of cybersecurity solutions. A Certified Information Systems Security Professional (CISSP), Rob has more than 20 years’ experience in the information security industry.

rob-davis has 1 posts and counting.See all posts by rob-davis