Challenges for MSSPs wanting to take on threat intelligence

The market adoption of advanced threat intelligence capabilities is accelerating as managed security service providers (MSSP) partner up with threat intelligence vendors to enrich their existing service portfolios.

MSSPs recognize the value that threat intelligence generates for their customers: reducing risk by adding context to threats so that they can be better understood and more effectively mitigated. Beyond that, they often as route to incremental revenue opportunity as well as further differentiating from the competition by becoming a true trusted advisor. MSSPs that evolve through threat intelligence adoption are best equipped to sustain those enterprise customers who wish to derive a complete set of managed security services from a single provider rather than multiple specialists.

Many MSSPs see the opportunity of selling threat intelligence to their customers, but must first grapple with the challenge of selecting and implementing the right technology, and then offering the optimum service.

For the purposes of this blog, we’ll focus on the core tasks and evaluation criteria that MSSPs can adopt in their threat intelligence vendor selection processes.


Can you scrutinize sector-specific expertise?

Threat intelligence vendors gather their intelligence in different ways. Some sources will be common among the threat intelligence vendor community but many others will be niche to the needs of specific industry sectors. A discriminating choice of intelligence sources that map against the threat categories most common to each given industry is therefore critical for MSSPs to be as relevant as possible to their customers’ needs, particularly if existing customers are concentrated in particular verticals. For example:

  • For retailers and e-commerce firms, the optimum intelligence will be biased toward collecting data from the black-market trade in stolen credit card details, such as via underground forums on the deep or dark web. Other vectors pertinent to the industry include phishing, cybersquatting and hacktivism.
  • If the MSSP helps utilities/manufacturing, the onus is more likely to be on looking for leaked data.
  • In insurance and financial services, fraud perpetrated through compromised credentials is a significant vector, as are DDoS attacks, ransomware and third-party exposure.

And while MSSPs and their customers may feel confident that other measures are in place to physically combat various forms of generic commodity attack (e.g. an emerging form of malware) – the addition of threat intelligence to their cyber arsenal gives them an extra dimension: new visibility into the likelihood and existence of specific, targeted threats that are unique to their organization and sector (e.g. increased hacktivism activity against mortgage lenders).

TAKEAWAY: Select a threat intelligence vendor able to demonstrate a large and comprehensive set of intelligence sources relevant to your target sectors (e.g. botnet, command and control, targeted malware, credit card theft, rogue mobile apps, hacktivism, data leakage, phishing, cybersquatting, brand abuse).


What form do the intelligence outputs take?

How your chosen threat intelligence vendor disseminates intelligence has knock-on effects to your operations and your customers’ service experience.

MRTI (machine-readable threat intelligence) is the first-level of threat intelligence and is commonly employed as an ongoing data feed to an organization’s SOC team. For example, Blueliv’s MRTI feed arms clients with ultra-fresh data around Bot IPs, attacking and TOR IPs, malware and hacktivist activities. Dynamic data streams allow analysts to identify IOCs and manage threats effectively. Crucially, it is very simple to set up and offers fast, frictionless integration with SIEMs, firewalls, IPs and other security products, because of translation from human to machine-readable formats and rapid dispersion to cloud and onsite security infrastructure. These customizable feeds plug in using APIs developed by Blueliv for this purpose.

The value of a good, well-tuned MRTI feed is not to be underestimated, but does not fully reflect the full capability of an advanced threat intelligence platform.

Above and beyond MRTI feeds sits a more dynamic threat intelligence platform approach that combines automated data gathering and categorization with human insights and contextual analysis to validate and provide truly actionable threat intelligence.

TAKEAWAY: Most threat intelligence vendors provide MRTI feeds that customers plug into, but this can be a sluggish process that integrates poorly with existing infrastructure and – even then – still requires further data analysis. At the very least, you need a full-spectrum MRTI feed that allows customers to get set up quickly and easily – accelerating time to revenue and lessening support costs. For differentiation, look for threat intelligence that performs real-time contextual analysis to deliver truly actionable information.


Is this going to easily integrate with existing processes and complementary services?

An effective, MSSP-ready threat intelligence platform must complement other security vendors’ firewall, IPs and monitoring products, etc. to add contextual intelligence and turn it into actionable protection in real time. This can be supported via standardized cybersecurity information-sharing techniques (e.g. STIX, TAXII) to automate intelligence sharing with other devices. An available set of APIs and SDKs can further ease the integration of the threat intelligence platform with internal SOCs for greater security synergy i.e. supporting other MSSP cyber services for attack detection and mitigation. As with any other strategic vendor arrangement, MSSPs should also take care to ensure that the partnership will be adequately supported with appropriate onboarding, training and help should questions arise.

TAKEAWAY: Threat intelligence that stands alone from your other strategic services will never recoup its potential value. Look for integration that overcomes all technical obstacles as well as supporting your own business needs.


What if the end customer only wants specific aspects of threat intelligence rather than the complete package?

Threat intelligence solutions worthy of the name should offer universal threat coverage, but this needn’t mean acquisition be constrained to an all-or-nothing choice. Modular threat intelligence enables MSSPs and their customers with a buffet-style choice of capabilities to suit their needs as they evolve.

This is also the optimum model for supporting each end-customer as they grow – enabling the MSSP to package and sell the underlying threat intelligence platform as a security-as-a-service offering to clients who have their own SOCs and want to manage the solution themselves, as well as to those who rely entirely on the MSSP to effectively outsource their security operations.

TAKEAWAY: Choose a threat intelligence vendor with modularity so that you can harness a flexible foundation for enabling new business. The vendor should also have a great training and accreditation program in place to optimize sales enablement and guide pre- and post-sales support.


How can the service scale?

MSSPs may differ in size, but they all want to grow in line with predictable costs and a non-disruptive infrastructure model. For rolling out threat intelligence, once again the question of modularity comes into the equation here, enabling different elements of the full suite to flex in response to customer demand in specific areas.

The ultimate flexibility comes from a cloud-based threat intelligence platform that allows new client accounts to be activated quickly at endless scale, without having to purchase, deploy, manage, support, or upgrade physical equipment, leading to faster time to revenue and ROI.  For example, we’ve developed a unique MSSP ATM to calculate your credit balance, so you’ll need a minimum amount of Blueliv interaction to accurately scope and size requirements.

MSSPs really must scrutinize the issue of flexibility very carefully so that their individual customers can be easily sized and provided with the right modules, within an easy to calculate, predictable, transparent cost structure. Blueliv, for example, is sufficiently straightforward for MSSPs to self-serve many aspects of ordering and provisioning, with granular billing on a customer-by-customer basis. Blueliv also operates a utility-based model that allows all an MSSP’s end-customers to be aggregated onto a single license – further reducing costs.

TAKEAWAY: Look for a flexible, cloud-based, multi-tenant threat intelligence platform you can leverage on a pay-as-you-grow licensing model, that enables you to onboard each new customer in minutes.



The evolution of the threat intelligence market is expected to continue apace in the coming years, with various analysts forecasting CAGR of almost 20% to 2023 and a total value of up to €12.9 billion. MSSPs want a slice of the action but choosing a vendor can be a minefield. Proceeding with caution to locate a partner with the greatest market relevance, modularity, scale, support and integration will be essential to guaranteeing success.

Interested in adding threat intelligence to your MSS portfolio? Click through to our dedicated MSSP site and talk to an expert today.

The post Challenges for MSSPs wanting to take on threat intelligence appeared first on Blueliv.

*** This is a Security Bloggers Network syndicated blog from Blueliv authored by Xavier Coll. Read the original post at: