I am having some strange epiphanies as I go knee-deep into SIEM engineering. While the MSSPs have existed in all flavors and sizes, there seems to be a broad consensus that they simply can’t mimic the capabilities of an in-house security operations function – especially when it comes to gaining context, visibility and speed.
I think this is a classic misconception stemming from a skewed understanding of the MSSP’s underlying business and engineering priorities.
It must be kept in mind that the remit of an MSSP is slightly divergent from that of a pure-play enterprise security function. First, MSSP platforms are tied more tightly to compliance requirements than to anything else. This naturally divides the cost and attention between incident response and governance.
Second, the engineering challenges for an MSSP far outweigh anything which even a best-of-breed security response function would encounter. To gain uniformity and agnosticism over its diverse monitoring environment, an MSSP has to wade through tons of event taxonomies, vendor integrations, contractual obligations and so many other operating parameters.
While an enterprise security function engineers for situational awareness, an MSSP engineers for both situational awareness and situational consistency. That said, there is nothing stopping an MSSP from pursuing excellence in its detection capabilities, provided the rules of the game are better appreciated.
Anton Chuvakin – a pioneer of security correlation, formerly one of Gartner’s best-known experts on SIEM and now a strategist at Google Chronicle – wrote an amazing blog post on the long-prevalent glass ceiling of SIEMs. The article is so good that I shed a solitary tear while reading it!
Of course, we still haven’t solved the problem of standardizing event taxonomies. If not engineered correctly, SIEMs often become these one-way streets which make the modelling and monetization of security telemetry close to impossible.
Think, for a second, why would a man like Chuvakin sitting at the helm of a limitless data analytics behemoth like Chronicle be talking about SIEMs?
The answer is simple: the playing field is still level for the MSSPs to make a dent. Analytical edge has to be balanced with business and operational clarity.
In his four-part series on detection, Chuvakin further emphasizes that “no amount of storage is going to make an organization safer if said organization cannot slice and dice or otherwise get at the stored data.”
Absolutely. What this really means is that your security data lake (ingestion, pre-processing, normalization and enrichment) should be kept separate from data modelling (event correlation and analytics). What this also means is that the secret to an MSSP’s technical edge lies within the platform architecture.
One more parameter that MSSPs need to add to their business plans is the data model. It’s the wellspring of monetization in a world driven by SaaS, analytics and telemetry economies of scale.
Sure, MITRE ATT&CK provides you with a nice ontology which could also be morphed into business use-cases – but as former DARPA hacker and L0pht member Mudge pointed out, it’s just the beginning.
The Holy Grail for an MSSP is an extensible and interoperable stack which irons out the wrinkles in event normalization to arrive at a universal taxonomy, ontology and knowledge repository. It’s the road to SaaS nirvana.
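To make the split between the data lake and the data model concrete, here is a small sketch added for illustration (it is not code from any SIEM or MSSP platform). The two vendor formats, the field names of the common taxonomy and the threshold are all assumptions; the point is that the detection only fires because three failures from two different vendors land in one schema before the correlation rule ever sees them.

```python
import re
from collections import defaultdict
# Constructed events in two hypothetical vendor formats (not real product output).
RAW_EVENTS = [
    ("vendor_a", "2024-05-01T10:00:01Z sshd FAILED user=alice src=203.0.113.7"),
    ("vendor_a", "2024-05-01T10:00:05Z sshd FAILED user=alice src=203.0.113.7"),
    ("vendor_b", {"ts": "2024-05-01T10:00:09Z", "evt": "logon_denied", "account": "alice", "ip": "203.0.113.7"}),
    ("vendor_b", {"ts": "2024-05-01T10:00:12Z", "evt": "logon_ok", "account": "alice", "ip": "203.0.113.7"}),
    ("vendor_c", "line from a source that has no normalizer yet"),
]
A_LINE = re.compile(r"(?P<ts>\S+) sshd (?P<res>FAILED|ACCEPTED) user=(?P<user>\S+) src=(?P<ip>\S+)")
B_OUTCOME = {"logon_denied": "failure", "logon_ok": "success"}

def _norm_a(raw):
    m = A_LINE.fullmatch(raw)
    if not m:
        return None
    outcome = "failure" if m["res"] == "FAILED" else "success"
    return {"time": m["ts"], "action": "authentication", "outcome": outcome, "user": m["user"], "src_ip": m["ip"]}

def _norm_b(raw):
    if raw.get("evt") not in B_OUTCOME:
        return None
    return {"time": raw["ts"], "action": "authentication", "outcome": B_OUTCOME[raw["evt"]], "user": raw["account"], "src_ip": raw["ip"]}
NORMALIZERS = {"vendor_a": _norm_a, "vendor_b": _norm_b}

def normalize(events):
    """Lake layer: map vendor records to the common taxonomy; keep what fails to parse."""
    ok, rejected = [], []
    for vendor, raw in events:
        fn = NORMALIZERS.get(vendor)
        rec = fn(raw) if fn else None
        if rec:
            ok.append({**rec, "vendor": vendor})
        else:
            rejected.append((vendor, raw))
    return ok, rejected

def failures_then_success(records, threshold=3):
    """Correlation layer: reads only common-taxonomy fields, never vendor formats."""
    fails, alerts = defaultdict(int), []
    auth = sorted((r for r in records if r["action"] == "authentication"), key=lambda r: r["time"])
    for r in auth:
        key = (r["user"], r["src_ip"])
        if r["outcome"] == "failure":
            fails[key] += 1
        elif (n := fails.pop(key, 0)) >= threshold:  # success after a run of failures
            alerts.append({"user": key[0], "src_ip": key[1], "failures": n, "time": r["time"]})
    return alerts
```

Onboarding a new vendor means adding one entry to `NORMALIZERS`; the correlation rule stays untouched, and the rejected list shows which telemetry is still invisible to it.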