Bad actors are relentless in their attempts to infiltrate networks. Despite the most rigorous efforts by internal teams and managed security service providers (MSSPs), the result is breaches happen.
When that occurs, it’s important your MSSP is equipped to support you by being able to pivot from normal operations to emergency mode on your behalf to quickly and thoroughly facilitate and possibly handle the response.
This article covers the areas you should address to be sure your MSSP is equipped to support you in the case of a breach, whether they directly handle the incident response with you or hand it off to a third party.
Your managed security provider knowing your environment and how you do business is the first step to dealing with a breach.
Knowing your organization's business and security goals empower your MSSP to quickly pivot into incident response (IR) mode in the event your systems are breached. The security operations center (SOC) team should be able to answer questions from the IR team and provide access to logs and software to run queries.
Special Note: MSSPs whose services rely on black box technology force you to rely heavily on the MSS vendor. Be sure you have a clear idea of how to access your data in the event of a breach so you know you can (and how to) access your logs.
Related Reading: Employing MSSP Using Agnostic vs. Proprietary Technology
A third party acquainting itself with your organization takes time. Your MSSP should take the extra steps required to get to know your environment before you even sign on for services as part of its onboarding processes, and continually throughout the life of the partnership. This allows your vendor to build better alarms and alerts for you, and to tune your solution to block out the “noise” created by harmless traffic. This allows the MSSP to concentrate on the potential threats you and your team would normally have to handle yourselves.
Be sure your managed security vendor:
Practicing different attack scenarios is important in the planning of how your MSSP will handle the incident response (IR), either by themselves or by handing it off seamlessly to another party, if a breach occurs.
There are a few options for testing your IR preparedness. These include paper tests, attack simulations, and tabletop exercises. While each method has its pros and cons, a table-top exercise balances ensuring coverage and relevancy to your organization without requiring fewer resources such as internal expertise and expense.
Your table-top exercises should include key members of your MSSP team so that everybody involved understands the handoff of an incident from detection to response.
A good table-top exercise is customized to your organization so that it provides rigor and relevance in exploring ways to deal with an incident. It’s ideal for your team and the provider to be in the same room to run through incident scenarios. This allows the expert in charge to better assess the validity of what they're hearing and tune in to and more deeply probe areas that might be pain points for your organization.
For these reasons, it’s best to engage an MSSP that provides customized table-top exercise services. Questions you should ask to assess your MSSP’s ability to fulfill your needs include:
You should be testing several times a year. If you are using an MSSP with a black box solution, be sure you can access your data regularly.
When a breach occurs, rapid response is critical. Ideally, detection and quarantine of an attack occur before the hacker achieves “breakout”. This is the point where the hacker has successfully pivoted to other areas of the network and has gained multiple levels of persistence and command and control.
The longer an incident goes undetected and uncontained, the greater the foothold the attacker can establish within an organization. This causes the response to be more difficult and expensive to eradicate the bad guy.
Many factors create urgency regarding a breach, including the following:
Being able to collect data quickly allows you to get to a quicker root cause analysis to figure out exactly what happened.
Knowing the details of your service-level agreement (SLA) ahead of time helps to ensure your MSSP is equipped to support you in the case of a breach quickly and thoroughly. Whether your MSSP will handle the incident response or hand it off to a third party, it's important to understand how long it will take to move through the process from breach detection to getting boots on the ground and taking action to eradicate the threat.
If your managed security provider also handles the incident response, be sure your contract includes defined SLAs for IR to be certain once activity turns from operational to response, your provider is adequately staffed to immediately react.
If your MSSP is not equipped to handle an all-out incident response engagement, make sure you are partnering with another party and establishing SLAs and a responsible, accountable, consulted informed (RACI) matrix between all parties.
Proactively ask your MSSP how they measure SLA internally and ask for examples. Be specific by asking questions like:
Having these conversations beforehand as opposed to in the middle of the incident when stress is high and time list limited is important. Proactive planning will make the engagement run smoother and give a higher chance to contain the adversary quicker.
In the relentless fight to ward off bad actors, time is of the essence. Knowing the details of how well your MSSP is equipped to support you in case of a breach by getting the answers to these questions will help you both to pivot from normal operations to emergency mode to quickly and thoroughly handle response.
You may have hired them to lock out the bad guys, but all you got was locked into their big expensive solution. With Avertium’s managed security services, you get more rigor, more relevance, and more responsiveness. Contact us today.