Bad actors are relentless in their attempts to infiltrate networks. Despite the most rigorous efforts by internal teams and managed security service providers (MSSPs), the result is breaches happen.

When that occurs, it’s important your MSSP is equipped to support you by being able to pivot from normal operations to emergency mode on your behalf to quickly and thoroughly facilitate and possibly handle the response.

This article covers the areas you should address to be sure your MSSP is equipped to support you in the case of a breach, whether they directly handle the incident response with you or hand it off to a third party.

How well does your MSSP know your business?

Your managed security provider knowing your environment and how you do business is the first step to dealing with a breach.

Knowing your organization's business and security goals empower your MSSP to quickly pivot into incident response (IR) mode in the event your systems are breached. The security operations center (SOC) team should be able to answer questions from the IR team and provide access to logs and software to run queries.

Special Note: MSSPs whose services rely on black box technology force you to rely heavily on the MSS vendor. Be sure you have a clear idea of how to access your data in the event of a breach so you know you can (and how to) access your logs.

Related Reading: Employing MSSP Using Agnostic vs. Proprietary Technology

Proactively protect against a breach

A third party acquainting itself with your organization takes time. Your MSSP should take the extra steps required to get to know your environment before you even sign on for services as part of its onboarding processes, and continually throughout the life of the partnership. This allows your vendor to build better alarms and alerts for you, and to tune your solution to block out the “noise” created by harmless traffic. This allows the MSSP to concentrate on the potential threats you and your team would normally have to handle yourselves.

Be sure your managed security vendor:

• Provides you ready-made templates and questionnaires to complete to help them to get to know your business quickly and thoroughly
• Continues to hone your monitoring environment through regular touchpoints.
• Follows processes to capture your information to populate its wiki so this data can be shared with the entire team for consistency and speed-of-service. Confirm this information is reflected in your customized runbooks to match how you prefer to respond and react to different types of alarms.
• Conducts a baseline security assessment as part of the onboarding process to map your security maturity to a trusted framework (NIST CSF, ISO, COBIT, etc.) and then execute periodic reviews to ensure the MSSP is improving that maturity over time.
• Assigns you a technical account manager (TAM) whose sole purpose is to be an extension of your team and learn your environment from a people, process, and technology standpoint. Your TAM should stay abreast of changes your internal team is planning for your network environments like planned network changes, firewall replacement, and any AD migrations. Knowing your planned changes will allow your MSSP to minimize the time of lost visibility.

Does your MSSP have a testing, training, and exercise strategy?

Practicing different attack scenarios is important in the planning of how your MSSP will handle the incident response (IR), either by themselves or by handing it off seamlessly to another party, if a breach occurs.

There are a few options for testing your IR preparedness. These include paper tests, attack simulations, and tabletop exercises. While each method has its pros and cons, a table-top exercise balances ensuring coverage and relevancy to your organization without requiring extensive resources such as internal expertise and expense.

Your table-top exercises should include key members of your MSSP team so that everybody involved understands the handoff of an incident from detection to response.

A good table-top exercise is customized to your organization so that it provides rigor and relevance in exploring ways to deal with an incident. It’s ideal for your team and the provider to be in the same room to run through incident scenarios. This allows the expert in charge to better assess the validity of what they're hearing and tune in to and more deeply probe areas that might be pain points for your organization.

For these reasons, it’s best to engage an MSSP that provides customized table-top exercise services. Questions you should ask to assess your MSSP’s ability to fulfill your needs include:

• Are you equipped to provide customized table-top exercises?
• If not, what template scenarios do you already offer so that I can make sure they are relevant to me?
• Will you be present for executing the exercise, or will this occur over the phone?

You should be testing several times a year. If you are using an MSSP with a black box solution, be sure you can access your data regularly.

What is your service level agreement with your MSSP?

When a breach occurs, rapid response is critical. Ideally, detection and quarantine of an attack occur before the hacker achieves “breakout”. This is the point where the hacker has successfully pivoted to other areas of the network and has gained multiple levels of persistence and command and control.

The longer an incident goes undetected and uncontained, the greater the foothold the attacker can establish within an organization. This causes the response to be more difficult and expensive to eradicate the bad guy.

Many factors create urgency regarding a breach, including the following:

• Systems continue to operate; logs are rolling off the system, information in memory may be lost as systems reboot.
• Threat actors often provide a timeline for escalating data exposure, making it critical to head off their demands.  
• Businesses normally have 72 hours to contact the FBI’s Internet Crime Complaint Center (IC3) for the organization to attempt to stop ransomware payment on a transfer demanded through business email compromise.

Being able to collect data quickly allows you to get to a quicker root cause analysis to figure out exactly what happened.

Knowing the details of your service-level agreement (SLA) ahead of time helps to ensure your MSSP is equipped to support you in the case of a breach quickly and thoroughly. Whether your MSSP will handle the incident response or hand it off to a third party, it's important to understand how long it will take to move through the process from breach detection to getting boots on the ground and taking action to eradicate the threat.

If your managed security provider also handles the incident response, be sure your contract includes defined SLAs for IR to be certain once activity turns from operational to response, your provider is adequately staffed to immediately react.

If your MSSP is not equipped to handle an all-out incident response engagement, make sure you are partnering with another party and establishing SLAs and a responsible, accountable, consulted informed (RACI) matrix between all parties. 

Proactively ask your MSSP how they measure SLA internally and ask for examples. Be specific by asking questions like:

• What processes do you have in place?
• Do you have KPIs that drive your operations?
• How long will it take to get security information from their systems upon request during an incident?
• How long do you keep data in Hot, Warm, and Cold Storage?

Having these conversations beforehand as opposed to in the middle of the incident when stress is high and time list limited is important. Proactive planning will make the engagement run smoother and give a higher chance to contain the adversary quicker.

In the relentless fight to ward off bad actors, time is of the essence. Knowing the details of how well your MSSP is equipped to support you in case of a breach by getting the answers to these questions will help you both to pivot from normal operations to emergency mode to quickly and thoroughly handle response.

You may have hired them to lock out the bad guys, but all you got was locked into their big expensive solution. With Avertium’s managed security services, you get more rigor, more relevance, and more responsiveness. Contact us today.