In previous articles, we’ve explained how MSSPs can pick the "low-hanging fruit" of automation, and how SOAR can help improve analyst-to-customer ratios. These articles covered how there are major gains to be found in both profit and quality of services through different levels of automation. In this article, we’ll illustrate the benefits of targeted automation — particularly valuable for small or mid-sized MSSPs — through a hypothetical case study.
In this case study, we’ll show how a small MSSP could save as much as $1 million per year with a strategic approach to automation that minimizes overhead and time-to-value.
How Can You Double Your Client Base When You’re Already Overwhelmed?
Let’s say our imagined MSSP has seven analysts serving 30 clients, with plans to double their client base as soon as possible. They have an annual revenue of approximately $1.2 million USD.
They are experiencing stagnated growth because their analysts are struggling to keep up with an unending stream of low-fidelity alerts from their clients. Adding new clients wouldn’t just mean hiring more analysts; it would also require more administrative work to track billable hours and SLAs.
They don’t want to commit to deploying a full SOAR platform because they think it will cost too much and require too much time to implement and maintain. They’re swamped enough as is.
Automate the Most Time-Consuming Tasks
A targeted use of automation is the solution we would prescribe this MSSP. Given their specific problems, they can focus on alert-handling and basic investigation, which are the processes that have been taking up so much of their time.
In addition, they need full multi-tenancy and automation that extends to administrative work, like SLA tracking and reporting. They can’t double their capacity if that’s going to double their paperwork and administrative time too.
With just two playbooks, they can automate exactly what they need, without getting bogged down in an overly complicated project. First, they need an alert-level playbook that integrates with the subset of tools that generate the most alerts in their clients’ environments — e.g. EDR, network security, and identity management. This playbook will triage every incoming alert by extracting artifacts (e.g. usernames, IPs, and device IDs), checking them against global lists, and making the decisions to dismiss or escalate the alert.
The second playbook they need is an incident-level playbook to investigate escalated alerts. In this playbook, incidents are enriched with threat intelligence and related incidents are retrieved from the incident database. The results are summarized in an automated report for the analyst, so they can decide to dismiss the incident or notify the client with an automatically generated incident report.
Kickstart Your Growth with Improved Efficiency
Now let’s do some back-of-the-napkin calculations on how much our hypothetical MSSP could save with this type of targeted automation.
We estimate that the alert-level playbook we described would turn a 15-minute process into one that takes just seven seconds. And the incident-level playbook cuts a 45-minute process down to 11 seconds. Even adding in five minutes for the analyst to review the results, that’s still a time-savings of almost 90% for the second playbook alone.
So, based on these estimates, if the MSSP is ingesting 300 alerts per day, that means they’re saving around 75 hours of labor per day, from the alert-level playbook alone. At a conservative estimate of analyst salaries, that’s an annual saving of $810,000.
Then, if 10% of those alerts are escalated to incidents, 30 incidents are going into the second playbook. Based on our estimate that includes five minutes of manual review on each incident, the MSSP is still saving around 20 hours per day. That’s $270,000 in salaries per year.
Between the two playbooks, that’s over $1 million in annual savings, just from this targeted use of automation. For our hypothetical MSSP, that means they’ll have the capacity to double their client base with minimal increase in headcount or budget.
That’s why we think it’s not an exaggeration to say that even a small MSSP can save $1 million per year by being strategic in how they use automation. This type of security automation is a game-changer for MSSPs who have previously written off SOAR because they think it will be too expensive or require too much time to get up and running.
Achieve Business Outcomes with Security Automation at Any Scale
D3 Security supports MSSPs in every corner of the globe and enables high-value services with our next-generation SOAR platform. D3 Security’s SOAR platform supports full multi-tenancy, so you can keep client sites, data, and playbooks completely segregated. Importantly, we’re vendor-neutral, so no matter what tools your clients use, our 500+ integrations will meet their needs. Our new offering for MSSPs, D3 Chronos, is a streamlined SOAR package that is designed to start paying for itself within two weeks while increasing your capacity 10x through automation.