In our previous blogs, we’ve described the potential for MSSPs to evolve using cutting-edge, next-generation security orchestration, automation, and response (SOAR). They can increase their margins through new capabilities and improved efficiency. They can even add response services to their offerings to keep pace with the rise of MDRs.
As we’ve shown in these blogs, SOAR clearly has the ability to raise the ceiling for what MSSPs can achieve operationally and economically. However, not every MSSP is in the position to take on a full-scale SOAR implementation. Smaller MSSPs, MSSPs with less mature operations, and MSSPs that don’t have capital to invest in major projects have different needs than those on which our previous blogs have focused. These MSSPs need to leverage SOAR in a way that is streamlined, affordable, and able to provide immediate ROI.
The good news is that this is doable. There is low-hanging fruit that SOAR can help MSSPs of any size and maturity reach without requiring long implementations, major upfront costs, or steep learning curves.
Automated Alert Triage and Enrichment
To minimize the scope of a SOAR deployment while seeing quick time-to-value (TTV), MSSPs should focus on one of their biggest time-sinks: alert monitoring and triage. Fortunately, this is what SOAR does best, so basic enrichment and triage workflows can be implemented very easily. For example, using integrations with a SIEM, EDR, firewall, threat intelligence platform, and Active Directory, an MSSP could set up a global triage playbook that automated several important tasks, including entity extraction, event correlation, open-source intelligence (OSINT) analysis, and whitelist/blacklist checks. This baseline level of automation alone can reduce time spent on triage by 90%.
For some MSSPs, this first level of triage is all they need. But if you are responsible for investigating alerts that are deemed to be significant, a second-level workflow can also be automated. Using the same basic set of integrations, this playbook will automate tasks including endpoint analysis, user analysis, and network analysis to assess the threat and present the analyst with all the information they need. All this can be done with out-of-the-box playbooks with minimal configuration, and tools can be swapped out to match each client’s environment.
Automated Notifications and Reporting
Another candidate for fast and easy automation through a limited-scope SOAR deployment is reporting. While not requiring the huge amounts of hours that alert-handling does, notifying clients of events and writing reports on significant incidents can still take up a lot of time.
If you are ingesting alerts into SOAR, you have everything you need to create a simple automation rule that notifies the client of events that meet predetermined criteria. With all the security data flowing through the SOAR platform, detailed incident reports can also be automatically assembled, with no need to manually gather data across logs and tools.
Automated Tracking
As much as your analysts would prefer to focus on security, running a successful MSSP requires a lot more. That includes tracking SLAs to make sure you’re always meeting agreed-upon timelines with each client, and tracking your billable hours to make sure you’re getting paid for all the work your team does.
Tracking of SLAs and billable hours are two more things that can be easily automated through a limited-scope SOAR deployment. Keeping your clients happy and your team focused on what they do best will pay off in the short and long term.
What Does this Mean for the Bottom Line?
MSSPs can improve their services with automation, but in order for automation to be prioritized by decision-makers, it also needs to improve profit margins. And it does. Let’s do some back-of-the-napkin calculations to get an approximate idea of how much MSSPs can save by automating the tasks we’ve talked about so far.
We estimate that basic automation of alert triage can save 15 minutes or more per alert. If your MSSP handles 400 alerts per day for clients, that means automated triage alone can save you $1 million per year, assuming an analyst salary of $90,000.
For alerts that are confirmed incidents and require further investigation, we estimate that automation saves upwards of 45 minutes per incident. So, if 10% of those 400 alerts need investigation, that’s another $360,000 of savings.
That’s without factoring in the other things we’ve covered, such as automated reporting. The fact is, automation is a clear path to better business outcomes for MSSPs. By focusing on limited-scope implementations, those outcomes are possible for any organization.
Seize the Opportunities of Automation at any Scale
D3 Security supports MSSPs in every corner of the globe and enables high-value services with our next-generation SOAR platform. D3 Security’s SOAR platform supports full multi-tenancy, so you can keep client sites, data, and playbooks completely segregated. Importantly, we’re vendor-neutral, so no matter what tools your clients use, our 500+ integrations will meet their needs. Our new offering for MSSPs, D3 Chronos, is a streamlined SOAR package that is designed to start paying for itself within two weeks while increasing your capacity 10x through automation.
Blog courtesy of D3 Security. Read more D3 Security guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.
