In our work with MSSPs, we’ve heard time and time again that client communication remains one of the largest time-wasters in their day-to-day. It’s disorganized, there’s poor tracking during shift handovers, and responses from clients aren’t synchronized with automated playbook actions.
Based on these inputs from our MSSP partners, we’ve determined there is a simple technology solution. Read on to learn how it works and what the benefits are.
The Usual Scenario
See if this sounds familiar. You work for an MSSP that serves many clients. Communication is an ad hoc process, using ticketing tools and emails. For each incident that requires a client’s review or approval, your SOC team has to follow up with them manually, wait to see their response, and then take the next step to handle the incident.
When you’re handing off work to the next shift, or picking up where your colleague left off with a client a few days before, this process can get messy. It’s also time-consuming and leads to slower remediation of incidents. Every SOC analyst at an MSSP wishes that chasing down clients for approvals wasn’t part of their job.
What’s Different in a Synchronized Environment?
In working with MSSPs, what we’ve learned makes the biggest difference is to have an environment that clients can access, which is synchronized with the MSSP’s case management and automation capabilities. Analysts can send specific incidents to this environment and clients can log in to respond to tickets, make changes, and leave comments.
Rather than clients having to keep track of emails and messages to know what tickets are a top priority, they can review them in the secured environment and add their input. Any replies can be automatically reflected in the case management platform.
When considering what features would be most useful in this type of environment, our MSSP partners told us it would be useful for things like:
- Changes in severity. If a client escalates or de-prioritizes an incident, it could be reflected in the analyst's queue.
- Changes to status. If a client closes or re-opens a ticket, that could be reflected in the analyst's queue as well.
- Changes to the incident owner. The analyst would know if the client has assigned the ticket to themselves for follow-up.
- Comments. The analyst could add comments and details about the ticket for clients to view, and vice versa.
- Approval. The client can approve or deny requests to move tickets forward.
Can This Be Achieved with a Ticketing Platform Alone?
Some of the functionality we’re describing can be done by a ticketing platform like Jira, but what those platforms lack is the ability to synchronize with automation that the MSSP is running. For example, if the client approves the isolation of an endpoint, that approval still has to be seen by an MSSP analyst who then executes the action.
Unless the MSSP has written custom scripts to monitor the ticket and run the appropriate endpoint action, the process is still manual, and therefore not fully synchronized.
Instead, if an MSSP uses an environment for client interaction that is synchronized with their SecOps platform, client approvals can directly trigger automated actions. This eliminates dwell time and reduces manual work.
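As an added illustration (not D3's code or any product API), the following Python sketch shows the bi-directional sync described above: the five client-portal event types are mirrored into an MSSP case record, and a client approval triggers the pending automated action only when it matches the outstanding request and the client's own tenant. The names Case, apply_portal_event and the ACTIONS hooks are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical automation hooks; a real SOAR would hand these to its playbook engine.
ACTIONS = {
    "isolate_endpoint": lambda case: f"isolate_endpoint executed for case {case.case_id}",
}

@dataclass
class Case:
    case_id: str
    tenant: str
    severity: str = "medium"
    status: str = "open"
    owner: str = "mssp-analyst"
    comments: list = field(default_factory=list)
    pending_approval: Optional[str] = None  # action the client has been asked to approve
    audit: list = field(default_factory=list)

def apply_portal_event(case: Case, event: dict):
    """Mirror one client-portal event into the case; return an automation result or None."""
    # Multi-tenant segregation: a client may only act on cases in its own tenant.
    if event["tenant"] != case.tenant:
        raise PermissionError("event tenant does not match case tenant")
    kind, actor, value = event["type"], event["actor"], event.get("value")
    result = None
    if kind == "severity":
        case.severity = value
    elif kind == "status":
        case.status = value
    elif kind == "owner":
        case.owner = value
    elif kind == "comment":
        case.comments.append((actor, value))
    elif kind == "approval":
        # Only an approval for the action actually pending may trigger automation.
        if event.get("action") != case.pending_approval:
            case.audit.append((actor, "approval ignored: no matching pending request"))
            return None
        case.pending_approval = None
        if value == "approve":
            result = ACTIONS[event["action"]](case)
        else:
            case.audit.append((actor, f"denied {event['action']}"))
    else:
        raise ValueError(f"unknown portal event type: {kind}")
    case.audit.append((actor, f"{kind}={value}"))  # every client change is recorded
    return result
```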
Benefits of a Synchronized Environment
The MSSPs we work with saw major potential benefits to having a ticket management solution that bi-directionally synced with their case management and automation capabilities. In fact, some had plans to build the necessary software themselves. To summarize, the potential benefits include:
- No more back-and-forth email communication, which means no more time wasted on follow-ups, and no more information lost between team members.
- Faster resolution of incidents because of automated workflows. These automations could include SLA time tracking, notifications to incident owners about changes to the incident, and remediation actions in the client’s environment.
- Simpler communication and more professional interaction with their clients.
About D3 Smart SOAR for MSSPs
D3 Security supports MSSPs around the world and enables high-value services with our Smart SOAR platform. D3 Security supports full multi-tenancy, so you can keep client sites, data, and playbooks completely segregated. Importantly, we’re vendor-agnostic and independent, so no matter what tools your clients use, our unlimited integrations will meet their needs.
D3’s Event Pipeline can automate the alert-handling capacity of dozens of analysts, while reducing alert volume by 90% or more. Watch our case study video with Trifork Security to see how a successful MSSP uses Smart SOAR.