The year 2022 seemed to be a tipping point for MSSPs and SOAR. While adoption of automation among managed service providers has been growing for several years, there was a noticeable acceleration in the past 12 months. These days, when we talk to MSSP leadership about SOAR, they’re already paying attention and they usually have plans to implement security automation sooner rather than later.
This was also our first year writing guest posts for MSSP Alert, which has allowed us to communicate directly with leaders in the MSSP industry and see what messages resonate most with them. So, as we move into the new year, we wanted to take a quick look back at some of our most popular articles from 2022. All the original articles are linked below, as well as some more-recent content that expands on the same ideas.
Four Ways MSSPs are Improving their Margins with Next-Generation SOAR
Our first guest post on MSSP Alert was one of our most popular, explaining how the new generation of SOAR technology was driving business outcomes for MSSPs. If you want to learn more about this topic, we recently produced a case study video with VerSprite about how they are achieving some of the things described in the article.
Here’s an excerpt from the article:
NextGen SOAR Enables Higher-Value Capabilities
MSSPs use SOAR as a differentiator that expands the range of services they can provide, and the revenue they can bring in. Even if you are simply monitoring alerts for your clients, SOAR enables you to integrate with all of your clients’ alert sources as well as threat intelligence sources. So you can drive alerting from more sources and offer more comprehensive triage, correlation, and enrichment.
For MSSPs that have wanted to reimagine their offerings and stay ahead of the increasingly competitive field, SOAR’s response capabilities also enable MDR-like functions. With SOAR, you can handle the entire incident lifecycle if necessary — such as enriching alerts with intelligence and orchestrating response actions — even if you don’t have direct access to your client’s tools. Instead of simply alerting their clients of threats, MSSPs that use SOAR are able to resolve threats themselves, allowing them to ‘close the loop’ and maximize the value they provide.
The possibilities for ambitious MSSPs are expansive. We have seen MSSPs use SOAR to offer threat hunting services, by collecting IOCs from incidents in the SOAR tool and running playbooks that orchestrate searches for those IOCs across the tech stack. With next-generation SOAR tools, you can also grow revenue through desirable add-ons like MITRE ATT&CK TTP correlation and reporting.
How MSSPs can Beat MDRs at their Own Game
In May, we published another popular post, this time about a topic that all MSSPs should be concerned about: MDR. This article had an optimistic message, however, describing the ways MSSPs can leverage SOAR to keep up with the MDR firms they compete with. We recently expanded on some of the features described in this article in a post on our own blog.
Here’s an excerpt from the guest post:
The Opportunity for MSSPs
MSSPs are faced with a choice: keep providing the same services, and risk seeing their client base shrink, or take steps to evolve. Armed with SOAR, MSSPs have the opportunity to present clients with an alternative to the EDR/XDR-based services that major MDRs are promoting. Using SOAR to upgrade your services has several advantages, including:
- No vendor lock-in. Adding a vendor-centric solution like XDR isn’t the answer for MSSPs. That will limit you to the clients who use that vendors’ tools. With SOAR, your clients can use whatever tools they want.
- End-to-end, fully configurable playbooks. Not just simple automated actions.
- Go beyond EDR and NDR. With SOAR integrations, you can ingest data from, and orchestrate actions across, cloud systems, SIEM, email servers, and more.
- Efficient use of limited resources. With automation, adding new services isn’t an impossible task for MSSPs. You don’t need to add more staff or learn several new tools. SOAR provides a single interface from which to orchestrate detection and response.
Improving Analyst-to-Customer Ratio with Next-Generation SOAR
In the summer, another popular post covered one of the pain points for MSSPs that just never seems to go away: the difficulty of hiring and retaining skilled security analysts. In the article, we suggested some novel ways that SOAR can help MSSPs serve more customers without adding more analysts. For more about the cybersecurity skills gap, check out this blog.
Here’s a section from the guest post:
Support Collaboration Between Distributed SOC Teams
The global cybersecurity talent pool is vast, but it’s not easy for SOCs to access it. With Next Generation SOAR, cybersecurity practitioners from around the world can be virtually present in a single unified incident response platform. It offers the flexibility to support diverse SOC models, including a managed SOC and a globally distributed incident response team.
Analysts can work in tandem on investigations, submit notes, interviews, and other time-stamped artifacts to document and manage a case as its scope grows and evolves. Each artifact is tracked every step of the way in a chain-of-custody component.
Next Generation SOAR also provides a secure and flexible instant messaging and email interface so that SOC resources don’t have switch tabs and windows, and instead work on a single pane of glass. It offers built-in integrations with leading messaging and IT service platforms. All of this ensures that you can work together, whether they’re at work, at home, or on a beach resort, the SOC is always running at peak efficiency
Four New Ways to Generate Revenue in 2023
And for the last article from 2022 that we wanted to highlight, let’s go back a few months to October. In this post, we covered how MSSPs generate revenue through SOAR in ways that might not be obvious to everyone. Some of the use cases we covered are explored in depth in our whitepaper about SOAR playbooks that go beyond the SOC.
Here’s an excerpt from the guest post:
For large companies, onboarding and offboarding employees can be a time-consuming task, and when not done properly, can put their reputation and information security at risk. By integrating SOAR with tools like Active Directory, Okta, and CyberArk, MSSPs can automate user management for their clients.
Whether the trigger comes in via an emailed list of new employees, a Jira ticket, or a command from an integrated tool, an automated onboarding playbook can orchestrate adding a new user and auto-populating their fields in the identity management system. If the request came from a ticketing system, the playbook can then update the ticket and notify the relevant employees.
Deactivating a user follows a similar process, ensuring that access to sensitive systems is immediately revoked. While user management is technically an IT task, it is inseparable from a company’s security. We expect it will become much more common as a managed, automated service in the coming year.
The Ideal SOAR Solution for MSSPs in 2023
D3 Security supports MSSPs in every corner of the globe and enables high-value services with our NextGen SOAR platform. D3 Security supports full multi-tenancy, so you can keep client sites, data, and playbooks completely segregated. Importantly, we’re vendor-agnostic and independent, so no matter what tools your clients use, our 500+ integrations will meet their needs. The NextGen SOAR Event Pipeline can automate the alert-handling capacity of dozens of analysts, while reducing alert volume by 90% or more.