Our team was recently at Black Hat USA in Las Vegas, Nevada, where we were able to meet with tons of MSSPs and take in the latest trends from the industry at large.
We heard what MSSPs are saying about SOAR (security orchestration, automation, and response), where their vendors are letting them down, and what features they’d like to see. We also saw what other vendors brought to Black Hat and how that might affect MSSPs.
So, in no particular order, here are a few things that we learned at Black Hat USA 2023.
The AI Use Cases for MSSPs are Still Being Defined
This year, artificial intelligence has been a story that has exploded well beyond technology media to capture massive attention. So, what were vendors at Black Hat saying about AI that could help MSSPs? In our world of security automation, there were lots of vendors talking about AI, of course, but how it will provide value to MSSPs remains to be seen.
The AI we saw on offer from security automation vendors generally fell into a couple of categories. One is using generative AI to automatically create things like reports and incident summaries, which could no doubt be useful for MSSPs, but similar features exist without the trendy “generative AI” tag. The other category is using machine learning to track common responses to alert types so that the system can recommend actions to users. This has been around in some form for many years, but its utility is limited. If a response is consistent enough for AI to confidently recommend it, MSSPs should already have playbooks and logic in place to automate those actions.
MSSPs Need High-Availability Alert Ingestion and Proper Error Handling
Something we heard in multiple one-on-ones with leaders at MSSPs was that high-availability alert ingestion was a priority when assessing tools. If SOAR, XDR, or another tool is meant to be the heart of an MSSP’s SOC, it cannot afford to stop ingesting events, especially if the tool does not make it obvious that an error has happened. The MSSPs we spoke to were looking for tools that could promise the highest possible availability during ingestion and provide real-time alerts of ingestion errors.
Reports of the Death of SOAR Have Been Greatly Exaggerated
One vendor’s message for the event was that SOAR is dead! It was a somewhat tongue-in-cheek marketing campaign of course, but there is always a kernel of truth behind something like that. So, why would someone say SOAR is dead? Well, as we heard from many prospects at Black Hat, traditional SOAR has not always lived up to its promises, and MSSPs have lost patience.
MSSPs with traditional SOAR tools told us they were struggling with things like scalability, the difficulty of creating workflows and integrations, and the reactive nature of SOAR. These are all common complaints against traditional SOAR vendors, and that’s why a little bit of pressure to evolve can only be good, even if we think SOAR will be alive and well for a long time.
About D3 Smart SOAR for MSSPs
D3 Security supports MSSPs around the world and goes far beyond the limitations of traditional SOAR with our Smart SOAR platform. D3 Security supports full multi-tenancy, so you can keep client sites, data, and playbooks completely segregated. Importantly, we’re vendor-agnostic and independent, so no matter what tools your clients use, our unlimited integrations will meet their needs. D3’s Event Pipeline can automate the alert-handling capacity of dozens of analysts, while reducing alert volume by 90% or more. Watch our case study video with High Wire Networks to see how a successful MSSP uses Smart SOAR.