
Why MSSPs Must Use Tools Built for Their Needs


Guest blog courtesy of LimaCharlie.

MSSPs need to use tools built for them, or risk being left behind by solutions vendors that treat them as second-class citizens.

At LimaCharlie, we saw a dramatic example of this when testing our new Endpoint Protection (EPP) extension for the SecOps Cloud Platform (SCP):

Microsoft Defender for Endpoint alerts appeared in the SCP in near real-time as expected. However, within Microsoft’s own product, those same alerts lagged by anywhere from five minutes to six hours.

This isn’t an isolated phenomenon, as most service providers are no doubt aware. It tracks with what we and others have seen in the Microsoft ecosystem and in many other tools and platforms as well. Unexplainable lags, incomplete telemetry data, and constant compatibility issues are all daily pain points for security service providers.

In this post, we’re going to look at why this is the case—and what MSSPs can do to start getting better outcomes.

Not designed for security: The problem of general IT

The first part of the “why” is something everyone in our industry faces: the vast majority of the software and systems in the environments we defend weren’t designed to meet our needs.

In a way, that makes perfect sense. Global IT is a $5 trillion market. Cybersecurity is just a fraction of that. Most tech is simply built and optimized for someone else (business users, software developers, cloud engineers, etc.) and not for security teams.

But unfortunately, that has some pretty negative consequences for cybersecurity. Log data propagates through systems far more slowly than incident responders would like. Telemetry arrives in the SIEM, but with important data missing. The unabridged log may only appear hours or even days later.

To address these gaps, cybersecurity teams have turned to specialized point solutions or, increasingly, all-in-one security platforms.

But here’s where things get doubly tricky for MSSPs—because most security tools aren’t built for them either.

Not for MSSPs: The state of the cybersecurity tool market

As cybersecurity is to general tech, so the managed security services space is to the wider cybersecurity industry: a smaller subset of a much larger market and, therefore, an afterthought to many vendors.

For managed services businesses, this dynamic manifests in a number of ways, none of them good.

The core of the problem is that many security tools used by MSSPs are aimed primarily at enterprise users—and sold by vendors whose culture and business practices align poorly with the needs of service providers.

This has serious drawbacks for MSSPs:

  • Many security tools require manual configuration and changes. That’s cumbersome but somewhat tolerable in an enterprise environment.
  • Solutions often lack the flexibility MSSPs need. One-size-fits-all might be OK for a single organization. But that will never work for MSSPs, who must constantly customize and refine their toolset to optimize security for the diverse sectors and client types they serve.
  • The pricing model of most security vendors is also a poor fit for MSSPs. Fixed minimums and long-term contracts make it hard to scale tool usage up or down quickly and cost-effectively: an impediment to taking on new clients or adjusting to changing business needs.
  • The glacial pace of a typical cybersecurity vendor’s sales process makes it hard to deploy tools rapidly when the need arises. For example, consider a service provider called into an urgent IR engagement. The IR team may be ready to begin—but if a specialized tool is required, someone first has to speak with a vendor’s sales group, agree on pricing and licensing, sign a contract, etc. Tick tock.
  • Many cybersecurity platform vendors now have managed services divisions as well. Buying mission-critical infrastructure from your direct competitor is, to put it mildly, a high-risk proposition.
Takeaways for MSSPs: LimaCharlie’s EPP as a case in point

That’s the bad news. The good news is that an increasing number of cybersecurity infrastructure providers are focused on MSSPs. And service providers that use tools built for their needs can give themselves a huge competitive advantage.

The SCP’s EPP extension is a case in point. EPP helps MSSPs get more out of their free instances of Microsoft Defender Antivirus (previously Windows Defender):

  • Defender Alerts give teams wire-speed access to Windows Defender telemetry data—in many cases faster than what is possible using native Microsoft tools.
  • Defender Check lets teams query Windows machines to determine if an active Defender instance is present, easily identifying unprotected workstations.
  • Remote AV Scan allows defenders to launch Defender AV scans on Windows endpoints, either ad hoc or using the SCP’s automation capabilities to schedule regular scans.
  • Exclusion Controls can be used to instruct Defender to ignore specific files, folders, processes, and file types to provide tailored, real-time protection and scanning.

Just as importantly, EPP is part of a larger, public cloud-like security platform for MSSPs: the LimaCharlie SecOps Cloud Platform. This offers service providers some significant advantages:

  • Endpoints can be managed through a single, unified interface.
  • Modern, scalable SecOps is enabled by infrastructure-as-code controls, multi-tenancy, role-based access controls, and extensive automation capabilities.
  • The platform’s public-cloud delivery model is almost always a better fit for the business and operational requirements of service providers, with on-demand access, open APIs, metered billing, and no mandatory long-term contracts or minimum fees.

The lesson for MSSPs is clear. It’s true that most IT and cybersecurity tools are not built with service providers as their primary audience. But an increasing number of specialized tools are.

MSSPs should seek every opportunity to leverage solutions designed for security service providers and delivered by a neutral vendor of infrastructure instead of a competitor.

Such tools can help MSSPs differentiate their service offerings, scale their operations without limitations, and succeed in a highly competitive security services marketplace.

Ready to see what purpose-built MSSP tooling can do for your business? Learn more about the SecOps Cloud Platform.
