4 SOCaaS and MDR Insights for the New Decade
It can be said with a very high degree of certainty that security breaches will continue to challenge organisations well into the foreseeable future. It is a constant battle for resources, manpower, technologies and tools that allow swift identification of suspect files and activities among millions of data packets, real-time sessions and billions of entry and exit points of a given network. Even organisations with the highest security investment lack the full set of skills needed to monitor their networks effectively.
Managed Detection and Response is a rather newly defined space and is still confused at times with other managed services. In its true form, MDR is what the name says: the task of detecting and investigating threats and suspicious activities is assumed by an outside provider that specialises in this activity and handles remediation remotely. That focus and attention to detail can probably not be supplied in-house with the same intensity, and certainly not at the price point that MDR providers reach by scaling their expertise.
A SOCaaS/xDR platform behind an MDR or SOCaaS service is meant to increase the visibility a customer has into breaches in their organisation. This should be done with the best possible customer experience, which means:
- Augmentation of their monitoring and response capabilities without the need to change the internal team’s processes
- Collaboration options between analysts and customers
- Clear and immediate communication through a well-defined channel
- Timely notification about events and updates
- Detailed metrics & KPIs to follow trends, see the ROI of the service and improve their coverage in cooperation with the MSSP
4 Insights from Collaboration with MSS Clients
Here are some trends we detected during our cooperation with MSS partners (for MDR or SOCaaS) and Service Delivery Managers, some of which will shape this niche, and cyber technology in general, in the next few years:
1) Ticketing System Integration: No Longer a Neglected Feature
Downstream process integration is critical for SOCaaS and MDR solutions, and the client’s ticketing/service desk system plays a key role in this function. Two-way integration with ticketing platforms such as Jira, ServiceNow and BMC Remedy allows for efficient workflows.
An example of how this plays out in practice:
- A client’s security team consists of 2-7 members
- The MSSP/MDR provider reports an incident to the client, and this action automatically creates a ticket in the client’s internal ticketing system
What they gain is:
- Immediate notification
- Collaboration with their internal team without needing to use the SOCaaS/xDR platform
- Tracking of all relevant team activity in one place/UI
They can then handle the ticket, its updates are sent automatically back to the SOCaaS/xDR platform, and the entire exchange with SOC analysts proceeds without anyone having to log in to the managed security platform.
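The two-way flow described above, as an added example that is not code from the article or from any vendor’s product: an MDR platform pushes an incident into a client service desk, and the client’s ticket updates flow back into the MDR incident. The `ServiceDesk` class is a constructed stand-in for a Jira/ServiceNow-style system, and the status mapping tables, incident ids and ticket keys are assumptions made for illustration. The two points a practitioner cares about are that re-reporting the same incident must not open a duplicate ticket (the incident id is used as an idempotency key) and that an unmapped status coming back from the desk is rejected rather than silently written into the incident record.

```python
from dataclasses import dataclass, field
from typing import Optional

# Status vocabularies differ on the two sides; explicit mapping tables
# (constructed for this example) keep the sync deterministic both ways.
MDR_TO_DESK = {"new": "Open", "investigating": "In Progress", "resolved": "Done"}
DESK_TO_MDR = {v: k for k, v in MDR_TO_DESK.items()}


@dataclass
class Ticket:
    key: str
    summary: str
    status: str
    external_id: str            # the MDR incident id, used as the idempotency key
    comments: list = field(default_factory=list)


class ServiceDesk:
    """Constructed stand-in for a Jira/ServiceNow-style ticketing system."""

    def __init__(self):
        self.tickets = {}       # ticket key -> Ticket
        self._seq = 0

    def find_by_external_id(self, external_id: str) -> Optional[Ticket]:
        return next((t for t in self.tickets.values() if t.external_id == external_id), None)

    def create(self, summary: str, status: str, external_id: str) -> Ticket:
        self._seq += 1
        ticket = Ticket(f"SEC-{self._seq}", summary, status, external_id)
        self.tickets[ticket.key] = ticket
        return ticket


@dataclass
class Incident:
    incident_id: str
    title: str
    status: str = "new"
    ticket_key: Optional[str] = None
    timeline: list = field(default_factory=list)


class TicketSync:
    """Two-way bridge: MDR incidents -> desk tickets, desk updates -> MDR incidents."""

    def __init__(self, desk: ServiceDesk):
        self.desk = desk
        self.incidents = {}     # incident id -> Incident

    def push_incident(self, incident_id: str, title: str, status: str) -> Ticket:
        """Report an incident to the client. Re-sending the same incident id
        updates the existing ticket instead of opening a duplicate."""
        if status not in MDR_TO_DESK:
            raise ValueError(f"unknown MDR status {status!r}")
        incident = self.incidents.setdefault(incident_id, Incident(incident_id, title))
        incident.status = status
        ticket = self.desk.find_by_external_id(incident_id)
        if ticket is None:
            ticket = self.desk.create(f"[MDR {incident_id}] {title}", MDR_TO_DESK[status], incident_id)
        else:
            ticket.status = MDR_TO_DESK[status]
        incident.ticket_key = ticket.key
        return ticket

    def pull_ticket_update(self, ticket_key: str, status: Optional[str] = None,
                           comment: Optional[str] = None) -> Incident:
        """Apply a change made in the client's desk back to the MDR incident.
        An unmapped status is rejected rather than silently written through,
        and a comment already seen is not appended twice."""
        ticket = self.desk.tickets[ticket_key]
        incident = self.incidents[ticket.external_id]
        if status is not None:
            if status not in DESK_TO_MDR:
                raise ValueError(f"unmapped desk status {status!r}")
            ticket.status = status
            incident.status = DESK_TO_MDR[status]
        if comment is not None and comment not in ticket.comments:
            ticket.comments.append(comment)
            incident.timeline.append(f"client: {comment}")
        return incident


if __name__ == "__main__":
    # Constructed walk-through: report, update, then close from the client side.
    desk = ServiceDesk()
    sync = TicketSync(desk)
    sync.push_incident("INC-1001", "Suspicious outbound connection from WS-17", "new")
    sync.push_incident("INC-1001", "Suspicious outbound connection from WS-17", "investigating")
    sync.pull_ticket_update("SEC-1", status="Done", comment="Host isolated by client IT")
    print(desk.tickets["SEC-1"])
    print(sync.incidents["INC-1001"])
```

In a real deployment the desk-side half would be driven by the ticketing system’s webhook or polling API, and the mapping tables would be per-client configuration, since each client’s workflow states differ.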
2) Mobile Apps and Mobile-Friendly SOCaaS/xDR Platforms: A Fact
Incidents do not happen only during work hours! Sometimes clients need to be notified about an incident and act immediately even when they don’t have access to a PC. For this reason they ask for detailed email notifications about the reported incident and, when needed, the ability to respond from a mobile interface while still seeing the full description of the incident, deciding on its importance/urgency and then communicating with SOC analysts for response and remediation. Mobile adaptability therefore guides our product design, and we expect the traditionally stricter environment of cyber platforms and interfaces to become more mobile-ready and mobile-friendly.
3) Advanced and Detailed Metrics and Stats: Customizable or Irrelevant
Clients tend to become both more flexible and more independent in their reporting. When a security professional needs to report to their manager, they would rather skip the round trip through Service Delivery Managers and retrieve all the information they need, at the moment they need it, from the platform itself.
Just as they do in apps for many other services, they want to select a metric, choose the visualisation, build their own dashboard and then share it with their team or export it as a report.
Custom dashboards let users create statistics tailored to the needs of a specific company or of a role within that company. This is the next evolutionary stage after out-of-the-box metrics.
4) MSS Teams Can Work as Analysts Too, and It’s Good for All Sides
Sometimes MSS staff have the capacity to work as analysts/incident responders and may have their own internal incident management process. For this reason, a SOCaaS/xDR platform for MSSPs should give clients the option to work as analysts and collaborate with MSSP analysts flawlessly and efficiently. The expertise will stay at the edges and even become more specialised, but knowledge-sharing tools and carefully designed flows can create a much more collaborative reality, eventually allowing faster response times at network scale, and this will become noticeable in the next few years.