For security intelligence, sharing of environment status and workflow (including accurate asset details) will help enhance the effectiveness of a managed security services provider (MSSP) in analyzing the potential impacts of security events. It is important that organizations maintain an efficient ticket workflow and closely manage the availability and accuracy of their asset details to ensure the MSSP can access them.

Share and Share Alike for Security Intelligence

It is crucial to be able to regularly update an MSSP’s information about your assets. The more an MSSP knows about your environment, the more effective it can be when tuning the environment and analyzing specific security events. For example, if an MSSP notices an attack is targeting a certain vulnerability in a specific asset type, it would significantly improve its analysis if it had access to an up-to-date asset inventory.

As for how to share asset details, your organization can work with the MSSP to determine which tools it has available for managing critical assets. Many MSSPs provide access to tools that enable enterprises to upload asset information and third-party vulnerability scan data as well as manually enter and edit critical server and device information.

Your organization’s network and host asset data can be correlated in real time with threat and vulnerability data for target-specific risk assessment and mitigation. For example, defining an asset’s criticality, sensitivity and regulatory status gives the MSSP insight into the risk profile of anything that touches that asset.

Some MSSPs can associate risk profile information with source and destination IPs, events and vulnerability data, thereby providing organizations with a consolidated view of the threat, its potential success and the associated risks. This type of information allows organizations to make informed decisions regarding how to respond to security events, leading to better risk management.

It is important to understand that the MSSP’s ability to research a security event depends on its knowledge of your organization’s environment and risk policy. At a certain point, your organization must apply that knowledge to resolve or close a ticket and to take appropriate remediation actions. Ultimate ticket resolution (as indicated by closure of the ticket) remains your organization’s internal responsibility.

Taking a Closer Look at the Ticket Management Process

A clearly defined ticket-handling process is key to enabling a closed-loop cycle. Ticket-handling procedures should include all types of tickets and should be mapped to roles and responsibilities across parties and functional areas within your organization to enable appropriate ticket assignment.

The following are some simple questions to ask:

  • What do you do with tickets and alerts? What is the workflow?
  • Do you have a clear plan of ownership for the various ticket types?
  • Who owns the activity to research a security alert ticket?
  • What are the remediation actions, and who owns them, if warranted?
  • Is there a need for integration of MSSP ticket data into your internal ticketing system?

If you have engaged an MSSP to perform event monitoring, MSSP analysts should monitor your organization’s security events and then perform an initial event analysis. The MSSP should analyze event data to minimize false positives and to identify, classify and prioritize events that require your attention. For events that require escalation, the MSSP should generate an incident/offense ticket and/or notify your appropriate security contacts.
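The correlation described above (asset criticality, regulatory status and vulnerability scan results attached to each event, then used to decide which events deserve an incident ticket), as an added example that is not part of the original article; the asset inventory, CVE identifiers and events are constructed sample data, and the scoring weights are an illustrative assumption rather than any MSSP’s actual method:

```python
"""Enrich raw security events with asset inventory and vulnerability data,
then prioritize and escalate. Added example; all records are constructed."""
from dataclasses import dataclass, field

@dataclass
class Asset:
    ip: str
    hostname: str
    criticality: int          # 1 (low) .. 5 (business critical)
    regulated: bool           # in scope for a regulatory regime (e.g. PCI)
    vulns: set = field(default_factory=set)   # open CVE ids from scan upload

# Constructed inventory; the CVE id is a placeholder, not a real advisory.
ASSETS = {
    "10.0.1.10": Asset("10.0.1.10", "pay-db-01", 5, True, {"CVE-0000-1111"}),
    "10.0.2.20": Asset("10.0.2.20", "kiosk-07", 1, False, set()),
}

def enrich(event: dict) -> dict:
    """Attach asset context and a numeric priority to one raw event.

    event: {"dst_ip", "signature", "cve"}; "cve" is the vulnerability the
    signature targets, or None when the signature has no known CVE link.
    """
    asset = ASSETS.get(event["dst_ip"])
    out = dict(event)
    if asset is None:
        # Unknown asset: impact cannot be judged; flag for inventory follow-up.
        out.update(asset="unknown", exploitable=None, priority=2)
        return out
    exploitable = event["cve"] is not None and event["cve"] in asset.vulns
    priority = asset.criticality
    if exploitable:
        priority += 3       # the target is actually vulnerable to this attack
    if asset.regulated:
        priority += 1       # a breach here carries regulatory consequences
    out.update(asset=asset.hostname, exploitable=exploitable,
               priority=min(priority, 10))
    return out

def triage(events: list) -> list:
    """Return enriched events that warrant an incident ticket, highest first."""
    enriched = [enrich(e) for e in events]
    return sorted((e for e in enriched if e["priority"] >= 5),
                  key=lambda e: -e["priority"])
```

The same attack signature against the critical, vulnerable database is escalated while the identical signature against the unpatched-irrelevant kiosk is not, which is the false-positive reduction the asset data makes possible.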

Optimum value from the use of an MSSP in your security intelligence operations program requires the effective execution of activities and updates on your side to keep the provider informed. Your MSSP relies on up-to-date data from you to appropriately handle current and future security events for your organization. Put simply, an integrated security program is just better security.

This article is Part 3 of a four-part article series. In Part 4, I will highlight additional key focus areas necessary to maximize value in the MSSP relationship and summarize the overall series.
