For security intelligence, sharing of environment status and workflow (including accurate asset details) will help enhance the effectiveness of a managed security services provider (MSSP) in analyzing the potential impacts of security events. It is important that organizations maintain an efficient ticket workflow and closely manage the availability and accuracy of their asset details to ensure the MSSP can access them.
Share and Share Alike for Security Intelligence
It is crucial to be able to regularly update an MSSP’s information about your assets. The more an MSSP knows about your environment, the more effective it can be when tuning the environment and analyzing specific security events. For example, if an MSSP notices an attack is targeting a certain vulnerability in a specific asset type, it would significantly improve its analysis if it had access to an up-to-date asset inventory.
As for how to share asset details, your organization can work with the MSSP to determine which tools it has available for managing critical assets. Many MSSPs provide access to tools that enable enterprises to upload asset information and third-party vulnerability scan data as well as manually enter and edit critical server and device information.
Your organization’s network and host asset data can be used in real-time correlation with threat and vulnerability data for advanced, target-specific security risk and mitigation. For example, defining an asset’s criticality, sensitivity and regulatory status can facilitate insight regarding risk profiles.
Some MSSPs can associate risk profile information with source and destination IPs, events and vulnerability data, thereby providing organizations with a consolidated view of the threat, its potential success and the associated risks. This type of information allows organizations to make informed decisions regarding how to respond to security events, leading to better risk management.
It is important to understand that the MSSP’s ability to research a security event is dependent on its knowledge of your organization’s environment and risk policy. At a certain point, your organization must apply that knowledge to resolve or close a ticket and to take appropriate remediation actions. You should be aware that ultimate ticket resolution (as indicated by the closure of a ticket) is the organization’s responsibility internally.
Taking a Closer Look at the Ticket Management Process
A clearly defined ticket-handling process is key to enabling a closed-loop cycle. Ticket-handling procedures should include all types of tickets and should be mapped to roles and responsibilities across parties and functional areas within your organization to enable appropriate ticket assignment.
The following are some simple questions to ask:
- What do you do with tickets and alerts? What is the workflow?
- Do you have clear plan of ownership for various ticket types?
- Who owns the activity to research a security alert ticket?
- What are the remediation actions, and who owns them, if warranted?
- Is there a need for integration of MSSP ticket data into your internal ticketing system?
If you have engaged an MSSP to perform event monitoring, MSSP analysts should monitor your organization’s security events and then perform an initial event analysis. The MSSP should analyze event data to minimize false positives and to identify, classify and prioritize events that require your attention. For events that require escalation, the MSSP should generate an incident/offense ticket and/or notify your appropriate security contacts.
Optimum value from the use of an MSSP in your security intelligence operations program requires the effective execution of activities and updates on your side to keep the provider informed. Your MSSP relies on up-to-date data from you to appropriately handle current and future security events for your organization. Put simply, an integrated security program is just better security.
This article is Part 3 of a four-part article series. In Part 4, I will highlight additional key focus areas necessary to maximize value in the MSSP relationship and summarize the overall series.