Managed security service tools–the top 9 things you need to know
With projected business security spend growing to $170.4B by 2022 (Gartner), offering managed security services is a great way to build your security practice and become a trusted security advisor to your customers. In this blog we interviewed Brian Rauls, a technical marketing engineer with Ingram Micro’s Cybersecurity business unit. Read on to learn more about managed security services and how Ingram Micro can enable your go-to-market in this category.
Q: Security Operations Center as a service (SOCaaS) and managed detection and response (MDR) tools seem to be gaining a lot of traction lately. Can you help explain why?
A: The biggest driver is a lack of staffing in the security industry. There is currently a negative unemployment rate in security, and it’s hard to gain professionals—especially when you’re a small to medium-sized business that is competing for the same people that enterprises want at higher salary ranges. Using SOCaaS or MDR tools helps ensure you’re protected and augments current security measures without adding additional headcount.
Q: Can you explain, at a high level, how these managed security services work?
A: They’re all a little different. Every provider has similarities and differences, and they need to be thoroughly researched as to what is included to ensure your needs are being met (this is where the Ingram Micro Security experts can help). Generally, they include managed SIEM solutions for log correlation with APIs, parsing, normalization and analytics.
A general workflow is like this: the API connection pulls in logs from your appliances and other associated inputs, normalizes and parses them, brings them into the rule engine, and compares them against set policies; if certain measures are met, it will quarantine, block and send the situation to the analyst for human review. The SOCaaS or MDR tool will provide a single-pane-of-glass dashboard with your alerts, which provides actionable alerts for the company to apply remediation.
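The ingest, normalize, rule-engine and disposition workflow described above, as an added example in Python; it is not code from the original post or from any vendor’s product. The log lines, field names, the two policies and the dispositions are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample inputs (not real telemetry): a firewall CSV export and syslog-style auth lines.
FIREWALL_CSV = [
    "2024-05-01T10:00:01Z,10.0.0.5,203.0.113.9,allow,malware-c2",
    "2024-05-01T10:00:02Z,10.0.0.7,198.51.100.4,allow,web-browsing",
]
AUTH_SYSLOG = [
    "May  1 10:00:03 vpn1 sshd[812]: Failed password for admin from 198.51.100.77 port 51122 ssh2",
    "May  1 10:00:04 vpn1 sshd[812]: Failed password for admin from 198.51.100.77 port 51123 ssh2",
    "May  1 10:00:05 vpn1 sshd[812]: Failed password for root from 198.51.100.77 port 51124 ssh2",
    "May  1 10:00:06 vpn1 sshd[813]: Accepted password for alice from 10.0.0.12 port 40000 ssh2",
]
AUTH_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")

def normalize_firewall(line):
    """Parse one firewall CSV row into the common event schema (hypothetical field layout)."""
    ts, src, dst, action, category = line.split(",")
    return {"source": "firewall", "ts": ts, "src": src, "dst": dst,
            "action": action, "category": category}

def normalize_auth(line):
    """Parse one sshd syslog line into the common schema; unparsed lines are dropped."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    return {"source": "auth", "src": m.group(3), "user": m.group(2),
            "outcome": m.group(1).lower()}

def evaluate(events, failed_login_threshold=3):
    """Rule engine: compare normalized events against two constructed policies.
    Returns (src, disposition, reason) tuples; every disposition also goes to an analyst."""
    decisions = []
    # Policy 1: allowed traffic in a command-and-control category is quarantined and escalated.
    for e in events:
        if e["source"] == "firewall" and e["category"] == "malware-c2" and e["action"] == "allow":
            decisions.append((e["src"], "quarantine+analyst", "allowed traffic to a known C2 category"))
    # Policy 2: repeated failed logins from one source are blocked and escalated.
    failures = Counter(e["src"] for e in events if e.get("outcome") == "failed")
    for src, n in failures.items():
        if n >= failed_login_threshold:
            decisions.append((src, "block+analyst", f"{n} failed logins"))
    return decisions

def run_pipeline():
    """Ingest both inputs, normalize to one schema, then run the rule engine."""
    events = [normalize_firewall(line) for line in FIREWALL_CSV]
    events += [e for e in map(normalize_auth, AUTH_SYSLOG) if e]
    return evaluate(events)
```

Real services add many more sources and far richer policies, but the shape is the same: every input is reduced to one schema before any rule sees it, and a rule hit produces both an automated disposition and a hand-off for human review.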
Q: How do MDR and SOCaaS differ from some of the other similar technologies out there such as SIEMaaS and managed EDR?
A: The big difference is that SOCaaS and MDR are more holistic. Think of it like you’re bringing your stack and they’re going to manage that for you (log correlation, traffic, data, etc.). When you consider SIEMaaS, it’s more siloed—those tools will just do log correlation and not look at the rest of your stack. Similarly, managed EDR is more like a point solution where it will only manage the endpoint and nothing else in the network; it’s more of a narrow focus.
Q: Do SOCaaS and MDR vendors manage and configure devices?
A: These tools do not directly manage or configure devices; however, they do provide remediation recommendations. These tools do not provide “hands on the keyboard” configuration due to the liability of making changes to appliances, but they do recommend updates. Most vendors have a team that will guide you through changes if necessary, as well as additional security posture guidance throughout the year, which SIEM/EDR generally do not provide.
Q: Do MDR/SOCaaS tools also help manage SaaS and IaaS vendor offerings?
A: Yes, some are more robust than others and offer more API hooks that they can work from. Review the tools to make sure your cloud and infrastructure platforms are within the selected tool’s parameters.
Q: Can you explain how these solutions pull in data from different sources?
A: The general answer is through APIs. Some solutions include both physical and virtual sensors, and some have agents on endpoints for use outside of the network, which change the visibility level.
Q: Can these solutions help with compliance requirements?
A: Yes, every one of these solutions will help you become compliant with whatever frameworks or governance structures you need to follow (NIST, ISO, GDPR, HIPAA, PCI, etc.). Generally, they cover about a third of the controls within a framework. No one service will ensure compliance across the board, but these solutions are a huge help.
Q: Is incident response part of these offerings?
A: First, let’s define incident response because everyone’s definition is different. Incident response can be more on the “pre-boom” (before incident) or “post-boom” (after incident) side. As far as remediation services, most services provide alert handoffs, and there are even a few that will do post-forensics and full remediation. Ingram Micro’s Digital Transformation Solutions group also provides incident response help if needed.
Q: How are these solutions priced?
A: The most popular pricing models are per user, per device per user and log ingestion. We recommend the per device per user model vs. log ingestion. This ensures that you are fully covered (no logs are left to chance) and provides a more predictable monthly cost.
SOCaaS and MDR solutions can be complex, but Ingram Micro’s Cybersecurity Delta Force is here to help you determine what’s best for the environment in question. Leverage our team to help work through available options that meet your needs and maximize security posture.
Managed Security Services 101
Get an introduction from Brian Rauls, sr. technical marketing engineer at Ingram Micro, on managed security services and how they protect businesses.
Managed Security Services 201
Take a deeper dive into the transformation of managed service providers (MSPs) into managed security service providers (MSSPs) with Brian Rauls, sr. technical marketing engineer at Ingram Micro.