How to become a top MSSP

What are the most common issues around MDR?
We’re sometimes asked why we are so selective about the data that we use for detection, as we focus on a few key sources. This includes our own EDR and Windows authentication logs, while we keep other data, such as firewall logs, solely for forensic investigation.

This approach can be surprising for customers, who are used to feeding all security logs through a SIEM – but we have good reasons! Firstly, not all data is created equal and we know from experience that attack detection requires rich detail – something which is readily available from the endpoint but not from a firewall log. It can be tempting to think that more data must always mean better detection, but it’s not the case; if it’s the wrong data then you end up with more false positives, more processing costs and a weaker service.

Secondly, service providers like us need a consistent approach for all customers, otherwise delivery just gets too complicated as you scale. Using log data for detection would mean having a different approach for every customer, since no two customers have the same set of log sources.

How long does it take the service to become effective after onboarding?
Because of our focus on the ‘right’ data and detecting activity that’s malicious, rather than merely anomalous, the answer is that we’re effective straight away and the service requires very little customization for the detection to become effective. This is a far cry from more traditional detection approaches, where it can take many months of tuning before a monitoring service is actually adding any value.

What is the most important factor in becoming an efficient provider?
Focus and simplicity are key. Focus on the right services, technologies and data to deliver the outcomes that your customers need. Some of the worst mistakes a service provider can make include trying to do too many different things or doing the same things in too many different ways.

Having repeatable, reliable and efficient operations relies on minimizing complexity and the number of processes to optimize. It’s often tempting to agree to exceptions or special processes for certain customers, but reliable delivery then relies on your people remembering all of these exceptions, which is hard to ensure.

Of course, it’s also important to be a good partner to your customers and not say ‘no’ every time they ask for something, but this needs to be balanced against what’s actually realistic to deliver.

How does WithSecure’s MDR capability relate to the MSSP offering we have with our partners?
WithSecure’s Countercept is a premium 24×7 Managed Detection and Response service. It combines the best of our Elements technology with highly-skilled threat hunters and processes which have been honed over many years of defending enterprise customers. This combination ensures the detection and remediation of sophisticated attacks, while taking the burden of day-to-day investigations away from customers.

When compared with partner MSSP services, Countercept tends to serve larger and more complex organizations, provides greater investigative expertise and goes further with remediation. Countercept also includes Security Insights – reports generated by Security Engineers to highlight where customers can improve their security posture while reducing the likelihood and impact of any future attacks against them.  Over the years we’ve found that merely being great at detection and response is not enough – MDR providers need complementary service elements like Security Insights to deliver continuous value for their customers in the long term.

How does WithSecure’s Elements package enhance its own Countercept offering?
Elements EDR is the main technology behind the Countercept service and the first tool our threat hunters turn to for visibility, detection capability and response functionality. Therefore, it is a critical and core aspect of Countercept.

At WithSecure, how do we ensure that we’re always adopting best practices?
Our researchers and threat hunters are active members of the security community, regularly attending and presenting at conferences to ensure that their knowledge is up to date. We also benefit from having a strong offensive security capability in the company – our red team and blue team work together to share knowledge about the latest techniques for offence and defence, which continuously improves both offerings.

Finally, can you name three critical aspects that MDR is preparing for in the future?

1. More coverage for customers who operate in the cloud. Countercept is a finely-tuned machine for defending on-premises environments and at WithSecure, we want to match its effectiveness when defending cloud environments, too – something we don’t think has been cracked by any service provider even though there’s plenty of cloud security technology out there.
2. Even greater scale. Countercept is still growing rapidly and we know that even though the service is mature and efficient, we’ll never be able to stop improving. A lot of the scalability for us will come from technology enablement – automating away more and more manual effort so that our people’s expertise goes further.
3. Working alongside our other managed services, such as Attack Surface Management (ASM). Today, we have two very effective services that provide different sorts of cyber security outcomes – ASM discovering and minimizing external attack surface and Countercept detecting and responding to network intrusions. Both services will become even more effective as we combine the data they operate on and the tooling they use.

Discover more about our MSSP partner program here: Managed Service Providers | Cyber Security | WithSecure™

Sign up to gain unique MSSP insight and expertise right here: The Key to Operational Efficiency as an MSSP | WithSecure™

Learn more from our experts via our comprehensive partner training programs: Partner training | WithSecure™