How External Intelligence Can Bring Value to MSSPs
Increasingly sophisticated cyberthreats and the cybersecurity skills shortage have given rise to managed security service providers (MSSPs) as a more cost-efficient alternative to running an in-house security operations center (SOC). Moreover, since MSSPs are able to aggregate and correlate data across all clients’ networks, applications and end-point devices, the scale and scope of their telemetry enables them to find more meaningful correlations within their metadata and flag potential security events with greater accuracy.
That being said, MSSPs that only collect and analyze data gleaned from their clients’ network environments without supplementing these data sets with external intelligence are ignoring a critical blind spot: the cybercrime underground, where threats bubble before coming to fruition.
By establishing partnerships that deliver access to external intelligence, MSSPs can enhance their outsourced offerings to more effectively address the following challenges:
Compromised credentials: A classic example of how MSSPs can leverage external intelligence to better serve their clients is the identification of compromised credentials. While having unique credentials for every account is a core tenet of security hygiene, it’s all too common to reuse username/password combinations across multiple accounts. This opens the door for credential stuffing attacks — large-scale, automated attempts to access additional user accounts using compromised username/password combinations.
Suppose you’re an analyst at a large MSSP and a hacker compromises a major e-commerce website, obtains a large volume of compromised username/password combinations, and advertises them for sale on an illicit online marketplace. Without access to external data sets for compromised credentials floating around the cybercrime underground, you would have no way of knowing if your clients’ customers’ credentials were exposed, leaving the door wide open for account takeover (ATO) fraud.
By establishing a partnership with a company that offers compromised credential monitoring (CCM), MSSPs can quickly flag compromised credentials that match the username of a client’s account holder and issue a forced password reset, preventing that individual from falling victim to additional acts of fraud.
Emerging cybercrime trends: MSSPs’ use of external intelligence should also go above and beyond raw data sourced from covert cybercrime communities to include timely, relevant finished intelligence reports. Adversaries are always adapting their tactics, techniques and procedures (TTPs) to work their way around existing cyber-defense measures, so keeping analysts up to date on the latest cybercrime trends can enable them to pick up on threats that would have otherwise remained under the radar.
MSSP’s SOC analysts also benefit from access to in-depth malware reports that supplement indicators of compromise (IOCs) with functional details about how the malware works, an assessment of the risk it presents, and recommended mitigations. Threat-actor profiles are another useful resource, providing valuable background information on the most influential adversaries, including their history, preferred TTPs, known ties to other cybercriminals and the scope of their underground presence.
Risk-based vulnerability patching: Misguided patching decisions are all too common, wasting time and resources while doing nothing to enhance the security posture. As I’ve previously discussed in-depth, hundreds of vulnerabilities are disclosed each month, but since patch administration is costly and time intensive, security teams should prioritize select vulnerabilities that pose the greatest risk.
A strong indicator that a vulnerability is likely to be weaponized is whether it’s actively being discussed by cybercriminals. As such, MSSP SOC analysts cannot accurately gauge which cyberthreats are most relevant to their clients without access to reports and dashboards offering insight into which vulnerabilities have piqued the interest of adversaries.
Choose Intelligence Partners Wisely
Well-thought-out partnerships that deliver access to compromised credential monitoring, finished intelligence reports and insight into trending vulnerabilities can greatly enhance an MSSP’s position within an increasingly competitive marketplace. But to be effective, such a partnership must deliver external intelligence in a manner that’s user-friendly, easily consumable and designed with MSSPs in mind.
MSSPs should carefully evaluate potential intelligence partners in terms of the quality and scope of the services they provide, as well as their readiness to execute a successful partnership. In doing so, MSSPs can gain an edge over competitors by monitoring clients’ network environments with unparalleled nuance and foresight.
As senior director, head of worldwide channels and partnerships at Flashpoint, Ayesha Prakash leverages her extensive experience driving business development and marketing efforts in the IT sector to build Flashpoint’s global channel program. Follow her on Twitter @yoursocialnerd and @FlashpointIntel.