A Managed Security Service Provider’s Day on the Front Lines of the Cybersecurity Battlefield
Updated: Sep 18, 2020
Did you ever wonder what it’s like to work on the front lines of the cybersecurity battlefield …. what the war room looks like … how battle cries and alarms are sounded … how troops are mobilized and dispatched to take on enemies at the gates and on the walls?
In my last post, I discussed the differences between Managed Service Providers (MSP) and a Managed Security Service Provider (MSSP). I hope that I’ve made a compelling case for why your company or organization may need both. In this post, I do a deeper dive to take you behind the scenes of a typical day in the life of a MSSP Cybersecurity Analyst to bring those differences to life in a vivid way.
Inside the Managed Security Service Provider Control Center … an Alarm Goes Off
Imagine, if you will, a team of contracted Tier 1 SOC Analysts sitting at their workstation, surrounded by monitors tracking internal and external movements within your IT network, when an alarm goes off that’s an indication of mischief.
Immediately, the Analyst will log the alarm, use their training to do an assessment of the criticality of the alarm using a 15-step checklist to determine if a quick and aggressive response and remediation is warranted. To provide some perspective, DataSure24 sees about 150 alerts per day per Analyst over the entire scope of clients we are monitoring.
Within 10 minutes, the alarm will be deemed either harmless or harmful, and if the latter, escalated immediately to our Tier 2 SOC Analyst. If it’s relatively harmless, the incident is still tracked but not treated with same urgency.
Later that Morning at the Desk of the Tier 2 SOC Analyst
On an average month, we see about 18,000 alarms and of those, about one out of every 100 of alarms gets escalated to a Tier 2 SOC Analyst.
Within minutes, that Analyst will initiate a significantly deeper investigation, using our proprietary predictive algorithms, research, team discussions, and instinct to identify the exact nature of the intrusion and best possible responses.
Companies that use an MSSP will generally have a previously developed Cybersecurity Response and Remediation Planning which is then put into play. That plan is executed coolly, professionally and swiftly by the SOC 2 Analysists in conjunction with the client’s IT team. On average, once an alarm has been escalated to a Tier 2 Analyst, the time from assessment to response and remediation is less than an hour.
A Managed Security Service Provider’s Response to a Zero Day Attack
Three to five times a year, every company may experience a Zero Day Attack launched by hackers and cybercriminals.
The term “zero-day” refers to a newly discovered software vulnerability. Because the developer has just learned of the flaw, it also means an official patch or update to fix the issue hasn’t been released.
So, “zero-day” refers to the fact that the developers have “zero days” to fix the problem that has just been exposed — and perhaps already exploited by hackers.
Once the vulnerability becomes publicly known, the vendor has to work quickly to fix the issue to protect its users.
But the software vendor may fail to release a patch before hackers manage to exploit the security hole. That’s known as a zero-day attack.
If a zero-day attack is detected via monitoring by a Tier 1 Analyst, escalation takes on a sense of greater urgency and requires greater speed before what may be a small breech turns into a major headache, resource drain, financial loss, and reputation damage. While neither a Tier 1 or Tier 2 Analyst can patch the weakness, they can put a pre-determined Incident Response Plan into effect, and work with the client’s IT team to isolate, protect or even shut down critical servers and other hardware.
As you might imagine, it’s a bit more hectic and stressful both in our Mission Control room and at the client’s site when zero-day attacks occur, but teamwork and professionalism generally go a long way to short circuit an attack of this type before a software patch is applied. The human element in place, always monitoring, can be the difference between a catastrophe and a ‘dodged a bullet’ scenario.
Later That Day, It’s Time to Catch Up on a Few Reports and Do a Vulnerability Scan or Two
A day in the life of a DataSure24 Tier 1 or 2 SOC analyst is a lot more than just sitting around, drinking coffee and waiting for an alarm to ping!
They’re also preparing and delivering monthly reports to clients showcasing alarms caught and resolved, actions taken regarding elevated alarms and responses, zero-day attack incidents, and news or updates from the world of cybersecurity that merit a watchful eye.
There are also specialists hard at work doing contracted vulnerability scanning work, trying to identify and exploit security weaknesses, including phishing employees to determine their levels of awareness and compliance with company IT security policies. Generally, these network vulnerability scans reveal hundreds of vulnerabilities, most of which are easily resolved, but it some cases a significant vulnerability will be discovered or a trend indicating a security lapse identified. At that point, Network Vulnerability Analysts and other members of the MSSP team will develop a plan and identify resources that should be directed to executing remediation strategies, policies or actions.
Our team is always looking for ways to improve ourselves, from upgrading our technologies to continued and consistent training in our specialized environment. Staying globally aware of Cybersecurity current events is a linchpin of our daily routine.
Meanwhile, On Your Calendar of Daily Activities
I hope that this brief overview into the life of a Cybersecurity Analysts provides the additional insight and guidance you need to make an investment in MSSP services happen. At a minimum, 24/7/365 cybersecurity monitoring has become a “must” and a necessary part of doing business.
I am available for a no cost or obligation discussion of the pros, cons and costs of MSSP services, including a deeper dive on how these services work can with your current IT department or MSP.
Complete and submit a contact form. Let’s put something on your calendar.