With the average cost of a data breach amounting to $4.45 million in 2023, and the expanding attack surface, it is very difficult for most modern SOCs to absorb the growing complexity of security operations. The costs of implementing new tools as well as building and retaining a team of cybersecurity experts who know the environment have become a challenge for today’s distributed organisations. 
We have extensive knowledge and experience in the industry and always having the client at the forefront of what we do. As a result, we have outlined the top signs that indicate it may be time to ‘break up’ with your current MSSP.

1. Lack of a Proactive Service and Poor Communication

Are you constantly wanting more from your MSSP?

Having a service provider with world-class, around-the-clock security monitoring and alerting, incident response and remediation capabilities is crucial, but communication goes both ways. A great security partner should be reaching out to make sure that their services are meeting your needs. They should be providing you with important high-level alerts in a fast and efficient manner, keeping you up to date with what is happening in your network, and discussing any potential areas of risk that you should be aware of. Your MSSP should have a detailed strategy which includes your security goals and objectives. Often, MSSPs can spend too much time reacting to threats/ tasks that proactivity can suffer.

Communication with your MSSP should be accessible and constant. They should schedule routine calls and make time for calls outside of scheduled meetings to discuss your needs and concerns. When it comes to reducing cyber risk, the most effective MSSPs are those that build strong relationships with their customers.

2. Poor Engineering Capabilities

There’s a perfect fit for every company, but when it becomes unclear what you’re getting and from whom, you can end up with the wrong fit.

A great MSSP offers a variety of services that can be tailored to meet your unique needs. That includes security engineering. Your MSSP must be able to communicate the health status of your log/data sources in a manner that is suitable to you. One of the most important elements of having a security operations centre is ensuring that your security tools are properly tuned, sending healthy logs to your SOC and that you have visibility over your entire estate. That clear visibility is crucial for your organisation. Why? Because many cybercriminals employ sophisticated methods of lateral movement and disabling security tools when they get deeper access into your environment. An example of that is ZLoader for its defense evasion capabilities, like disabling security and antivirus tools and selling access-as-a-service to other affiliate groups, such as ransomware operators (Cl0p, DarkSide etc.)

3. Too many alerts and false positives

Organisations can become overwhelmed by the volume of alerts generated by their security provider. This can lead to the client getting overwhelmed and potentially missing legitimate attacks against their network. Partnering with a MSSP should help you reduce alert overload and make the most of the information provided by the security solutions in place. More importantly, you should be getting answers to questions like What happened? When did it happen? How did it happen? What’s the risk? What should we do next? Not only that, but your MSSP should give you strategic recommendations that reduce overall risk in your environment. This will enable you to maximise the impact of your security deployment and rapidly respond to legitimate cyber threats.

A high degree of false positives is another area of concern for many organisations who outsource their SOC to an MSSP. Let’s face it: false positives make you waste your time and money. Recent research shows that almost 45% of the incidents that MSSPs send to their customers are false positives. The problem compounds when the MSSPs don’t do anything about it. So, what should they do? Firstly, they need to give you transparency around what the false positive rate is. Then, they need to work on a plan to reduce that rate. That’s done by creating and constantly reviewing security procedures, defining and regularly reviewing security rules, and tuning rules to specific environment thresholds. An important element of reducing false positives is also applying context.
When SOC analysts are investigating offences within your environment, context is king. They should combine external threat intelligence with internal knowledge of your systems and data (knowing critical assets, user behaviour, geo-location context etc.) to correlate the events and investigate the legitimacy of the alerts. After they have deemed events as malicious, they should raise incident tickets. They should also seek feedback from you. This allows the analysts to determine whether the corresponding alerts should be reported in the future.

4. Poor quality of service & reports

Quality of service is one of the most important elements of an MSSP offering. Why? Because if your MSSP is not heavily focused on quality, that means they are not interested in learning how to be better and in turn offer a great service. Quality is comprised of many elements including communication, transparency, focus on metrics and KPIs, and proper reporting. Have you ever found yourself frustrated with the standard reports that your service provider is sending you? You may be unhappy with how you have to export or manipulate data in an Excel spreadsheet or sort through the data using googling formulas, only to find that a single mistake can ruin your whole report. As a client, you need to have access to reporting and business intelligence tools.

Often services providers do not leverage the knowledge they’ve gained from having clients in a variety of industries. A skilled services provider uses this information to build out unique use cases and correlation rules that a company’s in-house security would not be able to do on their own.

So, what kind of reports should you be expecting? Outside of the usual incident reports that you get on a (probably) daily basis, you should expect the following reports as well:

– Log sources reports

– Threat Intelligence reports (These reports are crucial because they explain what’s happening in the industry, what your organisation should be worried about and how you can keep an eye on the most updated vulnerabilities that may affect your business)

– Monthly assessment reports

– Quarterly Business Review reports (the QBR reports should go a step further and provide you with context around your security posture, the threat landscape, the health status of your security environment and tips on how to reduce your cyber risk. More importantly, they should help you communicate these to your board. If your MSSP is not holding QBRs with you, that could be a red flag!)

5. Lack of Transparency

You may see many MSSPs offering 6-month free trials or promising only a minor investment upfront, only to be slammed with huge bills once this time lapses. Transparency with your clients is key and there are plenty of places to look out for this – start with the companies’ website, do they have case studies/ testimonials from previous clients? Ask the questions up front, are they being honest and transparent?

We have also come across instances of MSSPs telling clients that they have used up their support hours for the month/quarter – it is vital that your security provider is fitting your needs and not just out to charge you whenever additional, unforeseen incidents arise.

Don’t forget about innovation

Cybersecurity is all about innovation. If your MSSP are set in what they are currently doing well, by not innovating, they will be left behind.

The risk is too great, and the danger is too real.

Your MSSP should be constantly proposing new solutions that fit your business needs and strategy. They should always analyse your company considering your business needs and come up with new ways of protecting you from imminent cyber threats.

We know break ups can be hard

More and more organisations are now considering Managed Detection and Response (MDR) to augment their security teams. To help security leaders decide whether MDR is right for you, reach out to Smarttech247 today. With our MDR platform, VisionX, our customer achieved a 319% ROI in less than 6 months – Read the full TEI report here.