This article is based on a panel discussion at ChannelPro’s August 2021 Cybersecurity Online Summit.
WHEN IT COMES to cybersecurity, it’s increasingly difficult for an MSP to go it alone. Partnering with a managed security provider is a viable way to shore up protection for customers without investing in expensive solutions or personnel.
“We’re past the question of, should we be doing this?” says Joshua Liberman, president and founder of Net Sciences, an MSP in Albuquerque, N.M. “You need to be doing this for sure, unless you have confidence that you can build out a SOC, and that is a bigger challenge than ever.”
According to Robert Boles, founder and president of BLOKWORX, a managed security service provider (MSSP) in Larkspur, Calif., the rationale for MSPs outsourcing security is similar to why SMBs outsource IT. MSPs can “leverage a partner who has those standard operating procedures and all of that expertise already in house, as well as not having to make the significant financial investment in operating and maintaining tools like SIEM and SOAR and a 24/7 security operations center.” That allows MSPs to focus on what they do best, he notes.
For successful relationships, MSPs need to choose their cybersecurity partners wisely, however, and then follow best practices for working with them.
What to Outsource?
To determine what to outsource, Boles says to identify gaps in your expertise and then find solutions to fill those gaps.
Liberman says he made some “practical choices,” recognizing that he didn’t have the resources to run a 24/7 NOC or SOC. Net Sciences uses one partner to manage log reading and response services through the firewalls. “They alert, they do auto blocking. Once they detect a real persistent threat of some sort, any kind of APT, we get reports, but they actually interact and do this in near real time, 24/7.” He uses a different MSSP for endpoint log reading and response services. “We really wouldn’t be able to identify the true issues or respond quickly enough. They can also do things like lockdown traffic flow from that endpoint to their SOC, so they can remediate it at the endpoint or just keep it off the network entirely.”
MSPs also must decide whether to partner with a single provider or take a best-of-breed approach like Liberman. “The downside to that is that’s two different vendors, not one, two different consoles, two different things to manage,” he acknowledges.
Boles cautions against partnering with multiple SOC providers because no one provider will have complete visibility.
Liberman doesn’t disagree, but argues that some overlap in security tools and services not only safeguards against missing a critical event but also provides a safety net should a security partner get acquired.
Choosing a Security Partner
When selecting a security partner, don’t choose solely on lowest cost, but look first and foremost for a provider that is compatible with your culture and core values, advises Boles. “If your core values are such that defending the client is your highest priority, your process and your selection is going to be a little bit different than someone who’s just looking for the lowest cost so they can have maximum profitability.”
While margin is important and price is always a factor, he says, “the value of your partnership is when the poop hits the fan, and the more aligned your core values are, the more aligned everybody’s going to be in responding to what the event is.”
Also, be sure the security provider supports and monitors what’s in your stack. “If I have WatchGuard, I probably want to partner with a SOC who will monitor WatchGuard,” Boles says, as an example.
Liberman recommends building a decision tree. The first question is, best of breed or single-source vendor? “If you’re going to do the latter, your decisions are far less complicated, and you’re really narrowed down in the SMB world to a few of them. If you’re going to do the former and weave together your own solutions, you need to find a way to visualize this.”
Then thoroughly vet potential partners, Liberman advises. That includes asking peers as well as meeting in person with the provider. “You’re choosing a partner here to do the single most important thing to do. … That’s always a personal experience for me. I don’t do it on the phone, or even by Zoom. I meet these folks, which is clearly harder than it used to be.”
Determining a partner’s financial stability is the most difficult part, he adds. “Are they really stable? A true SOC, SIEM, SOAR is a very serious investment. And the question is, will they continue to deliver on their promises? Will they grow as I’ll have to do and still deliver the services and the support and the responsiveness that you need?”
Best Practices for Working with a Security Partner
When working with a security partner, Boles says, both the MSP and MSSP must maintain objectivity and minimize emotion. “When emotions get involved in cyber, that’s somewhat of a vulnerability because we’re not really thinking clearly on factual data … and that introduces risk.”
Another best practice is to trust and complete the onboarding process, he says. “When we onboard partners, it’s very thorough,” he explains. “We go through a process of script auditing and script control, where we actually create white- and blacklists for scripts. And I can’t count how frequently partners just don’t complete the process.” Following the plan to the end, or as Boles puts it, “participating in your own rescue,” is the best way to protect your customers and yourself, he says.
MSPs can’t be hands off once they bring in a security partner either, because defending the client is a shared responsibility, Boles says. For instance, if the MSSP is protecting 200 machines, but then the MSP retires one, onboards another, and fails to either install the agent or inform the MSSP, “We’re not going to know because in our dashboard, we’re still going to see 200 machines. We’re just going to see one that’s inactive.”
That’s why it’s critical to define partner responsibilities, Boles says, and establish good communication. “I can’t underscore how important it is to communicate and to adhere to, ‘Hey, we’re all in the boat together, from a security perspective.’ The bad guys only have to win once. They only have to find one gap.”
Ultimately, though, the buck stops with the MSP, Liberman stresses. “You hold the burden. … Everybody you use to do that job is your problem. You’re holding the contract with your customer. And even outside of that, ethically speaking, morally speaking, it’s your commitment.”