The Tech Stack Needed to Start an MSSP Practice: Firewall, SIEM, EDR and NDR

Recently I was wandering around Reddit in the usual cybersecurity / AI / network security communities and landed on a question from a couple months ago that essentially asked: “If you were to start a managed security service provider practice, or MSSP, what would that practice look like?”

The member asked further about the wide gamut of needs in building a service-based business: how to build the internal teams, should you outsource parts of the operations, and what software is needed.

The general response to this question from fellow members was that you can’t do it from scratch--that most MSSPs have evolved from MSPs transitioning (with lots of customers) to offering security services due to the groundwork that must be done as far as getting the right tools in place, learning and customizing the tools, prepping your environment, and defining scope and boundaries. So the MSP has a big head start.

Nonetheless, many MSSPs did start on the security side and have built nice businesses. So I wanted to expand on my colleague’s recent blog about why MSPs should consider focusing on cybersecurity and go into the high-level path on how to build the tech stack for your new MSSP practice.

But first, what is an MSSP?

Techopedia defines an MSSP as a type of service provider that provisions remote software/hardware-based information or network security services to an organization. MSSPs host, deploy and manage a security infrastructure while simultaneously providing information security (IS) services to one or more clients.

They can provide a suite of IS services including virus scanning, spam blocking, hardware and software firewall integration and management and overall security management. To do so, they connect with enterprise IT infrastructures through the Internet or a virtual private network (VPN) and have access to the enterprise's key security and operational IT components, while the client accesses the MSSP platform to analyze and review the overall security architecture state.

They perform routine security scans, penetration and vulnerability testing and other security management processes on behalf of the organization using their own security resources, like antivirus, malware detection and firewall software. However, an organization may utilize in-house security resources, outsourcing only its security management and business processes to an MSSP.

The Security Triangle Tech Stack

No MSSP can guarantee 100% protection from attack, downtime, or other cybersecurity issues -- and if one has, go looking elsewhere. Any security professional can tell you that a “100% guarantee” is a foolproof sign of dishonesty in the ever-changing landscape of network security.

However, if an MSP is looking to transition into an MSSP service, and want to offer the most comprehensive protection possible, they need to offer the 4 pieces of a strong security program as a foundation (and other elements over time):

1. Firewalls
2. Security Information & Event Management (SIEM)
3. Network Detection & Response (NDR)
4. Endpoint Detection & Response (EDR)

Firewalls

Firewalls are fundamental and a basic building block to a tech stack for an MSSP to protect their client’s network traffic and flow of sensitive data. They provide perimeter network security by monitoring incoming and outgoing network traffic and use rules to permit or block packets.

Many times, firewalls are required for compliance regulations like HIPAA, PCI DSS and GDPR.

Comprehensive firewall management requires expertise and constant vigilance. They aren’t tools that you take out of the box, setup, point, click, and forget. Firewall technology requires operation, administration, monitoring, reporting and analysis and maintenance.

For some companies, they are able to employ internal IT team members to manage firewalls. For others, on the other end of the spectrum, they need MSSPs to help establish, maintain and modify firewall rules, monitor their network, and provide feedback, reports and analysis.

Firewall Pros:

Good for blocking known external threats and looking at north/south traffic.

Firewall Cons:

Not good for detecting unknown threats.
Not good for detecting threats originating inside the network.

Security Information & Event Management (SIEM)

SIEMs combine SIM (security information management) and SEM (security event management) functions into one security management system. A SIEM is a way to keep track of log files which, according to one of our recent blogs on wire data, track “events that occur on an operating system or other software, or messages between different users of a communication software platform.”

If you want to operate an MSSP, you will consider using a SIEM like Splunk, FireEye, SolarWinds, QRadar, LogRhythm, but there are issues with relying solely on log data for behavior identification and may want to consider complimenting their your log files / SIEM with wire data analysis to get a full-truth picture of your client’s network traffic. (Up next, we cover Network Detection & Response.)

What are the considerations for an MSSP when relying only on a SIEM?

Log aggregation means slower time to value than with wire data. Time to deploy a SIEM is several days or weeks and must be constantly configured and managed. It could take hours or even days to correlate all the events to determine the path of attack or relational failure. Logs cost CPU and memory of the devices that generate them. When you install a SIEM as a primary point of information, you accept 10-20% cost of the resources you are wanting to monitor - with added risk of outages when saturation occurs.

Networks aren’t built to facilitate a debug on everything, but for visibility we take from the operations of an organization when we increase logging for security and compliance needs. You also accept a solution for post-mortem identification. Lastly, a bad actor can change the logs in your SIEM when they infiltrate your network, so a SIEM should not be your single point of failure.

Network Detection and Response (NDR)

Having a tool for both detection and response gives you an automated network defense force that continuously scans for signs of malicious activity on a network and sends counterattack responses to dismantle it plus heal any damage that may have been done. This is different from network performance monitoring (NPM) which analyze the network (bandwidth, speed, routing, etc) and may report suspicious activity but does not respond or eliminate threats.

Using AI and machine learning technology, NDRs have the ability to understand a network’s baseline or “normal” behavior and have the huge advantage of being able to spot and catch threats that are laying dormant on a network before attack to avoid detection. Depending on the NDR solution, it may hunt for malware, zero-day attacks, unauthorized use of business-critical applications, and more.

NDR Pros:

Detect emerging, targeted and unknown threats as they traverse your network.
Monitor the timing and movement of attackers across your network north/south and east/west.
Reconstruct entire network sessions to support forensic investigations.

NDR Cons:

Sensor footprint can be heavy if you are storing full PCAP and doing file extraction.

Endpoint Detection and Response (EDR)

EDR solutions are used to collect, record, and store large volumes of data from endpoint activities or computer hardware devices and in turn uses that data to detect and respond to potential outside threats. EDR provides the visibility required beyond traditional antivirus.

SearchSecurity outlines that while not every EDR platform share the same exact capabilities most tend to include capabilities such as:

The unification of endpoint data.
Increased visibility throughout a whole IT environment.
The ability to monitor endpoints, either online or offline.
The ability to detect malware and store endpoint events.
The ability to respond to an event in real-time.
Integration with additional security tools.
The use of blacklists and whitelists.

By using all 4 technologies combined in this “Security Triangle Tech Stack” you can still not guarantee a 100% secure digital perimeter against modern cyber attacks and threats to clients looking for the best MSSP services. Eventually, a threat will enter your client’s network and priority will move from protection to detection and remediation.

There are many pieces to the security puzzle. Every piece you put in place is one step closer to having a finished picture - and these 4 building blocks are a great place to start for an early-stage MSSP.

By Ryan Merrill, Director of Strategic Partnerships at MixMode