Cybersecurity False Positives Are Plaguing MSSP Profits by Bob Noel, Director of Strategic Relationships and Marketing, Plixer

According to Market Research Engine, the Managed Security Service Provider (MSSP) market will grow at a compound annual growth rate of 14.5 percent, reaching $45B by 2022. This growth is driven by the fact that many enterprises lack in-house cybersecurity expertise and that executive management often believes outsourcing security is the most cost-effective way to reduce risk. Hiring an MSSP gives organizations access to security tools and expertise they could not afford or support on their own. For MSSPs, this shortage of expertise in the market is good for revenue, but profitability is a direct function of incident response efficiency. High rates of false positives, each of which requires a security analyst to spend time investigating, are plaguing MSSP profits.

A High Number of False Positives

MSSPs operate large-scale security operation centers (SOCs) to aggregate customer data. SOCs typically leverage and monitor technologies such as firewalls, SIEM, anti-virus, intrusion detection/prevention (IDS/IPS), etc. These technologies focus on risk reduction by preventing security-related incidents and alerting staff. The challenge for MSSPs is that these technologies are notorious for generating a high number of false positives.

False Positives Hurt Profitability

Once MSSPs have invested in the technology required to operate a multi-tenant SOC, acquiring more clients should reduce their per-customer technology-related costs. If there were no factors to consider other than the cost of technology, more customers would mean more profit. This is not what is happening, however. In reality, as MSSPs gain more customers, the number of false positive events to investigate rises dramatically, increasing their overhead and hurting profitability. To counteract this, MSSPs need to include network traffic analytics (NTA) as one of their SOC technologies. NTA provides easy access to historical forensic data and fast reporting, reducing the time it takes a SOC analyst to investigate incidents.

Detection Alone Is Not Enough

Security events are detected in several ways. A security product may raise an alarm to an analyst, or an end user may report a problem, which is often how ransomware attacks come to light. Because bad actors are growing more sophisticated, many organizations are evaluating or implementing products that use machine learning and artificial intelligence (AI), which attempt to improve threat detection with algorithms that learn from data and predict. These technologies are still in their early stages, and significant human effort goes into the initial implementation, but they show promise to improve threat hunting over time.

There are many mechanisms by which detection occurs, but detection alone is not enough. Notification is only the first step of an incident response process. Detecting an event, whether real or a false positive, kicks off an investigation to determine whether the incident is valid, how dangerous it is, what happened, and what must be done to return to normal. To answer these questions, analysts must investigate the data available to them.

Most security platforms generate and export data as syslog messages. Syslog messages are valuable, but they are essentially notifications that something occurred; in isolation they lack the broader context of the event. NTA provides an important complementary pool of data because it delivers that context. It records a summary of every flow, or conversation, that crossed the network and can stitch together the username, application, URL/URI, SSL details, DNS, latency, jitter, timestamp, geolocation, and device details including the operating system, along with many other data points associated with a given incident. The database within an NTA platform holds all this information and gives MSSP analysts the ability to query it for rapid root cause analysis. As analysts face large volumes of alarms, the speed with which they can navigate, filter, and report on the data directly affects their efficiency and ultimately the profitability of the organization.
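The Python below shows what that correlation looks like in practice. It is an added example written for this article, not Plixer's code or any real NTA platform's API. It parses a syslog-style IDS alert, pulls the flow summaries between the alerted hosts from an NTA-style flow table, and returns the stitched context (user, DNS name, TLS SNI, bytes in each direction) together with a suggested verdict. The alert syntax, the flow-record fields, the sample data and the verdict rules are all constructed for illustration; the periodicity test (near-constant gaps between connections) is one common heuristic for call-home traffic, not a product feature.

```python
"""Enrich a syslog IDS alert with NTA-style flow records and suggest a triage verdict.

Added example for this article; not Plixer's code nor any real NTA platform's API.
The alert syntax, the flow-record fields and all sample data are constructed.
"""
import re
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Constructed syslog lines in the style of an IDS alert (assumed format).
ALERTS = [
    "2019-03-04T10:15:22Z sensor1 ids: [1:2024001:3] ET TROJAN Possible C2 Beacon "
    "{TCP} 10.1.4.22:51234 -> 203.0.113.50:443",
    "2019-03-04T10:16:05Z sensor1 ids: [1:2024001:3] ET TROJAN Possible C2 Beacon "
    "{TCP} 10.1.7.9:40112 -> 198.51.100.20:443",
]

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) ids: \[(?P<sid>[\d:]+)\] (?P<msg>.+?) "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flow(t, src, dst, dport, bytes_out, bytes_in, user, dns, sni):
    """One conversation summary, already stitched with user, DNS answer and TLS SNI."""
    return {"ts": ts(t), "src": src, "dst": dst, "dport": dport, "proto": "TCP",
            "bytes_out": bytes_out, "bytes_in": bytes_in, "user": user, "dns": dns, "sni": sni}


# Constructed flow table as an NTA database might hold it (one row per conversation).
FLOWS = [
    # 10.1.4.22 talks to 203.0.113.50 every ~5 minutes with small, answered requests.
    flow("2019-03-04T10:00:20Z", "10.1.4.22", "203.0.113.50", 443, 612, 418, "jsmith", "cdn-a3f9.example.net", "cdn-a3f9.example.net"),
    flow("2019-03-04T10:05:21Z", "10.1.4.22", "203.0.113.50", 443, 610, 420, "jsmith", "cdn-a3f9.example.net", "cdn-a3f9.example.net"),
    flow("2019-03-04T10:10:20Z", "10.1.4.22", "203.0.113.50", 443, 615, 417, "jsmith", "cdn-a3f9.example.net", "cdn-a3f9.example.net"),
    flow("2019-03-04T10:15:21Z", "10.1.4.22", "203.0.113.50", 443, 611, 421, "jsmith", "cdn-a3f9.example.net", "cdn-a3f9.example.net"),
    # 10.1.7.9 tripped the same signature, but the destination never sent a byte back.
    flow("2019-03-04T10:16:04Z", "10.1.7.9", "198.51.100.20", 443, 240, 0, "mlee", "updates.example-vendor.com", "updates.example-vendor.com"),
    # Unrelated browsing by 10.1.4.22 that must not be pulled into the first alert.
    flow("2019-03-04T10:12:00Z", "10.1.4.22", "198.51.100.77", 443, 5200, 181000, "jsmith", "www.example.com", "www.example.com"),
]


def parse_alert(line):
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    a = m.groupdict()
    a["ts"] = ts(a["ts"])
    a["dport"] = int(a["dport"])
    return a


def related_flows(alert, flows, lookback=timedelta(minutes=30)):
    """Flows between the alerted pair on the alerted port, from `lookback` before the alert."""
    lo, hi = alert["ts"] - lookback, alert["ts"] + timedelta(seconds=5)
    return sorted((f for f in flows
                   if f["src"] == alert["src"] and f["dst"] == alert["dst"]
                   and f["dport"] == alert["dport"] and lo <= f["ts"] <= hi),
                  key=lambda f: f["ts"])


def _is_periodic(times, max_cv=0.2):
    """True when the gaps between connections are nearly constant (beacon-like)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return len(gaps) >= 3 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv


def triage(alert_line, flows, lookback=timedelta(minutes=30)):
    """Return the stitched context for an alert plus a rule-based verdict (rules are assumptions)."""
    alert = parse_alert(alert_line)
    rel = related_flows(alert, flows, lookback)
    ctx = {
        "alert": alert["msg"], "src": alert["src"], "dst": alert["dst"], "flows": len(rel),
        "bytes_out": sum(f["bytes_out"] for f in rel),
        "bytes_in": sum(f["bytes_in"] for f in rel),
        "users": sorted({f["user"] for f in rel}),
        "names": sorted({f["dns"] for f in rel} | {f["sni"] for f in rel}),
    }
    if not rel:
        ctx["verdict"] = "no_traffic_observed"   # nothing in the flow data corroborates the sensor
    elif ctx["bytes_in"] == 0:
        ctx["verdict"] = "no_response"           # destination never answered; no session to assess
    elif len(rel) >= 4 and _is_periodic([f["ts"] for f in rel]):
        ctx["verdict"] = "periodic_beacon"       # regular call-home pattern: escalate
    else:
        ctx["verdict"] = "session_completed"     # real exchange; analyst reviews with the context
    return ctx


if __name__ == "__main__":
    for line in ALERTS:
        print(triage(line, FLOWS))
```

The value for the analyst is in the returned context rather than the verdict label: a single query answers who the user was, what name the host resolved, whether the far end ever responded, and whether the pattern repeats, which is the set of questions the raw syslog line leaves open.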

A Sustainable Business Model for MSSPs

MSSPs offer a valuable service to their customers. Delivering this service requires a combination of technologies focused on prevention, detection and rapid incident response, and a staff of skilled analysts. To have a viable business model, MSSPs must offer better service to their customers at a price that is at most equal to what it would cost those companies to do it themselves. The scale of a multi-tenant SOC helps reduce overhead, but high volumes of false positives drive expensive analyst investigations. The key differentiator and driver of cost efficiency lies in effective incident response processes.

About the Author

Bob Noel holds the position of Director Marketing and Strategic Partnerships at Plixer. Bob has 20 years of experience in networking and associated technologies, having spent several years in senior level roles with industry leaders such as Cisco, Cabletron, Extreme Networks, and Plexxi. Bob has spoken all across the world and is highly sought after for his knowledge in the areas of next generation data centers, network security, virtualization, networking architectures, and the new dynamics and challenges introduced by Software Defined Networking. His background spans senior sales, engineering, training, and a number of marketing positions. Bob is currently based at Plixer's headquarters in Kennebunk, Maine.