When managed security services have been in operation for a long time, they always receive various questions and requests from customers. Some of these questions and requests are completely out of the blue, while others are relevant and change-inducing. Regardless of the issue, managed security service providers should listen to their customers and accept their feedback, whether it is positive or negative.
While it's impossible to delve into all the requests that managed security services have received over the years, some are representative and can be useful when asking your own MSSP.
1. Can you generate monthly reports that list metrics that measure the value of your services?
Metrics are important. Nice charts help visualize to management the return on investment (ROI) they are getting, but it can be very different (and difficult) for different clients to determine how to measure value. The service offering should be able to provide statistical information on the number of high-fidelity cases raised, mean time to detection (MTTD) data, and potentially mean time to repair (MTTR) data, depending on the deliverable. Having the ability to generate such reports on your own, or being able to request a managed service to generate such reports, will help advance the maturity of your company's controls and will allow your company to see the value you get from a managed security service.
2. How can our teams work more closely together during a security incident?
Honestly, this is a good question. Managed services should be like an extension of your own team. Working closely together during an incident, or even in response to a specific security alert, can create a stronger bond between the two entities. Learning from experienced professionals can also help enhance your own company's skill set. Any time there is an opportunity to train a client on a specific capability, the service provider will not pass it up. When trained well, clients can become more independent and successful.
3. Why didn't you detect the malware we executed on the lab equipment?
Let's be honest: catching everything that is impossible. Even with all applicable security solutions and monitoring measures in place, something can still sneak in through the cracks. However, managed security providers do need to be at the top of the industry: that's what you're paying them to be worth. They may miss something, but it is necessary for you to let them know this so they can plug the gaps in their processing or detection rules and improve the security services they provide.
4. What security recommendations do you have based on the level of threat activity observed in our environment?
It's one thing to provide managed detection and response services to customers. But providing feedback on how clients can improve their own internal controls is a quantum leap. A managed services company can take a look at your entire security posture, including the frequency of threat intrusions, the path to entry, etc. If patterns or trends like a spike in phishing-related attacks are observed, it's probably time to roll out more formal security awareness training to your employees or add a few more layers of control to your email gateway. The benefits of these comments are numerous, and it's a good idea to ask these kinds of questions.
5. It's 2 a.m. and we've had a security incident; can you join us for a phone discussion?
Service level agreements (SLAs) deserve to be fully understood. As for managed service offerings, they are usually on duty 24/7, but not all are. When events do occur, you should know what level of support is available in your own time zone during off hours. Perhaps only one analyst can join the discussion, and not the team's incident manager. It is highly recommended that these expectations be set in advance.
Over the years, the five questions above have helped MSSPs improve the quality of their services and attract customers through a value-added experience. Managed services should want and be willing to improve and adapt. Don't get me wrong, setting reasonable expectations is also important, but if there is an opportunity for improvement, it's better for both parties.