Turning Managed Security Metrics Into Action

By: Matt Sweeney on January 25th, 2018



Shared Security Services

Managed security services providers (MSSPs) often struggle with distinguishing themselves in a crowded marketplace, convincing clients of the value of their services, and transitioning into the role of trusted advisor by demonstrating their expertise. At every stage of the process, from onboarding to contract renewal, MSSPs need to handle each of their clients with professionalism and care in order to generate a stream of recurring revenue.

When MSSPs try to provide services to their customers at scale, they generally face two major pain points. To begin with, MSSPs need to address their customers' most pressing demands first in order to keep them satisfied, and to do this well for many different clients. Second, MSSPs should not only put out fires for their customers, but also create actionable recommendations for them that will build a high-quality relationship with them over time.


Reports that provide valuable, tangible insights about a customer's business and IT operations are worth their weight in gold. As an MSSP, the key to success at scale is figuring out how to convert the metrics and data that you collect into valuable advice for your clients.

What Managed Security Metrics Should You Start From?

At the highest level, risk is really the place where three factors intersect: threats, vulnerabilities and impacts. In addition to measuring risk, companies also need to be aware of the network activity that indicates how these factors are changing, as well as the business assets that are affected.

Having a standard set of managed security metrics that incorporate business impact is the first step in managing communication with clients. In FourV's GreySpark analytics platform, for example, users can measure and analyze a standard set of metrics as well as more advanced constructions. The standard metrics that GreySpark tracks are:

  • New Activity: The defense or vulnerability events that are different from those seen in the previous time window (configured by the user).
  • Persistence: The defense events that reoccur in the current time window, and the vulnerability detections that continue to exist.
  • Severity Profile: The average normalized severity level of all defense or vulnerability events.
  • Asset Activity: The number of assets involved in generating defense or vulnerability events.
  • Sensor Activity: The number of security sensors involved in generating defense or vulnerability events.

The six metrics above are the building blocks of any GreySpark deployment. When used in combination with other information, they form a bridge between raw data and the customer's business and IT security operations.

Incorporating Business Impact into Your Managed Security Metrics

Every one of your clients has assets that they need to protect and a set of vulnerabilities or threats associated with those assets. The metrics that you collect in the first stage will help you rank the actions that you should be taking in order to defend those assets. At the end of this process, you should have compiled a detailed list of priorities discussing the specifics of all the remediation activities that you need to do.

Questions about business impact and the criticality of different assets can only be properly answered when you look at everything in context. For example, standard vulnerability scoring systems place events in a number of tiers, from critical to major to minor. Even "critical" events, however, are often not critically important to the business; they are simply assigned that label by the rules of the scoring system. If you have even 100 hosts on a network, you could easily generate hundreds of "critical" issues per month that need to be waded through before generating a report.

Instead, start with an understanding of your client's most important assets. For instance, you may want to prioritize your client's servers that directly interface with their customers. As such, the most important activities will be making sure that the servers stay up and running and that any vulnerabilities are swiftly patched or resolved.

Being able to perform this prioritization is also important for doing your own job as an MSSP. The threats that your client faces are assembled from different queues of data: the queue of alerts from a defense perspective, and the queue of events and detections from a vulnerability perspective. Properly configuring these queues to surface the most relevant and pressing issues helps you better manage your client's most critical assets.

For an MSSP, having this list of priorities is valuable for two reasons. First, it improves the performance of your security operations center (SOC). The SOC needs to make sure that it is taking care of the most important things first and that any newly critical issues are also brought to their attention. Second, building this list of priorities is a significant step in building trust with your clients. By providing these insights, you are moving closer to the role of a trusted advisor rather than being a black box that generates reports every now and then. Constantly giving your clients good information that helps them improve their IT security will help you retain customers, upsell and cross-sell your services, and scale your business.

How to Turn Managed Security Metrics into Action

The most important thing when going from metrics to the desired actionable output is obtaining the information about the business impact of your client's various assets. Of course, determining the level of criticality for each asset is a substantial challenge, especially in a dynamic network environment where the situation may constantly be in flux.

Treating events individually makes it exponentially more difficult to rank and order items and to get the big picture about what is going on in the client's network. Being able to correlate information about your client's defense activities, vulnerabilities and impacts is key. This does not necessarily mean doing the job of a SIEM, but rather finding connections between related activities occurring on your client's network. By treating these connected concerns as a single entity and fitting it into your list of priorities, you can save yourself valuable time and effort.
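As an added illustration (not code from the article or from the GreySpark product), the block below computes the five standard metrics listed earlier over two consecutive time windows of constructed events, then ranks assets by severity weighted with client-supplied business criticality, grouping every event on an asset into a single entity as the paragraph above describes. The event data, the asset criticality values and the `CVE-PLACEHOLDER-*` signatures are all assumed sample inputs.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample windows (not from the article): one event per tuple as
# (signature, kind, asset, sensor, normalized severity 0-10).
PREVIOUS_WINDOW = [
    ("CVE-PLACEHOLDER-A", "vulnerability", "web-01", "scanner", 9.8),
    ("ssh-bruteforce", "defense", "jump-01", "ids", 6.0),
]
CURRENT_WINDOW = [
    ("CVE-PLACEHOLDER-A", "vulnerability", "web-01", "scanner", 9.8),  # still present
    ("CVE-PLACEHOLDER-B", "vulnerability", "lab-07", "scanner", 9.9),  # new, on a lab box
    ("ssh-bruteforce", "defense", "jump-01", "ids", 6.0),              # recurring
    ("sqli-attempt", "defense", "web-01", "waf", 7.5),                 # new
]
# Business criticality per asset, as the client would supply it (assumed values;
# web-01 is the customer-facing server, lab-07 an isolated test machine).
ASSET_CRITICALITY = {"web-01": 1.0, "jump-01": 0.6, "lab-07": 0.1}


def window_metrics(previous, current):
    """The five standard metrics from the article, computed for the current window."""
    prev_keys = {e[0] for e in previous}
    cur_keys = {e[0] for e in current}
    return {
        "new_activity": len(cur_keys - prev_keys),        # signatures not seen last window
        "persistence": len(cur_keys & prev_keys),         # signatures that recur or remain
        "severity_profile": round(mean(e[4] for e in current), 2),
        "asset_activity": len({e[2] for e in current}),   # distinct assets involved
        "sensor_activity": len({e[3] for e in current}),  # distinct sensors involved
    }


def prioritize(current, criticality):
    """Rank assets by summed severity weighted by business criticality.

    Grouping per asset treats all connected events on that asset as one entity,
    so a raw 'critical' finding on a low-value host ranks below moderate activity
    on a customer-facing server.
    """
    score = defaultdict(float)
    for _signature, _kind, asset, _sensor, severity in current:
        # Assets the client has not rated get a middling weight rather than being dropped.
        score[asset] += severity * criticality.get(asset, 0.5)
    return sorted(((a, round(s, 2)) for a, s in score.items()),
                  key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print(window_metrics(PREVIOUS_WINDOW, CURRENT_WINDOW))
    print(prioritize(CURRENT_WINDOW, ASSET_CRITICALITY))
```

Note that lab-07 carries the highest raw severity in the window yet lands last in the priority list, which is exactly the effect of weighting by business impact instead of by scoring tier alone.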

What many MSSPs need is a system that can fulfill this vision and help them out from an operational perspective, connecting events in graphs and revealing trends in the data. How much effort is involved in setting up such a system? The short answer is that it depends how you want to go about it. Building it yourself will be far from a quick, straightforward process, but tools such as GreySpark provide an easy and cost-effective way to get the benefits of such a system without having to go it alone.

Final Thoughts

Cyber security has become a highly data-driven industry in recent years. Although this has great potential for companies looking to better defend themselves from attack, it also means that you can easily run the risk of getting lost in all the numbers and figures without extracting any actual value.

Instead of allowing data to drive your business, let the data drive the priorities that you handle for your customers. Data should be the means to the end of better serving your clients, rather than an end in itself.

In order to be an effective MSSP, you need to communicate well with your customers and run an efficient operation. This means bringing together measures of defense, vulnerability and impact so that you can create a concise, actionable report for your clients.