MSSP Security Orchestration Shopping List
Introduction
Managed security service providers (MSSPs) can teach a master class on
today’s threat landscape. To say that MSSPs have a security orchestration
challenge is an understatement. But not just any security orchestration
platform can satisfy the multi-tenant requirements of an MSSP.
MSSPs and SOC
With dozens of client environments to monitor, MSSPs get a broad view of
what it takes to detect, manage and respond to cyberthreats of all kinds. And
don’t get us started about all the false positives to be addressed day in and day
out.
MSSPs are also in the unique position of needing to understand how to fully
leverage the vast landscape of security tools. Whereas an enterprise security
operations center (SOC) needs the capability to manage one SIEM, for
example, an MSSP needs to be prepared to manage whatever mix of technologies
its clients have selected.
SIEM & WAF
From SIEMs and web application firewalls (WAF) to intrusion detection
systems (IDS) and anti-malware solutions, MSSPs must be ready to manage
them all.
Below is a quick look at what you should be looking for when exploring
security orchestration solutions if you (or someone you love) work for an
MSSP.
Security Orchestration Table Stakes
Security orchestration should provide a centralized security operations
platform as the nucleus of security management. A single console gives
MSSPs a centralized, detailed view across multiple customers. Within the
scope of security orchestration are core features and functionality that should
be considered table stakes for any organization, MSSP or not.
Triage and Case Management
Triage
Streamline alert management and the triage process by eliminating noise,
grouping related alerts, and integrating multiple data sources to provide and
enrich insight across grouped alerts.
Case Management
Manage the entire SOC through a complete view presented in a single pane of
glass, which analysts can use as their primary workbench.
Playbook Library & Case Visualization
Playbook Library
Accelerate time to value with an out-of-the-box playbook knowledge base that
drives the full range of playbook requirements and provides a balance between
automation and analyst interaction.
Case Visualization
Visual representation of each case provides an intuitive understanding of
complex cases and threats in a fraction of the usual time required.
Reporting & Case Reduction
Reporting
One-click reporting of activity and KPI measurements to customers, with the
reporting and distribution process itself automated.
Case Reduction & Clustering
Reduces caseload via graph contextualization, clustering of contextually
relevant cases, and automated case prioritization.
Cyber Ontology
Automation & Workflow Authoring
Automation
Automate cumbersome manual processes with a machine-speed response.
Typical processes ripe for security automation include data normalization,
alert filtering and consolidation, and case enrichment.
Playbook and Workflow Authoring
Playbook design capability to create and implement analyst-customized
workflows (without scripting).
Additional MSSP Requirements
Be sure to look for solutions that go beyond core security orchestration
functionality to include these capabilities, tailored to the needs of MSSPs:
● Adapt workflows for similar use cases to specific customers
● Integrate SLA expectations with KPI performance measurement and
reporting
● Provide customer visibility through automated reporting and distributed
dashboards
● Support collaboration between MSSP security professionals and customer
resources
● Monitor health across the MSSP customer base
Multi Tenancy
Multi-tenancy (at the environment level, and in terms of data, permissions,
dashboards, reporting, and customer-specific playbooks) is crucial for any
MSSP that wishes to reap the full value of security orchestration across its
customer base while still giving its teams the proverbial single pane of glass.
Tenant separation is not just a convenience: one customer’s alerts, cases and
reports must never be visible to another.
Integration
Given the near-infinite possible configurations, a security orchestration
solution must be able to integrate with any environment. Out-of-the-box
integrations matter, as does an architecture that makes it easy to add
integrations for the endless data sets MSSPs will encounter: multiple SIEMs,
for example, and non-standard alert sources such as e-mail.
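What normalization, filtering, consolidation, enrichment and tenant isolation look like in practice, as an added example: this is illustrative code written for this page, not code from the original page or from any vendor’s product. The two SIEM formats, the e-mail subject template, the tenant names, the indicator and the threat-intel lookup are all constructed for the illustration.

```python
"""Added illustration: normalize multi-source alerts per tenant, drop noise,
consolidate related alerts into cases, enrich them, and enforce tenant isolation.
Every format, tenant, indicator and intel entry below is constructed."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass

SEV = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # common 1..4 scale


@dataclass(frozen=True)
class Alert:
    tenant: str
    source: str
    severity: int     # normalized 1 (low) .. 4 (critical)
    indicator: str    # the IP the alert is about
    rule: str


def parse_siem_a(tenant, payload):
    # constructed JSON format: {"sev": "high", "src_ip": "...", "rule": "..."}
    d = json.loads(payload)
    return Alert(tenant, "siem_a", SEV[d["sev"].lower()], d["src_ip"], d["rule"])


def parse_siem_b(tenant, payload):
    # constructed key="value" format with a 1..10 severity; (n+2)//3 maps
    # 1-3 -> 1, 4-6 -> 2, 7-9 -> 3 and 10 -> 4 onto the common scale
    kv = dict(re.findall(r'(\w+)="([^"]*)"', payload))
    sev = min(4, (int(kv["severity"]) + 2) // 3)
    return Alert(tenant, "siem_b", sev, kv["src_ip"], kv["rule"])


def parse_email(tenant, subject):
    # constructed subject template "[ALERT][HIGH] rule-name on 198.51.100.1";
    # anything else (ordinary mail) is dropped here: filtering at the edge
    m = re.match(r"\[ALERT\]\[(\w+)\]\s+(.+?)\s+on\s+(\S+)$", subject)
    return Alert(tenant, "email", SEV[m[1].lower()], m[3], m[2]) if m else None


PARSERS = {"siem_a": parse_siem_a, "siem_b": parse_siem_b, "email": parse_email}


def normalize(raw_events):
    """raw_events: (tenant, source, payload) triples. Unknown sources and
    malformed payloads are skipped, never guessed and attributed to a tenant."""
    alerts = []
    for tenant, source, payload in raw_events:
        parser = PARSERS.get(source)
        if parser is None:
            continue
        try:
            alert = parser(tenant, payload)
        except (KeyError, ValueError):
            continue
        if alert is not None:
            alerts.append(alert)
    return alerts


def consolidate(alerts, min_severity=2):
    """Drop noise below min_severity and group the rest into cases keyed by
    (tenant, indicator). Tenant is part of the key on purpose: two customers
    hit by the same IP get two cases, never one shared record."""
    cases = defaultdict(list)
    for a in alerts:
        if a.severity >= min_severity:
            cases[(a.tenant, a.indicator)].append(a)
    return dict(cases)


def enrich(cases, intel):
    """Attach an intel verdict and a priority (max severity + number of distinct
    sources that saw the indicator) so corroborated cases rise to the top."""
    out = {}
    for key, alerts in cases.items():
        sources = sorted({a.source for a in alerts})
        out[key] = {"alerts": alerts, "sources": sources,
                    "intel": intel.get(key[1], "unknown"),
                    "priority": max(a.severity for a in alerts) + len(sources)}
    return out


class TenantView:
    """Every read is scoped to the caller's tenant. A cross-tenant key is refused
    with an exception rather than silently filtered, so a dashboard bug fails
    loudly instead of leaking another customer's case."""
    def __init__(self, cases, tenant):
        self._cases, self.tenant = cases, tenant

    def list_cases(self):
        return {ind: c for (t, ind), c in self._cases.items() if t == self.tenant}

    def get(self, tenant, indicator):
        if tenant != self.tenant:
            raise PermissionError(f"{self.tenant} may not read {tenant}'s cases")
        return self._cases[(tenant, indicator)]


def cross_tenant_read_denied(cases, caller, tenant, indicator):
    try:
        TenantView(cases, caller).get(tenant, indicator)
    except PermissionError:
        return True
    return False


# Constructed sample feed: two tenants, two SIEM formats, one e-mail source.
RAW = [
    ("acme", "siem_a", '{"sev": "high", "src_ip": "203.0.113.7", "rule": "ssh-brute-force"}'),
    ("acme", "siem_b", 'severity="9" src_ip="203.0.113.7" rule="outbound-c2-beacon"'),
    ("acme", "email", "[ALERT][CRITICAL] ids-malware-callback on 203.0.113.7"),
    ("acme", "siem_a", '{"sev": "low", "src_ip": "10.1.1.1", "rule": "internal-port-scan"}'),
    ("globex", "siem_b", 'severity="5" src_ip="203.0.113.7" rule="web-scanner"'),
    ("globex", "email", "Re: lunch on Friday"),
    ("globex", "ticketing", "unsupported source, skipped"),
]
INTEL = {"203.0.113.7": "known C2 (constructed)"}


def build_cases(raw=RAW, intel=INTEL):
    return enrich(consolidate(normalize(raw)), intel)
```

Running `build_cases()` on the constructed feed yields two cases for the same indicator, one per tenant; the acme case is corroborated by three sources and outranks the globex one, the low-severity internal scan is filtered out, and a globex-scoped `TenantView` refuses to return the acme case rather than quietly returning nothing.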
MSSP Techstack
Let’s Go Shopping
For a deeper look and a full security orchestration shopping list, download
our MSSP buyer’s guide for security orchestration and automation.