The Intelligent MSSP

ElevenPaths    15 June, 2017
For years, Managed Security Services (MSS) have been the most effective strategy for tackling the growing and changing threat landscape. However, some disruptive factors are compelling a new approach to corporate information security. Specifically, we refer to technology factors, such as the blurring of the organization’s boundaries or the explosive growth of advanced threats; operational factors, like the increasing complexity of organizations’ processes; and business factors, for instance the compulsory requirement of implementing efficient risk management in order to invest the precise budget in security, no more, no less.
How can these requirements be addressed while keeping the complexity of a Managed Security Service under control?
This article identifies the compelling factors and proposes a layered framework for MSS that ensures the right coordination among technology, operations and business to protect the organizations of the future.

Gartner defines Managed Security Services (MSS) as “the remote monitoring or management of IT security functions delivered via shared services from remote security operations centres (SOCs), not through personnel on-site”. Most players in the security business consider MSS the most efficient approach to managing corporate security for any kind of organization; consequently, it is increasingly common for organizations to turn to an MSS Provider (MSSP) to delegate day-to-day security management, monitoring and remediation so that they can focus on their core business. Everybody agrees that security outsourcing implies cost savings, expert management and productivity improvement.

Compelling factors pushing the MSS evolution

Over the past few months, analysts, security providers and customers have warned about some compelling issues that are forcing a redefinition of Managed Security Services and, subsequently, a reconfiguration of the market players. These factors fall into three categories: technological, operational and business. Within the technological category, the most relevant components are the blurring of the organization’s defence perimeter, the explosive growth in advanced threats all over the world, and the fact that attackers change their evasion tactics just as quickly as corporations implement fences. Regarding operational issues, the main handicap to address is the increasing complexity of organizations’ processes (IT and OT). Finally, the business factors, the most recent, are perfectly summarized in the principle of business continuity above everything. There is no doubt: day-to-day reality has proved the need to evolve in order to keep ensuring successful protection.

The Four-Layer-Framework for MSS

The Four-Layer-Framework aims to divide the Managed Security Service, for the sake of simplification, into four intervention areas, through which to achieve a straightforward understanding of customer needs and future challenges, facilitate the incorporation of the newest protection technologies and analytic processing, standardize the operation process from SOCs, and put security at the service of the business. From bottom to top, these are the layers:

  • Operational layer: the processes, people and tools in charge of operation and automated response. We refer to what some analysts have come to call the Intelligence-driven Security Operations Centre (ISOC). The ISOC includes the capabilities of its predecessors (device management, security monitoring) plus its own distinctive ones: data-driven security, adaptive response, forensics, post-analysis for threat intelligence and dynamic risk management. This operational layer, and specifically the SOCs, should fulfil the current recommendations from relevant advisory firms, for instance: operate as a program rather than a single project; collaborate fully in all phases; use information tools adequate for the job, providing full visibility and control; implement standardized and applicable processes; and, maybe most important, have an experienced team with adequate skills and low turnover.
  • Technology layer: this level comprises the technology pieces in charge of specific security prevention and protection, from on-premise firewalls to security services such as Clean Pipes over Next Generation Firewall or CASBs. The originality of the proposal is to represent them as isolated elements that require the backbone capabilities in order to be part of an MSS offering. The main backbone capabilities in this layer are the interaction modules, which act as a collector that transmits events to the rest of the levels and as an actuator responsible for triggering the response in the form of policy management.
  • Analytic layer: this layer is the brain of the whole system, the element in charge of the massive event processing that enables data-driven security. We refer to the big data analytics platform that uncovers hidden attack patterns and carries out advanced threat management and response. Additionally, the analytic layer includes backbone capabilities such as cross-calculation of KPIs for general security status, a real-time risk management meter, event collection and storage, and a threat intelligence prosumer.
  • Delivery layer: the top level concerns how clients consume the managed security, with direct implications for the customer’s perception of the service. This layer comprises unified visibility and control and real-time risk management and compliance. We group everything under the heading of Business Security. Security is no longer only a technology issue or an exclusive area for IT departments; it is becoming a relevant factor in the business performance of organizations. There is broad consensus about the need for greater involvement of business areas and boards in security matters, and for them a technology language is not valid, only a business language. This layer makes security information understandable and actionable for the business and the C-level. An important element, then, is the integral security portal and its dashboards, with the precise granularity to satisfy the different organizational roles: security at a glance, real-time risk level and SLA performance for boards, or specific day-to-day incident and threat intelligence information for expert security analysts.

According to these principles, we have built SandaS, Telefonica’s MSS platform, which includes specific components to provide the backbone functionalities in each layer.

SandaS RA (Automatic Response) is the module that makes response possible from Telefonica’s SOCs all over the world. It is in charge of triggering mitigation and helping security experts resolve incidents. SandaS RA is deployed in each SOC and includes contextual categorization of alarms, integration with ticketing services and customer ticketing, automatic response over security equipment, and notification services.
SandaS CA (Alerts Collector) is in charge of collecting and normalizing alerts from security equipment (on-premise or cloud), SIEMs and security protection services, as well as gathering the raw events that feed our Data Management platform.
SandaS PA (Analytic Processing) represents the brain of SandaS. It performs two main functions. On one side, it generates real-time security KPIs according to temporal evolution and other configurable filters. This is very demanding work, since SandaS PA has to cross-process millions of events in milliseconds, which is only possible with a refined architecture design. On the other, it analyses raw events from multiple sources, using machine learning and other advanced correlation mechanisms, to uncover advanced threats that have gone unnoticed by the protection services. Additionally, SandaS PA includes mechanisms to interact with IoC sources, as well as to generate IoCs from the analyzed threat activity.
SandaS Portal is the piece through which customers consume MSS and perceive the benefit provided by the platform. It includes security status and performance dashboards, risk management and compliance tools, and other useful mechanisms for interacting with the rest of the layers.


An MSS is a complex ecosystem, where different technologies, providers, professionals and operational models live together, sometimes without getting on well. A backbone element is therefore compulsory to conduct the orchestra in the interpretation of the stunning symphony. In our understanding, this is the role of the MSS provider: being able to coordinate the multiple players in each layer and to standardize their interaction with those in the upper or lower layers. How can this objective be achieved? We think it is about people, process and tools. Nothing new, or maybe yes.

Francisco Oteiza Lacalle
Global Product Manager in Managed Security
