Today’s Managed Security Service Providers (MSSPs) are trying to grow their business quickly, improving margins and onboarding customers with high-quality tool sets that scale with the business. This means reducing cost, improving onboarding time and building the next generation of Managed Detection and Response (MDR) to deal with threats that are increasing in volume and sophistication.
Using cloud-native services is essential to handle fluctuating requirements in today’s modern MSSP customers, who are adopting more cloud services than ever before. To run an efficient business, MSSPs must leverage automation to enable the Security Operations Center (SOC) to triage and respond to threats as quickly as possible.
Security Information and Event Management (SIEM) is the centerpiece of any SOC, and this was no different for this leading Canadian MSSP providing MDR services.
Integrating and correlating diverse sets of data is a requirement. Meeting the needs of today’s diverse organizations requires that Logz.io Cloud SIEM include the flexibility provided by an Application Programming Interface (API) centric solution. Additional requirements from this Canadian MSSP include multitenancy, and being able to allocate quota and usage across customers with the click of a button, or an API call. Logz.io provides all of these capabilities in today’s SOCs.
Combining Tines’ SOAR platform with Logz.io Cloud SIEM within the SOC enabled the MSSP to centrally collect alerts from the SIEM and use Tines to build automated workflows around them.
Within most SOC teams there are tiers of engineers, where a junior analyst may initially triage and resolve an issue, while a more senior engineer may have to investigate a new or complex threat. Tines facilitates auto-closing, assigning, or escalating cases to the appropriate engineers and updating or closing tickets automatically, among other actions. These playbooks are critical when creating a repeatable and well-defined process, which MSSPs need in order to operate efficiently at scale.
Similarly, when the MSSP identifies an active incident, Tines is used to collect relevant logs in an automated manner. For example, if an incident is tied to a specific Internet Protocol (IP) address, Tines can query the SIEM and collect all events that include that IP address. Another use case is an alert for multiple failed logins: when Logz.io Cloud SIEM sends that alert to Tines, Tines queries Logz.io Cloud SIEM for the related events so the analyst has the relevant data at hand.
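To make the failed-login workflow above concrete, here is an added example in Python that is not code from Tines, Logz.io, or the MSSP. It models the same steps a SOAR playbook would run: receive an alert carrying a source IP, pull every SIEM event for that IP, summarize the login activity, and decide whether the case is auto-closed, assigned to a junior analyst, or escalated to a senior engineer. The SIEM query is a hypothetical in-memory function over a constructed event list (the field names `src_ip`, `user`, `action`, `outcome` are an assumption for this example, not Logz.io's schema), and the tier thresholds are illustrative.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample events standing in for what a SIEM search by IP would return.
# Field names are an assumption for this example, not the Logz.io schema.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-01-01T10:00:01Z", "src_ip": "203.0.113.7", "user": "alice", "action": "login", "outcome": "failure"},
    {"ts": "2024-01-01T10:00:05Z", "src_ip": "203.0.113.7", "user": "alice", "action": "login", "outcome": "failure"},
    {"ts": "2024-01-01T10:00:09Z", "src_ip": "203.0.113.7", "user": "bob", "action": "login", "outcome": "failure"},
    {"ts": "2024-01-01T10:00:14Z", "src_ip": "203.0.113.7", "user": "bob", "action": "login", "outcome": "failure"},
    {"ts": "2024-01-01T10:00:20Z", "src_ip": "203.0.113.7", "user": "carol", "action": "login", "outcome": "failure"},
    {"ts": "2024-01-01T10:00:25Z", "src_ip": "203.0.113.7", "user": "carol", "action": "login", "outcome": "failure"},
    {"ts": "2024-01-01T10:01:00Z", "src_ip": "203.0.113.7", "user": "alice", "action": "login", "outcome": "success"},
    {"ts": "2024-01-01T10:02:00Z", "src_ip": "203.0.113.7", "user": "alice", "action": "file_access", "outcome": "success"},
    {"ts": "2024-01-01T10:00:30Z", "src_ip": "198.51.100.9", "user": "dave", "action": "login", "outcome": "failure"},
]


def query_events_by_ip(events: List[Dict[str, str]], ip: str) -> List[Dict[str, str]]:
    """Hypothetical stand-in for the SIEM search the playbook issues for one IP."""
    return sorted((e for e in events if e.get("src_ip") == ip), key=lambda e: e["ts"])


@dataclass
class Triage:
    ip: str
    failed_logins: int
    distinct_users: int
    success_after_failure: bool
    decision: str  # auto_close | assign_junior | escalate_senior
    reason: str


def triage_failed_login_alert(alert: Dict[str, str], events: List[Dict[str, str]],
                              failure_threshold: int = 5) -> Triage:
    """Enrich a failed-login alert with the IP's related events and pick a tier."""
    ip = alert["src_ip"]
    related = query_events_by_ip(events, ip)
    logins = [e for e in related if e["action"] == "login"]
    failures = [e for e in logins if e["outcome"] == "failure"]
    users = {e["user"] for e in failures}

    # A successful login after the failures is the strongest signal: the
    # brute-force or spray may have worked, so a senior engineer should look.
    success_after_failure = False
    if failures:
        first_failure_ts = failures[0]["ts"]  # related is already time-sorted
        success_after_failure = any(
            e["outcome"] == "success" and e["ts"] > first_failure_ts for e in logins
        )

    if success_after_failure:
        decision, reason = "escalate_senior", "successful login followed failed attempts"
    elif len(failures) >= failure_threshold and len(users) >= 3:
        decision, reason = "assign_junior", "failures across several accounts (spray-like pattern)"
    elif len(failures) >= failure_threshold:
        decision, reason = "assign_junior", "repeated failures against one account"
    else:
        decision, reason = "auto_close", "failure count below threshold, no success observed"

    return Triage(ip, len(failures), len(users), success_after_failure, decision, reason)


def route_ticket(triage: Triage) -> Dict[str, str]:
    """Map the decision to the ticket update the playbook would apply (illustrative)."""
    routing = {
        "auto_close": {"status": "closed", "assignee": "none"},
        "assign_junior": {"status": "open", "assignee": "tier1"},
        "escalate_senior": {"status": "open", "assignee": "tier3"},
    }
    update = dict(routing[triage.decision])
    update["note"] = f"{triage.ip}: {triage.failed_logins} failed logins across "\
                     f"{triage.distinct_users} users; {triage.reason}"
    return update


if __name__ == "__main__":
    for alert in ({"src_ip": "203.0.113.7"}, {"src_ip": "198.51.100.9"}):
        t = triage_failed_login_alert(alert, SAMPLE_EVENTS)
        print(t.decision, route_ticket(t))
```

The decision order matters: a success following the failures is checked first, because it changes the case from "noisy brute force" to "possible account compromise" regardless of the raw count, which is exactly the kind of context a junior analyst would otherwise have to dig out of the SIEM by hand.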
The need for automation to be robust, flexible, and easily programmable is why modern SOCs are moving away from bundled SOAR solutions in favor of best-in-breed, no-code solutions like Tines.
It is critical that security teams make the right decision at the right time. This can only happen when the data from your other tools is accessible, and when the time-consuming manual workflows are automated by those on the front line.
With increased visibility, control, and bandwidth, security teams can go deeper when necessary and respond to today’s threats faster and at scale.