Delivering Carefree IT: Demonstrating the Value of an MSP for Clients’ Security Needs
Cisco
A life in cybersecurity is full of adjustments, adaptations, and updates. It’s a never-ending story, and a company’s security team has to be flexible enough to allow for the changes required at any given time. And when you’re a managed service provider (MSP), you also have to be flexible enough to balance these changes with individual customer needs.
Six months ago, Open Line adjusted our security process to address internal needs and simultaneously respond to our customers’ desire for transparency in security services.
Too Long to Take Action
Open Line is a fully certified MSP in the Netherlands, specializing in working with Healthcare, Government, and Housing Corporations. We have almost 300 employees, and Deloitte repeatedly ranks us as one of the best-managed medium-sized Dutch companies. When I joined the company as the Security and Privacy Officer in 2020, I told our general director and CEO that I intended to elevate Open Line’s security to a higher level and integrate our privacy and security efforts.
One of our adaptations in the security sphere is the evolution from blacklisting to whitelisting. In the past, we used anti-virus software that blacklisted anything that didn’t fit specific parameters. But the list of blocked activities got too long, so we transitioned to the whitelisting tactic, which flags any activity that deviates from normal behavior. The system blocks that activity and we can investigate it further. Whitelisting is one of the more popular threat detection response services we offer to our customers.
But as these suspicious events piled up, we uncovered a new problem: Our engineers had to sift through too many events to find the incidents that required immediate action. When whitelisting, it’s not unusual to get a false positive, where behavior is out of the ordinary yet benign. False positives lead to a backlog of events that need review, but few need anything else beyond that. We tried to automatically divert some of these events for specific customers to support team inboxes, but those mailboxes quickly filled, and attention to follow-up dropped.
At the same time, our engineers missed some important events because it took too long to find them. They spent so much time searching that they couldn’t spend time being proactive on other security concerns.
Reduced Reaction Time with SecureX Orchestration and ServiceNow
Open Line has long been a Cisco partner (we even received the 2021 Security Partner of the Year award), and I told Cisco about our difficulties with our incident handling process. They suggested we leverage Cisco SecureX, an extended detection and response (XDR) solution, to connect the security incidents on Cisco Secure Endpoint, Cisco Umbrella, and Microsoft Threat Protection with our existing workflow platform, ServiceNow.
Working closely with the Cisco DevNet team and Cisco Security Developer Advocate Christopher van der Made, we developed the workflows inside the SecureX Orchestration. When certain high-priority Secure Endpoint, Umbrella, and Microsoft Threat Protection events occur—such as when a computer becomes compromised—it automatically creates a ServiceNow incident to inform the service desk (and subsequently the SoC). The ServiceNow incident contains all the relevant information regarding the source event and a direct link to start an investigation in SecureX Threat Response. Filtering ensures only relevant events make it through to ServiceNow, reducing noise, and allowing our security analysts to focus on events that actually matter. Now, our engineers work off a single pane of glass: they can use SecureX, Secure Endpoint, Umbrella, and Microsoft Threat Protection in the background via ServiceNow.
This entire solution is built inside of the SecureX Orchestration:
- SecureX orchestration provides a no-to-low code approach for building automated workflows using drag-and-drop blocks.
- These workflows can interact with various types of resources and systems, whether they’re from Cisco or a third party.
- This repository contains workflows that can be imported into the SecureX orchestration and are easy to set up, without having to know code syntax.
Even though we built this workflow using a low-code orchestrator, it can also be built in Python or any programming language that supports API calls.
Using SecureX to manage events within our normal incident handling process means engineers don’t have to search for actionable items on multiple platforms. Instead, SecureX identifies the events that require immediate attention, and engineers receive alerts for those events through ServiceNow. This action has streamlined our incident management process, making it more effective and efficient. Not only have we eliminated the search for the most important events, but we have embedded the process in the operators’ existing way of working, which further reduces our reaction time.
We have also improved the quality of our responses. People are sometimes afraid to do the wrong thing when responding to a security incident. Before we adopted SecureX, some people were uncertain about taking the right steps to mitigate a threat. But Secure Endpoint categorizes incidents into one of 300 different incident types, 40 of which we prioritize for an operator to review. We have described the first course of action for each of these incident types, and if the incident needs further escalation, we forward it to the security team. It means that everyone now knows what to do, and it gives some peace of mind to the entire team.
Showing Clients the Value of an MSP
The benefits of this partnership aren’t limited to internal processes. Today’s clients want more transparency from their MSP. ISO certification is no longer enough. Clients face compliance pressures and have to prove to their auditor or accountant that they are in control of security—that means MSPs have to demonstrate that we are in control of the environment. With the combination of SecureX and ServiceNow, we can provide that proof to clients through a monthly service report. The report includes a list of security events that required action and the actions we took to resolve the issue.
Automated detailed reporting proves that we are in control of our environment, but it also demonstrates our activity and the value of our service. Many people think of cybersecurity as insurance: there just in case the unthinkable happens but plays no meaningful role daily. But our reporting shows the opposite. We are constantly taking action against threats and defending clients every day.
But clients don’t have to wait for the monthly report. If a client wants to look into their IT and security status, they can go directly to our ServiceNow platform. There, they can check in and obtain all relevant information in real time.
As Open Line continues to implement Cisco Zero Trust solutions for our clients, my dream is to forward all events within all of these solutions to SecureX. SIEM/SoC handles many events, but since we have the incident framework within SecureX, some of the SIEM/SoC functionality could be pushed down to the individual solutions underneath, further streamlining the incident handling process.
Elevating Security Operations and Client Awareness
Looking back, I wish I had introduced this solution sooner. We spent a lot of time building consensus around adoption, but having seen the benefits, I would’ve moved it directly into our production environment after testing the interface. The benefits speak for themselves—response times have decreased, the reaction quality has increased, and our engineers are more efficient. It’s also led to a better user experience for our clients, who can obtain all relevant information in real time. They have greater visibility into their environment and our worth as a MSP.
MSPs can’t operate alone. We have to consider the balance between the maturity of our operation and the maturity of our customers. Secure Endpoint elevates the maturity of our product, and the interface with SecureX and ServiceNow raises the maturity of our customers by creating awareness of security concerns.
Our mantra as MSPs should be to enable the carefree use of IT. No business can ever be 100% secure—that’s why we have to respond to security threats—but we can’t blame individual users for clicking on a sophisticated phishing email. The power of an MSP is in creating an environment where users can operate freely without the pressures of managing security incidents on their own. This project has increased the visibility of our work, and both Open Line and our clients are more confident in our ongoing fight against security threats.