How MSSPs can capitalise on compliance

By Innes Muir, Regional Manager, MSSPs, UK, EIRE and RoW, at Logpoint.

Monday, 10th June 2024. Posted by Phil Alsop.

There’s a raft of new regulations sweeping in that will force businesses to comply with much stricter mandates on their cybersecurity provisioning and breach disclosure. The second Network and Information Security Directive (NIS2) comes into effect from October 2024 and is much wider in scope, encompassing organisations providing both ‘essential’ and ‘important’ products or services, while those operating or providing third party IT services to businesses in the financial sector will need to comply with the Digital Operational Resilience Act (DORA) from January 2025. Both will impact any UK organisations that work or do business in the EU.

In the case of NIS2, organisations will see disclosure obligations become much more stringent, with enforcement in the form of punitive fines and measures. Incident reporting processes must be in place to allow the reporting of ‘significant’ incidents that result in the disruption of service or losses, which must be disclosed within 24 hours. This initial early warning should be followed by a full incident notification within 72 hours, and a final report is required within a month following the initial notification.

Failing to adequately disclose can see the business incur fines comparable to those under GDPR, i.e. €10 million or 2% of global annual revenue, whichever is greater, for essential entities, or €7 million or 1.4% of global annual revenue for important entities. What’s more, board-level executives and senior management can be held personally accountable and potentially face penalties relating to liability or a temporary ban from holding a similar position in the future.

DORA and NIS2

DORA takes precedence over NIS2 if the organisation finds itself in scope of both. Incidents deemed ‘major’ must again be declared in the form of an initial notification, an interim report and a final report, but ‘significant’ incidents or threats can be disclosed on a voluntary basis. The penalties incurred for non-compliance will be at the discretion of the competent authority overseeing its enforcement in that jurisdiction but are likely to be comparable, as provision is made to publicly state the nature of the incident and the identities of those implicated.

Central to both is the concept of cyber resilience through more effective detection and information sharing with respect to cyber threats and vulnerabilities. The idea is that collective defence will be far more effective than a piecemeal approach and that by anticipating worst case scenarios and improving detection and mitigation capabilities, organisations will be better prepared and will be faster to react. It’s becoming increasingly apparent that such a concerted effort is needed in the face of growing geopolitical tensions and nation-state attacks. These regulations will effectively create a minimum level of security across the board when it comes to risk management, security controls and incident handling. 

While MSSPs won’t be able to help organisations become compliant per se, these regulations undoubtedly present them with an opportunity to assist with the implementation of processes and controls to aid and abet compliance. Many organisations will struggle to find the necessary resource in-house, particularly given the acute skills shortages in cybersecurity, presenting the MSSP with the ideal opportunity to offer Managed Detection and Response (MDR).

MDR combines threat detection technology with human intelligence to analyse, locate and resolve incidents more effectively. It sees the MDR team amalgamate telemetry alongside data drawn from disparate sources to provide a comprehensive view of the customer’s cyber environment which, when used with machine learning, can adapt to changing situations. But the human element can really set the service apart, allowing the MSSP to integrate itself into the business and provide collaborative support.

The MSSP on the front line

For those that outsource some or all of their Threat Detection and Incident Response (TDIR), the MSSP will effectively be on the front line and will be fundamental in observing the regulations. Their ability to react to emerging threats at speed, qualify the severity of the incident and initiate response will be vital. It’s important to consider how to fulfil all of those as efficiently as possible, because time will be of the essence in determining whether an incident is deemed significant or major.

Using complementary technologies with a modern Security Incident and Event Management (SIEM) platform can help in this regard by allowing incidents and events to be validated and acted upon automatically. Key technologies include behaviour analytics, which looks for suspicious activity outside the realms of the user behaviour that is expected on the network. Its anomaly detection sees these events correlated with other anomalies to build up a bigger picture of what’s going on. 

Security Orchestration Automation and Response (SOAR) is another example. Based on the MITRE ATT&CK framework, this sees incidents classified and responded to automatically using threat-specific playbooks. Automated responses then kick in, driving down Mean Time to Detection (MTTD) and Mean Time to Response (MTTR) and limiting the impact of the incident. 

However, while the SIEM is at the heart of detection and threat hunting, it can be challenging for the MSSP who needs to be able to customise how the SIEM performs for each end-user organisation. Many MSSPs have attempted to create their own portals in an attempt to manage this but it can be cumbersome and unwieldy. In contrast, a purpose-built layer over the SIEM/SOAR/UEBA service offering can enable the MSSP to benefit from orchestrating TDIR across the client base while still being able to segregate information and push out individual configurations. Using a multi-tenancy console therefore centralises and simplifies management while still allowing deep dive investigations.

Using the SIEM for compliance

Providing these SIEM managed services can be a lucrative revenue stream for MSSPs but it also makes it much easier to ensure compliance. It creates a centralised view of the customer’s IT infrastructure, enabling the MSSP to quickly and automatically respond in the event of a compliance violation and to determine the root cause of the breach. This will be fundamental to meet the 24 and 72 hour reporting windows required by the authorities.

Moreover, regulation-specific dashboards are now available that map to the category requirements contained in the legislation. For example, when it comes to access, it’s possible to use a SIEM dashboard to see who has logged on to the network internally or externally, or where there have been failed logons to old accounts. Or perhaps the analyst wants to see who has been assigned admin rights and if this has changed over the last week. Any query can then be turned into an alert, with a playbook initiated if it is triggered.
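The two access queries described above, turned into alerts, as an added example that is not from the article or any vendor's product. The event fields, the 90-day definition of an "old" account and the playbook names are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed events; field names and values are assumptions, not a vendor schema.
EVENTS = [
    {"ts": "2024-01-15T09:00:00", "type": "logon", "user": "old.contractor", "result": "success"},
    {"ts": "2024-06-03T08:05:00", "type": "logon", "user": "asmith", "result": "success"},
    {"ts": "2024-06-08T02:14:00", "type": "logon", "user": "old.contractor", "result": "failure"},
    {"ts": "2024-06-08T09:30:00", "type": "logon", "user": "asmith", "result": "failure"},
    {"ts": "2024-05-20T11:00:00", "type": "role_change", "user": "bjones", "role": "admin", "action": "grant"},
    {"ts": "2024-06-07T16:45:00", "type": "role_change", "user": "cdavies", "role": "admin", "action": "grant"},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def failed_logons_to_stale_accounts(events, stale_after=timedelta(days=90)):
    """Failed logons to accounts with no successful logon in the preceding window."""
    last_success, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "logon":
            continue
        when = parse(e["ts"])
        if e["result"] == "success":
            last_success[e["user"]] = when
        else:
            seen = last_success.get(e["user"])
            if seen is None or when - seen > stale_after:
                hits.append(e)
    return hits

def admin_grants_since(events, now, window=timedelta(days=7)):
    """Admin rights assigned within the look-back window (default: the last week)."""
    return [e for e in events
            if e["type"] == "role_change" and e["role"] == "admin"
            and e["action"] == "grant" and timedelta(0) <= now - parse(e["ts"]) <= window]

def run_alerts(events, now):
    """Turn each query result into an alert that names a (hypothetical) playbook."""
    alerts = [{"rule": "failed_logon_stale_account", "user": e["user"],
               "playbook": "review-dormant-account"} for e in failed_logons_to_stale_accounts(events)]
    alerts += [{"rule": "admin_rights_granted", "user": e["user"],
                "playbook": "verify-privilege-change"} for e in admin_grants_since(events, now)]
    return alerts

if __name__ == "__main__":
    for alert in run_alerts(EVENTS, datetime(2024, 6, 10)):
        print(alert)
```

The recent failed logon for `asmith` and the older grant to `bjones` are deliberately in the sample to show that neither rule fires on them.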

Finally, prebuilt regulatory report templates can be used to ensure the right information is collected on a regular basis. These can then be used to prove to auditors the organisation is meeting its obligations as well as for management review. The latter is likely to be particularly important going forwards, as the C-suite need to prove due diligence.

In conclusion, MSSPs can help their customers observe the requirements and improve their security posture and resilience but to do so economically they will need to centralise operations and adopt such mechanisms. Those that do so are likely to reap real rewards, with compliance set to become a major driver for managed security services.
