Using Playbooks To Enable Cyber Security Services for MSPs
The Challenge of Building Cyber Security Services

Cyber security is an increasingly important part of business. If you’re an MSP, your clients rely on you to maintain a secure environment, that is, clients largely outsource responsibility for cyber security to their service provider.

But cyber security is challenging. The threat landscape in the cyber world is constantly evolving, with new forms of attacks and threats emerging daily. Cyber security is also highly technical having developed it’s own language and jargon well beyond the scope of traditional information technology. Cyber resources are scarce and expensive. 

The challenge for MSP’s is how to maintain a secure environment to their clients and have the resources in-house to respond to incidents if-and-when they occur. At the same time, MSP’s need to maintain and grow service portfolios that continue to contribute to the company’s bottom line.

It is a juggling act, and not one that is going away anytime soon.

To address this, many MSPs partner with dedicated MSSPs to provide specific cyber security services to their clients. Whilst this is viable in the short term, it results in the MSP losing valuable services revenue by off-loading cyber security to a third party. 

More importantly, cyber security doesn’t exist in isolation. It is an integral part of almost every facet of IT infrastructure. Third party MSSPs may be able to identify and interpret cyber events, but response and remediation requires a broader understanding of the IT environment that only MSPs have. Dealing with cyber events involves traditional MSP activity such as patching, network analysis, the ability to isolate machines, user education, multi-factor authentication, application whitelisting and the list goes on from here …

Cyber security, as a discipline, sits much more comfortably with MSP’s but the challenge to upskill in existing staff to deliver cyber security makes this a difficult proposition. The challenge for MSPs is how to navigate the transition to include comprehensive cyber security services into your service portfolio.

The Fundamentals of Implementing Cyber Security

Cutting through the complexity, effective cyber security comprises 3 fundamental steps:

1. The ability to identify cyber security issues.

2. Understanding what risk posed by cyber events in your environment.

3. How to remediate and recover from events when they do occur.

Identifying cyber events is reasonably well addressed with modern tools; systems such as firewalls, IDS systems, event logging, endpoint agents all provide a great level of detail with regards potentially malicious activity. Understanding risk in the context of your environment is more complex but also somewhat addressed through tools such as vulnerability management and EDR. 

By contrast, remediating or recovering from cyber events is usually undertaken by humans. That is, specialised cyber security experts that can understand, interpret, and take action on events as they occur. The reliance on scarce or non-existent specialised cyber security resources to understand and provide remediation often constrains MSPs from developing cyber security services for their clients.

The Problem with Cyber Security Tools

Most cyber security tools fall short of achieving the 3 objectives above. Cyber tools are typically built for cyber security experts and present information in a highly technical format inaccessible to generalist IT engineers. That is, most cyber tools identify the threat, they may even present an assessment of the risk in the context of your environment. What they typically ‘don’t’ do is provide a playbook for response and remediation.

To illustrate, let’s look at a real life cyber security event. The IDS/IPS system throws an event such as:

Name: Possible SSDP Amplification Scan in Progress
Severity: Warning
Type: Attempted Denial of Service

Curiously this is only rated as a ‘Warning’ not ‘Critical’, and to me at least this sounds like a pretty serious event that probably needs some action. The problem is that I have no idea of what a ‘Possible SSDP Amplification Scan’ is, I have no idea what devices this may affect and more importantly I have no idea what to do about it.

Worse still, most security tools provide no further information about events or how to deal with them.

Using Playbooks to Enhance Cyber Security Services

Byte25 have been working with MSPs to solve this fundamental issue. That is the issue of how to respond when issues occur. We call this the Byte25 Playbook.

The Byte25 Playbook provides a concise, easy to understand explanation of what each event means, a simple explanation of how to identify whether specific events are an issue in your environment, and most importantly and set of instructions of what to do to remediate and recover from events when they occur.

The screenshot below shows part of the Playbook entry for the SSDP Amplification Scan in Progress event mentioned. The Playbook entry provides a plain language description of the event, a detailled explanation of how th eevent was identified and where potential vulnerabilities may lie and more importantly, steps to deal with and remediate the event should it be a risk in your environment.

Providing playbooks for all critical security events significantly improves the time needed to respond to events as well as educating your existing help desk staff in cyber security.

The Byte25 Playbook allows MSP’s to leverage their existing staff to respond to cyber security events that previously would have required dedicated and expensive cyber security resources. Over time, your existing staff become more cyber literate allowing an even higher level of service.

This keeps your customers safer and more importantly allows you generate additional revenue streams through the implementation of cyber security services without having to invest in additional cyber security headcount or outsource to third party MSSP’s.

Talk to Byte25 today to see how the Byte25 Playbooks can help to develop cyber services for your MSP.