As security professionals, we like to imagine ourselves diving through the air to stop that ransomware-infected thumb drive going into the unsuspecting user’s USB port. Or stopping the Stuxnet virus before the nukes launch, sending us into WWIII.
The truth is, a lot of the time, things are rather quiet for us. We’ve built our walls, and for the most part, no one is getting in. So how do we keep our clients engaged when there is no threat to report? How do we remind them we’re here looking out for them when all is quiet on the Western Front?
As a Managed Security Service Provider (MSSP) partnering with AlienVault, we create high-quality touchpoints. Bits and pieces of value to prove our worth and provide our clients with tangible, useful information. I’ll share a few such touchpoints that have proven valuable to our clients.
Use your SIEM to find misconfigurations
I had a client express concern recently over a massive spike in “deny” entries in his firewall logs. Due to external networks and segmentation, a lot of his company traffic hit the firewall, and consequently preventable misconfigurations were causing unnecessary network traffic.
We enabled a rule to show firewall blocks coming from inside his network. The rule was simple enough to set up. We were looking for a deny from a single IP and then 10 more occurrences from the same IP to and from “HOME_NET”:
Within minutes our SIEM produced a circle the size of Jupiter, representing thousands of alarms fired. After a day we racked up 38,000 alarms! From there I could produce a report showing the top offenders, enabling our client to work with his team to remediate the issues. Happy client.
Run reports you have created for other clients
One of our clients likes to see a report from AlienVault that shows the IP addresses of known bad actors, otherwise known as the Open Threat Exchange (OTX) report. I send it weekly, and he will then shun the top 5 or 10 at the firewall level. I have since shared this report and idea to block the top offenders with other clients, who have gladly jumped onboard with the weekly regimen.
Here is a sample of the report showing 15-16K SIEM events coming from the same IP(s) and known malicious actors:
Good information, right? Yes, let’s kick 220.127.116.11 to the curb!
Another report we get great response from shows new assets in our SIEM. I can select a radio button to “show assets added last week” and then download that and send to my client. This is of course good information from a security standpoint as well as asset inventory and general housekeeping. Lastly, automate your reports to keep your name in the client’s inbox!
Follow up on security incidents
We often end an email regarding a security incident with something along the lines of, “we’ll keep an eye on things and reach out if we see any new activity.” This is good and you should do just that, but you should formalize the process and produce an incident report. Clients like this and it doesn’t have to be a novel. Just basic facts:
- Date and time of the incident
- Description of the events
- Systems involved
- Remediation steps
Other ideas for MSSP touchpoints
- Share your expertise with a monthly newsletter on current trends in the wild
- Offer to schedule vulnerability scans to meet compliance regulations
- Schedule a monthly call to review the month’s security events
- Send an email to simply state things are looking good ask if they need anything?
Don’t let your clients only hear from you in times of crisis and security incidents. You won’t talk to them as often as you should and they will begin to associate you and your company with bad news!