Good move by Secureworks partnering with Microsoft. I wrote a blog just a few days ago about how cloud providers are blurring the lines in cybersecurity services delivery, especially in managed security services.
Cloud providers must offer cybersecurity services within their infrastructure because security analysts are overwhelmed with alerts, and many organizations simply do not have the necessary technical acumen to detect and respond (see research chart below). Both AWS and Microsoft offer visibility into logs and incident investigative tools, but cloud providers only have visibility into their native architecture, not the internet in the wild; and while services proactively hunt the adversary, Amazon GuardDuty, for example, only does so in AWS accounts and workloads. It is in this gap where an MSSP provides the connective tissue for ongoing monitoring, alerting, detection, and response.
In this announcement, managed security service provider (MSSP) Secureworks states it will partner with Microsoft to help mutual customers detect advanced cyber threats and to ultimately increase response time to more effectively reduce risk of breach. Secureworks’ SaaS application, Red Cloak Threat Detection & Response (TDR), will ingest raw telemetry from the Microsoft Defender Advanced Threat Protection (ATP) platform, further augmenting the threat data that fuels the MSSP’s advanced analytics.
MSSPs are vendor- and cloud-agnostic by definition. Threat hunting occurs across the MSSP community of clients, creating in essence a potential treasure trove of crowdsourced threat insights to help the collective. The trick is to have the bandwidth and skill to analyze this trove and to augment that skill with machine learning (ML). Secureworks has over 20 years of experience with hunting the adversary both with human skill and with ML. Red Cloak TDR uses a host of detectors that rely on a variety of machine learning, deep learning, and behavioral techniques. Customers can engage the Red Cloak TDR SaaS application in house or as a managed service, which offers additional support for threat hunting and incident response.
Cloud provider cybersecurity services are critical tools as organizations become more fully vested in the public cloud. Until infrastructure-as-a-service (IaaS) vendors like Microsoft and AWS become agnostic to which infrastructure the client is running, which may be a longshot, bolstering the beleaguered security analyst’s threat visibility and analytic bandwidth is necessary. This, among other reasons (which I'll get to in future blogs), is why fundamentally MSSPs still matter.