Security Experts:

Tips to Help MSSPs Choose a Threat Intelligence Partner

As small and medium-sized businesses (SMBs) increasingly recognize that a reactive security posture is no longer sufficient for protecting their networks, managed security service providers (MSSPs) that cater to SMBs face both an immense opportunity and a considerable challenge.

The opportunity is for MSSPs to harness the growing demand among SMBs for proactive security services by augmenting their offering portfolios with threat intelligence. Indeed, an integrative and well-executed threat intelligence program can arm MSSPs with the visibility and context they need in order to preempt attacks on their clients’ networks and ultimately help them attain a stronger, more proactive security posture.

While building such a program in-house simply isn’t realistic for most MSSPs given the extensive resources required, those wishing to offer threat intelligence to clients can still do so through an external vendor. The challenge is that choosing which vendor to partner with can be exceptionally difficult for MSSPs due to the oversaturation and complexity of the threat intelligence market. Here are three tips that can help:

1. Collection strategy due diligence is imperative

As I discussed in one of my previous columns, collection strategy is both the biggest differentiator and most important factor to consider when evaluating a threat intelligence vendor. This is largely because a vendor can only provide intelligence on the threats and adversaries visible within the data sources its collection strategy covers. 

The key takeaway here for MSSPs is to do your due diligence on the collection strategies of prospective threat intelligence partners. Keep in mind that the best partner is one that provides extensive visibility into the types of threats and adversaries your clients face.

An MSSP that works primarily with retailers, for example, may want to consider partnering with a vendor whose collection strategy includes underground card shops, illicit forums frequented by fraudsters, and other types of data sources relevant to the various types of fraud—such as payment card, account takeover, and refund fraud—prevalent in the retail industry.

2. Don’t overlook the importance of finished intelligence

MSSPs less familiar with the threat intelligence space may initially feel overwhelmed with the seemingly countless different ways in which vendors describe the intelligence they offer. But there is one type of intelligence that is uniquely valuable and worth seeking in a partner: finished intelligence. This refers to intelligence derived from relevant data that has been contextualized, analyzed, and packaged in a consumable, understandable format alongside all necessary details. In other words, finished intelligence is actionable.

For MSSPs seeking to help their clients attain a more proactive security posture, finished intelligence can add context to disparate data feeds and indicators, provide insight into the motivations and capabilities of threats and adversaries, and help inform the correct course of action needed to mitigate the risks posed by those threats and adversaries. Unfortunately not all vendors offer finished intelligence, but given these benefits, MSSPs should strongly consider partnering with one that does.

3. Consider your existing services and technologies 

Most MSSPs rely to some degree on technologies including firewalls, security event and information management (SEIM) systems, and orchestration platforms to service their clients. Integrating threat intelligence, as well as the data from which it is gleaned, into these technologies can bring additional context and efficiency to the use cases they support—from log monitoring and vulnerability management, to incident response and threat hunting. Naturally, this requires a threat intelligence partner with suitable integrations and/or an API, both of which are crucial for MSSPs to seek out and evaluate when considering prospective partners.

Although these three tips are only a few of many other important considerations when selecting a threat intelligence partner, they are a good starting point. Above all else, MSSPs should keep in mind that since they are often a lifeline to their clients, any partnerships they establish to better support these clients—regardless of business benefits—should always be approached  thoughtfully.  

view counter
Josh Lefkowitz is the CEO of Flashpoint, which delivers Business Risk Intelligence (BRI) to empower organizations worldwide with meaningful intelligence and information that combats threats and adversaries. Lefkowitz has worked extensively with authorities to track and analyze terrorist groups. He has also served as a consultant to the FBI's senior management team and worked for a top tier, global investment bank. Lefkowitz holds an MBA from Harvard University and a BA from Williams College.