How MSSPs Can Utilize SOAR to Provide Better MDR Services to Their Clients

Back to all articles

MDR services

I spent several years working for a global Managed Security Service Provider (MSSP). I started off as a security analyst and worked my way up the ranks to become a security engineer, where I was responsible for updating and maintaining numerous clients’ security programs. When I first started with the MSSP, it was very much like all security programs at the time. A lot of the alerting had to do with static signature patterns, and we really weren’t in the new era of using artificial intelligence and machine learning to find out further intelligence. It gradually got to a point where attacks were becoming so sophisticated that the static signature analysis was no longer going to cut it. Just like with everything technology and security related, it evolved quickly.

Emerging Trends

The continued advancement in sophistication of these new attacks required us to move from the static signature and pattern matching previously used, to needing to be able to fully understand the patterns and behaviour of our attackers, as well as the tactics and techniques they were using. Just as our detection mechanisms were forced to change, so were the strategies we were using to provide detection and response services to our clients. These strategies are what we know today as Managed Detection and Response (MDR) services.

MDR is an offering which provides a combination of technology and skill to deliver advanced services such as threat intelligence, threat hunting, security monitoring and alerting, incident analysis and incident response, all in one combined service offering. It took traditional MSSP service offerings and applied advanced security tactics, such as user and entity behaviour analytics, to provide deeper detection capabilities to be able to offer remediation functions that were previously not available to our clients in the past. As you can imagine, this more in-depth service offering had numerous benefits which could almost immediately be recognized by our clients.

What Are The Benefits?

One of the first and perhaps the most important benefits is the ability to better utilize and allocate an organization’s staff. MDR services provide a helping hand to organizations usually who are experiencing a staffing shortage, which I am sure a lot are, and they can take the detection and remediation tasks directly off the organization’s plate. Using advanced detection technologies, the false positive rate will begin to decrease and only the advanced incidents with a higher priority will be raised for analysis.

These technologies also have the ability to not only detect, but to act and quickly respond to a potential security incident. This will allow for security staff to concentrate on executing more important security projects, such as vulnerability remediation, new policy and procedure creation and updates, and asset management, all of which will help improve their overall security posture and maturity level.

Another benefit MDR services have is the ability to accelerate the detection and remediation of both known and unknown threats to an environment. MDR services go far beyond the static pattern signature matching which used to comprise the entire security market. With the use of machine learning and artificial intelligence, these services can now uncover malicious behaviours, whether they have been previously observed or not. With dwell times numbering in the hundreds of days, the ability to detect or uncover these actors can mean the difference between a single incident or a full blown breach.

And finally, MDR services can provide full visibility into an organization's environment by having the ability to ingest a wide variety of event sources. This benefit is absolutely crucial to being able to put together a full picture of an attack. It will actually ensure there’s no piece left uncovered and that an attacker won’t actually retain its control over the entire environment. However, as with anything, providing these services does not come without its challenges. One reason why an organization may decide to work with an MSSP is because they’re experiencing staff shortage, or the staff that they do have may not have a full understanding of how a detection and response strategy should be executed.


Historically, the approach to security has always been one of a preventative stance, which has begun to shift from preventative to detection and response. This is not saying that preventative measures are no longer necessary or unimportant, but it highlights that preventative measures are only one piece of the larger puzzle. Organizations will look to it as a piece for professional guidance on how to make this shift. Unfortunately, bridging this gap can be a very difficult task because I am sure, as everybody knows, all organizations are different, and how an instance should be responded to may be just as different as the organization itself.

Another unintentional challenge organizations and MSSPs alike are seeing today is due to the flood of new and advance security product lines being introduced to the market. Because attacks are becoming more sophisticated, they’re being forced to come up with more sophisticated means in detecting these threats. This flood of new devices has essentially created a product segmentation in their internal environments, which can really create gaps in detection and response efforts. As the use of multiple tools requires the use of several dashboards and process flows to work together, to be able to gather all of the data and evidence necessary to properly investigate an incident, this can take up valuable time and may actually lead to overlooking or missing vital information. Simplifying this into one single intuitive platform could definitely help analysts piece together the evidence necessary to make a solid determination on how to handle a potential incident.

And finally, another challenge commonly faced by MSSPs, including from my own experience, is how the MSSP actually provides its services to clients. Managed detection and response services are usually offered as a separate service offering outside of the security operations center, incident response, and even auditing teams, that typical MSSPs can provide to clients. If not approached carefully, this can really complicate response efforts.

I remember when I was a security engineer, one of my clients was experiencing an incident, and we had to get hold of our incident responders. There was a lot of data that I worked with day in and day out, that my incident responders needed. Incident responders don’t always have access to the actual data they need, so they were heavily relying on me to be able to pull it for them. At the time I didn’t really have any incident response experience, so being able to think like an incident responder was a challenge. I was pulling the information I thought was necessary to help with the investigation, but often they needed something different which I had not thought of. In this situation it caused some manual delay in getting the correct information needed to quickly be able to triage the incident.

The Solution

Lucky for all of us, the cybersecurity industry is made up of problem solvers. As managed detection and response has started to become more widely adopted and its challenges and benefits have become more commonplace, today we have sought to overcome these challenges and to further strengthen its benefits. As a result of doing this, Security Orchestration, Automation and Response (SOAR) has been introduced.

SOAR is defined by Gartner as technology that enables organizations to collect security threat data and alerts from different sources, or incident analysis, and triage can be performed leveraging a combination of human and machine power to help define, prioritize and drive standardized incident response activities according to a standardized workflow.

Essentially, SOAR is a tool which allows an organization, whether an Enterprise or an MSSP, to define incident analysis and response procedures in a digital workflow format, such as a range of machine-driven activities which can be automated. A SOAR platform is comprised of four different components. The first component is the orchestration and automation piece, which allows for the creation of automated investigational tasks and to also orchestrate actions to be taken by the network and security products, without any need of human interaction. The second piece is threat intelligence management. This will allow the ingestestion and operationalization of internal and external threat intelligence feeds, which will help to better prioritize and respond to any potential incidents.

The third piece is case and ticket management, which for a very long time had been its own standalone beast - incident responders have had to very carefully cultivate and maintain a separate ticketing and case management system outside of their other response efforts, which can take up a lot of time and effort, and there could always be room for missing certain pieces of information which is critical in documenting a potential incident. And finally, what drives the whole SOAR platform is the workflow engine. This piece will take all three mentioned components and have them work together as one unified solution.

A SOAR solution aims to benefit multiple areas of a security program and the services an MSSP has to offer, but the most relevant is how it can help to better provide managed detection and response services to its clients.

The challenges I highlighted earlier could easily be overcome by the introduction of SOAR to an MSSPs’ service offerings. SOAR accomplishes orchestration and automation capabilities through the use of what’s called automated runbooks or playbooks. These runbooks and playbooks can be built with the correct detection and response strategies necessary to resolve a potential incident. This allows the MSSP to provide its clients with the confidence that every incident will be handled consistently and correctly, while also guiding their internal teams with the investigational steps that were used in passing that knowledge transfer onto them. Another benefit that SOAR adds is that it completely eliminates product segmentation through its orchestration capabilities.

When building out response efforts for investigational types, the full range of a client’s product line can be utilized by tying the security and network devices together, regardless of vendor, through the use of API calls which are known to each product line. This capability will allow similar products to seamlessly integrate, speak to each other and actually take action without any kind of human intervention required.

Lastly, working from a SOAR platform provides the MSSP, client and the support teams with the ability to work from one unified tool. This tool will allow individual teams to quickly gather evidence provided from either the outcome of automated actions taken beforehand, steps taken by previous team members in the past, and/or historical trending information, all which will allow the MSSP and its client to view and track exactly what response efforts were taken, to accelerate remediation, and at the same time unify the separate teams into one incident response team.


These are just a few of the many benefits SOAR can bring to a security program. By combining SOAR with managed detection and response services, MSSPs can provide a solid and unified answer to some of the most difficult challenges and sophisticated attacks that their clients are increasingly being faced with.

For more information on this topic, keep an eye out for our upcoming webinar where we will be going into more detail about DFLab’s IncMan SOAR solution and its very latest features and capabilities designed especially for MSSPs.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo