Content

4 Ways MSSPs Are Increasing Their Margins With Next-Generation SOAR

Green arrows moving up to indicate stock market growth

Why are MSSPs driving the growth in the SOAR market? The answer is simple: Adding SOAR makes good business sense.

And, while automation and orchestration platforms have existed for some time, it’s the arrival of next-generation SOAR that is attracting the most interest. Next-generation (or NextGen) SOAR refers to automation and orchestration capabilities that go beyond enrichment and workflow automation, giving MSSPs the ability to minimize manual tasks across the board and ‘close the loop’ with full-lifecycle, automated incident response and proactive threat hunting.

For MSSPs who have added these capabilities, the benefits have been significant. Being able to offer full-lifecycle MSSP and MDR services, improving customer-to-analyst ratios, and achieving greater profit margins are not only goals for the security operation; they are goals for the business overall.

Unique among security tools, the next generation of SOAR technology gives an MSSP the ability to transform its business. In this article, we’ll showcase four outcomes that are driving transformative change at MSSPs right now.

1. NextGen SOAR Enables Higher-Value Capabilities

MSSPs use SOAR as a differentiator that expands the range of services they can provide, and the revenue they can bring in. Even if you are simply monitoring alerts for your clients, SOAR enables you to integrate with all of your clients’ alert sources as well as threat intelligence sources. So you can drive alerting from more sources and offer more comprehensive triage, correlation, and enrichment.

For MSSPs that have wanted to reimagine their offerings and stay ahead of the increasingly competitive field, SOAR’s response capabilities also enable MDR-like functions. With SOAR, you can handle the entire incident lifecycle if necessary—such as enriching alerts with intelligence and orchestrating response actions—even if you don’t have direct access to your client’s tools. Instead of simply alerting their clients of threats, MSSPs that use SOAR are able to resolve threats themselves, allowing them to ‘close the loop’ and maximize the value they provide.

The possibilities for ambitious MSSPs are expansive. We have seen MSSPs use SOAR to offer threat hunting services, by collecting IOCs from incidents in the SOAR tool and running playbooks that orchestrate searches for those IOCs across the tech stack. With next-generation SOAR tools, you can also grow revenue through desirable add-ons like MITRE ATT&CK TTP correlation and reporting.

2. NextGen SOAR Improves Analyst-to-Customer Ratios

Increasing margins isn’t just about adding new services. With the shortage of cyber security analysts, MSSPs that can scale their customer base without additional resources have a huge advantage. The operational efficiencies unlocked by using SOAR have enabled many MSSPs to meet their ambitious growth goals.

When you use a SOAR tool as your operations hub, analysts can manage a single queue with no screen-switching or manual correlation. Even when an analyst is managing multiple clients, they can just switch between sites in their multitenant SOAR tool. No matter what tools your clients are using, your team can stay efficient on a single interface.

Automation and orchestration also increase the efficiency of MSSPs that use SOAR. Their analysts spend much less of their day on time-consuming tasks like alert triage, because the SOAR tool automatically enriches alerts with threat intelligence, IOC correlations, and risk scores. Automation-powered playbooks also standardize an MSSP’s best-practice-based workflows, ensuring that analysts are always on the right path, not wasting time trying to find it.

3. NextGen SOAR Helps Eliminate False Positives

Speaking of alert triage and wasting time… we’re going to make a bold claim here and say that the single biggest time waster for security analysts—and the biggest threat to an MSSP’s margins—is all the time spent on false positives. Do you agree?

If you do, you’ll be pleased to hear that MSSPs are leveraging next-generation SOAR to eliminate false positives and thereby reduce assigned alerts by up to 90% for some customers. Hundreds of integrations and the ability to search for IOCs and TTPs across the technology stack enable SOAR tools to filter out false positives and validate real incidents. SOAR case studies show that MSSPs can automate enrichment from numerous integrated threat feeds, check IOCs against integrated tools like EDR and firewall, and give risk scores to ingested alerts.

Unlike other methods for reducing false positives, like relying on perfectly tuned SIEM rules, SOAR tools’ ability to run automated triage playbooks make it a safe way to reduce alert volume without the risk of missing something important.

4. NextGen SOAR Makes it Easy for MSSPs to Onboard New Clients

Scaling your business is very difficult if you have to use a ton of resources every time you onboard a new client. Luckily, SOAR makes onboarding new customers faster and easier.

With next-generation SOAR, MSSPs can drive alerting from their clients’ toolsets, whether those clients utilize cloud, on-premise, or hybrid environments. Thanks to hundreds of available integrations, an MSSP analyst only needs a few clicks to begin ingesting data from any number of client tools. This allows MSSPs to execute onboarding and begin delivering security services faster, without tying up software or engineering staff.

Another way to speed onboarding is through a playbook library. With next-generation SOAR, an MSSP can offer clients turnkey, proven playbooks that enable day-to-day security operations, totally independently of the underlying tech stack. Keeping playbooks and processes independent from the tech stack gives MSSPs greater flexibility and scalability when it comes to onboarding new clients, as well as when the MSSP or client chooses to switch or bring on new tools, such as switching from one firewall provider to another. Another example is when MSSPs are serving a customer who makes a lot of acquisitions. SOAR makes it easy to bring the newly acquired entity or division ‘into the fold’.

Learn What the Next Generation of SOAR can do for You

D3 supports MSSPs in every corner of the globe and enables high-value, highly differentiated MDR services with our next-generation SOAR platform. D3 Security’s SOAR platform supports full multi-tenancy, so you can keep client sites, data, and playbooks completely segregated. Importantly, we’re vendor-neutral, so no matter what tools your clients use, our 500+ integrations will meet their needs. And finally, innovations like our Event Pipeline—which reduces alert volume by 90% or more—provide massive value to MSSPs that monitor a lot of alerts for clients.


Blog courtesy of D3 Security. Read more D3 Security guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.

You can skip this ad in 5 seconds