`

Bar Talk: The Buy vs. Build Dilemma

Two MSSP security analysts walk into a bar…

“Hey man. How’s things at your new company?”

“Lousy. I work all day and all night and never seem to get ahead of things.”

 “Why’s that?”

“Our SIEM just spits out a firehose of alerts all day long and I get to clean up the mess. It’s really wearing me down.”

“Why don’t you guys do something about it? We used to have the same problem, but we bought a management platform from ATA that filters out all the false positives and redundant alerts and then gives us our work priorities. It makes it way easier for us to do our jobs. In fact, I should say we can finally do our jobs – we were never supposed to be ‘human alert filterers.’”

“Well, that’s what I am. Apparently our development team is working on some sort of management platform like the one you describe. They keep telling us it’s coming, but at this point I’m beginning to wonder.”

 “So, what are you doing in the meantime?”

“Well, we’re constantly looking for new analysts, but we’re having a really hard time finding people who know what they’re doing. So our team is pretty much overwhelmed all of the time. We try to reduce the alert volume by narrowing criteria and shutting off some product features, which helps a little. On the other hand, we’re creating holes in our defense by doing that, so it’s a bit of a gamble.”

“Why don’t you just buy a management platform like we did? Our SIEM can spit out bad alerts all day long, but I never see them. I just get real events to investigate.”

“I don’t know – my boss says we need something built specifically for our environment, so our development guys are working on it.”

“That’s crazy – that’s like saying you need to build your own firewall because your operations are so unique that commercial ones won’t do. Buy vs. build is no-brainer in this case.”

“Another no-brainer is my career path…I’m updating my resume. Once I hit one-year, I’m gone. You think your company could use me?”

“We’re not looking for new people at the moment. Once we got ATA installed, we found we had enough people to do the job.  You’re smart to start looking though, because MSSPs that keep throwing more bodies at incident response aren’t going to be around very long.”

“What makes you say that?”

“Think about it – while you’re spending tons of money on people to manage alert volume, we can spend that money on things our clients actually care about. Your business model is based on finding and paying bodies, ours is based on delivering services. Who do you think wins in the end?”

“Well, we’re not totally backwards. We’re installing some automation tools that are supposed to help us deal with all these alerts.”

“Yeah, but when your basic process is broken, automation just means you’re doing bad things faster. Wasting time on useless alerts is a bad thing, even if you’re doing it quickly.”

“Thanks a lot. I still have five months before I hit a year at this place, and every day feels like a week by the time I go to bed at night. Sure you can’t use someone like me?”

“Sorry…we’re all set. But I can make tonight go faster for you: Hey bartender…two boilermakers!”