Has anyone found it helpful to leverage an MSSP for initial triage or would it be best to have them manage the entire process from detection to resolution?
From a security perspective I think the question should be “which would result in a faster response time?”
There are many examples in recent years where intrusions were detected early and a ticket was opened, but the ticket sat in a bucket waiting to be touched for longer than it took the bad actors to exfiltrate data, or for ransomware to spread. Hence the big push for security automation and workflow orchestration in the cybersecurity industry recently. You don’t want your expensive IPS, subscription security services and SIEM to all end up being used only for forensic analysis in the event of a breach.
Each security environment is different, as are the needs of each organization’s workforce (not to mention the capabilities and effectiveness of their prospective MSSPs) so I don’t know if there’s a one-size-fits-all answer to the question, but I think response time should be a critical factor in making decisions about how your security infrastructure is being managed.
I see more and more SOCs deciding to do triage on a possible event before sending/opening the ticket to their MSSP. That way it “should” reduce the amount of time it takes to get an answer on whether it was an FP or a TP.
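The replies above argue that response time is the metric to judge an in-house vs. MSSP arrangement by. One way to actually measure it is to pull detection, first-touch and resolution timestamps out of your ticketing system and compute time-to-acknowledge and time-to-resolve per ticket, flagging anything that sat untouched past an SLA. The script below is an added example and is not code from the thread or from any MSSP; the ticket records are constructed, and the SLA thresholds (30 minutes for high severity, 4 hours otherwise) are assumptions to be replaced with your own.

```python
"""Added example (not from the original thread): measure how long alerts sit
untouched before triage, the response-time metric argued for above.
All ticket records are constructed; the SLA thresholds are assumptions."""
from datetime import datetime, timedelta
from statistics import median

# Constructed sample export from a ticketing system. Timestamps are UTC
# ISO-8601; None means the ticket has not been touched / resolved yet.
SAMPLE_TICKETS = [
    {"id": "T-1001", "severity": "high",
     "detected": "2024-03-01T02:14:00", "acknowledged": "2024-03-01T02:29:00",
     "resolved": "2024-03-01T05:10:00"},
    {"id": "T-1002", "severity": "high",
     "detected": "2024-03-01T03:02:00", "acknowledged": "2024-03-02T09:15:00",
     "resolved": "2024-03-02T17:40:00"},
    {"id": "T-1003", "severity": "low",
     "detected": "2024-03-01T04:00:00", "acknowledged": "2024-03-01T12:00:00",
     "resolved": None},
    {"id": "T-1004", "severity": "high",
     "detected": "2024-03-03T22:45:00", "acknowledged": None,
     "resolved": None},
]

# Assumed SLA for first touch, keyed by severity. Tune to your risk appetite.
ACK_SLA = {"high": timedelta(minutes=30), "default": timedelta(hours=4)}


def _parse(ts):
    """Parse an ISO-8601 string; pass through None and datetime values."""
    if ts is None or isinstance(ts, datetime):
        return ts
    return datetime.fromisoformat(ts)


def ticket_ages(tickets, now):
    """Per-ticket time-to-acknowledge (tta) and time-to-resolve (ttr).

    A ticket nobody has touched is measured against `now`, so it keeps
    accruing age instead of silently dropping out of the statistics.
    """
    now = _parse(now)
    rows = []
    for t in tickets:
        detected = _parse(t["detected"])
        ack = _parse(t["acknowledged"]) or now
        res = _parse(t["resolved"])
        sla = ACK_SLA.get(t["severity"], ACK_SLA["default"])
        tta = ack - detected
        rows.append({
            "id": t["id"],
            "tta": tta,
            "ttr": (res - detected) if res else None,
            "acknowledged": t["acknowledged"] is not None,
            "ack_sla_breached": tta > sla,
        })
    return rows


def response_summary(tickets, now):
    """Aggregate the numbers a manager would actually compare vendors on."""
    rows = ticket_ages(tickets, now)
    ttas = [r["tta"] for r in rows]
    ttrs = [r["ttr"] for r in rows if r["ttr"] is not None]
    return {
        "tickets": len(rows),
        "median_tta_minutes": median(t.total_seconds() for t in ttas) / 60,
        "worst_tta_minutes": max(ttas).total_seconds() / 60,
        "median_ttr_minutes": (median(t.total_seconds() for t in ttrs) / 60
                               if ttrs else None),
        "ack_sla_breaches": sorted(r["id"] for r in rows if r["ack_sla_breached"]),
        "untouched": sorted(r["id"] for r in rows if not r["acknowledged"]),
    }


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives stable numbers.
    for key, value in response_summary(SAMPLE_TICKETS, "2024-03-04T00:00:00").items():
        print(f"{key}: {value}")
```

Run against a real export, the median time-to-acknowledge for the in-house queue versus the MSSP queue answers the "which is faster" question directly, and the `ack_sla_breaches` list is the set of tickets that would have sat long enough for the attacker scenario described above to play out.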