Leveraging Threat Intelligence Gateways for Increased MSSP Efficiency


Bandura Cyber’s Threat Intelligence Gateway (TIG) is an ideal, low-cost solution which enables managed security service providers (MSSPs) to gather telemetry, apply threat intelligence and block threats from countries and botnets at a scale and price point beyond what firewalls, threat intelligence platforms and network intrusion prevention systems can accomplish. In this blog entry, I’ve interviewed Bandura’s Chief Technical Officer, Patrick McGarry, about how MSSPs can leverage Bandura to offer their customers better protection at an affordable and scalable price point.

In general, do MSSPs leverage their threat intelligence for prevention in addition to hunting and detection?

You'd really think that they would ... but as amazing as it sounds, the MSSPs haven't been quick to implement protection. Part of the reason for this stems from the different 'types' of MSSPs as they continue to find their way in a crowded space. For example, MDRs (Managed Detection and Response service providers) tend to despise being referred to as MSSPs even though in many cases there is tremendous overlap. But I think the trend here is obvious: at the end of the day, security requires a holistic approach that combines detection, prevention and response. If an MSSP is able to detect a potential problem ... but then can't easily configure the customer's network to protect against that problem, what use is the MSSP to that customer? I think that question and the obvious answer to it are resulting in more MSSPs realizing that they have to incorporate proper protection schemes in their service offerings - and at suitable scale - in order to compete in a crowded market. To achieve this, forward-looking MSSPs are starting to push protection information to devices like next generation firewalls or endpoint software agents via various rules. But this is challenging for the MSSPs given the limitations of APIs available to them, and more importantly, significant limitations in the number of threat indicators that can be enforced by most next generation firewalls.

What about MSSPs who develop their own collectors based on Snort, Suricata or Zeek? Can they leverage their curated or commercial threat intel at the sensor to block well-known C2 and botnets?

Typically not with the collectors or the sensors themselves, since such things are often passive devices (for example, tied to a SPAN or mirrored port, or running as a monitoring agent) as opposed to being inline elements. That's generally a recurring theme with a lot of the MSSPs out there: they are pretty good when it comes to detection and monitoring, and they try to differentiate based on those capabilities, in different ways. But the obvious answer to the "what now?" or "what next?" question is -- prevention! The good news is that we're starting to see a few of the more advanced MSSPs start to reach out to us in order to be able to answer those questions for their customers, and that's a really positive development for the cyber security industry. Our Bandura Cyber Threat Intelligence Protection Platform and our tagline "making threat intelligence actionable" both resonate well with MSSPs and end customers alike.

How can Bandura Cyber's Threat Intelligence Gateway enable an MSSP to better protect their customers than with traditional firewalls and intrusion prevention systems?

We are providing an immediate "day one" increase in network protection as our solution provides "out of the box" threat intelligence from commercial, open source, industry, and government sources. This is an open and broad approach to threat intelligence compared to traditional firewalls and IPS, which are closed and narrow as their solutions tend to be powered by their own proprietary threat intelligence.

Another important advantage that Bandura Cyber solutions bring to the table is that we offer a set of simple programmatic mechanisms via our APIs to allow for immediate protection schemes even for tens of millions of indicators or more. Our Threat Intelligence Gateway (TIG) is able to achieve protection scales that traditional next generation firewalls and related intrusion prevention systems simply can't touch -- for example, our TIG can easily handle over 150 million real-time threat indicators without skipping a beat -- that is to say, without adversely impacting network performance or network security performance. This compares very favorably to typical firewall indicator numbers, which are just in the low millions for even the highest-end deployments.

The indicators that Bandura Cyber blocks can come from out-of-the-box sources we supply, or they can come from a variety of other available feeds from the likes of the open source community, a variety of ISACs and ISAOs, various industry leaders such as Anomali, Recorded Future, ThreatConnect and others, and of course, any sources that a particular MSSP may have at their disposal, all via simple-to-configure plugins. So if the MSSP (or an MSSP partner) detects something nefarious and wants to act on it, it is trivial for the MSSP to add those indicators for immediate protective effect in our centrally managed devices, without worrying about the network performance impact and without having to interface with cumbersome firewall configuration paradigms.

Does Bandura lower the overall cost of monitoring MSSP customers?

Yes! This is one of the very interesting aspects of the Bandura Cyber solution: we really do, in tangible ways, increase not just the security posture of a network, but we also greatly reduce the total cost of ownership of the security stack. Here are several ways that we lower the overall cost:

  • We block more threats because we have a broader view of threat intelligence. Prevention is always less expensive than having to detect and respond.
  • We significantly reduce a lot of the noise, resulting in fewer alerts that need to be investigated. This increases the efficiency of the MSSP’s service delivery, reduces their costs, and increases their margins.
  • Our APIs and automation capabilities enable the MSSP to rapidly deploy protections to their entire customer base, which not only increases service delivery efficiency and reduces costs but also improves the protection of their service.
  • Our patented solutions do not require specialty, proprietary hardware to run. We run on commodity hardware, which means we can keep our costs under control. For example, our flagship products run on a variety of Dell 1U servers such as the popular Dell R240, R340 and R640 servers, with an off-the-shelf network bypass card installed to ensure no impact to the network in the event of a hardware or power failure.
  • Our cloud-based management platform, GMC, has an MSSP mode that allows for white labeling, so our MSSP customers can leverage all of the same capabilities that we utilize for our own customers, but under the MSSP's umbrella. For those MSSPs that would rather implement hooks into their own, separate software stacks, we enable that with a set of powerful APIs - the same APIs that we ourselves use. This reduces integration costs and allows MSSPs to maintain their brand.
  • Our Bandura Cyber TIG devices are able to export all of their detailed internal log information for packet and DNS allows and blocks alike, via syslog export. Our comprehensive syslog export capability enables trivial, seamless integration with practically any SIEM or SIEM-like solution on the planet. Two of my favorite examples that I tend to highlight in product demos are Splunk, as well as a lesser-known up-and-coming startup called Gravwell. Having this built-in mechanism allows for significantly lower SIEM integration costs, which can otherwise grow unruly.

And last but certainly not least, there's the potential for significant infrastructure savings when the Bandura Cyber TIG is deployed in front of an existing next generation firewall. In that mode, since we can act on tens of millions of threat indicators in real time, we effectively greatly reduce the attack surface out of the gate, and this means that the computing needs of the next generation firewall are greatly reduced, since it looks at many fewer packets. The associated reductions in the computationally intensive deep packet inspection engines mean that end customers can often save on their firewall costs, since they can deploy smaller firewall hardware than they may have otherwise needed. Since firewall costs are heavily correlated to the amount and type of DPI they achieve, requiring fewer or lower-cost firewalls can truly result in a tremendous cost savings for the end user... it is easy to see how an MSSP could differentiate with such strategies, making the MSSP look like a hero to their end customers!
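
To make the mechanics behind the two preceding answers concrete (an inline gateway matching every flow against a very large indicator set, an allow list that overrides blocks so a noisy feed cannot take down a legitimate partner range, and allow/block records emitted in a syslog-friendly key=value form for a SIEM), here is an added example written for this post. It is not Bandura Cyber's code, does not reflect the TIG's internal data structures or its actual log format, and uses constructed indicators and flows drawn from the RFC 5737 documentation ranges rather than real threat intelligence. The design point it shows is that a lookup keyed by prefix length costs one hash probe per distinct prefix length, independent of how many indicators are loaded.

```python
"""Added example (not Bandura Cyber's code): the core loop of an inline
threat-intelligence gateway, reduced to a policy built from indicator feeds,
a longest-prefix lookup, and syslog-style verdict records."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed indicator feeds using documentation-only address ranges.
BLOCK_FEEDS: Dict[str, list] = {
    "demo-botnet-c2": ["198.51.100.7", "198.51.100.8"],     # exact hosts
    "demo-isac-sinkhole": ["203.0.113.0/24"],              # whole network
}
# Exceptions are evaluated before the block list. Constructed: a partner
# /30 that sits inside the blocked /24 and must keep working.
ALLOW_LIST = ["203.0.113.200/30"]


@dataclass(frozen=True)
class Verdict:
    action: str               # "BLOCK" or "ALLOW"
    src: str
    dst: str
    indicator: Optional[str]  # matched network in CIDR form, if any
    feed: Optional[str]       # feed the matched indicator came from


class IndicatorSet:
    """IPv4 indicators bucketed by prefix length.

    Lookup performs one dict probe per distinct prefix length present, so its
    cost does not grow with the number of indicators loaded; only memory does.
    """

    def __init__(self) -> None:
        self._by_len: Dict[int, Dict[int, str]] = {}

    def add(self, indicator: str, feed: str) -> None:
        net = ipaddress.ip_network(indicator, strict=False)
        if net.version != 4:
            raise ValueError("IPv4 only in this example")
        bucket = self._by_len.setdefault(net.prefixlen, {})
        bucket[int(net.network_address)] = feed

    def match(self, ip: str) -> Optional[Tuple[str, str]]:
        """Return (cidr, feed) for the longest matching indicator, else None."""
        addr = int(ipaddress.IPv4Address(ip))
        for plen in sorted(self._by_len, reverse=True):   # longest prefix first
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            key = addr & mask
            feed = self._by_len[plen].get(key)
            if feed is not None:
                return f"{ipaddress.IPv4Address(key)}/{plen}", feed
        return None


def build_policy() -> Tuple[IndicatorSet, IndicatorSet]:
    """Load the constructed feeds into an allow set and a block set."""
    allow, block = IndicatorSet(), IndicatorSet()
    for cidr in ALLOW_LIST:
        allow.add(cidr, "allow-list")
    for feed, indicators in BLOCK_FEEDS.items():
        for cidr in indicators:
            block.add(cidr, feed)
    return allow, block


def evaluate(allow: IndicatorSet, block: IndicatorSet, src: str, dst: str) -> Verdict:
    """Allow-list hits on either endpoint win; otherwise any block hit blocks."""
    for ip in (src, dst):
        hit = allow.match(ip)
        if hit:
            return Verdict("ALLOW", src, dst, hit[0], hit[1])
    for ip in (src, dst):
        hit = block.match(ip)
        if hit:
            return Verdict("BLOCK", src, dst, hit[0], hit[1])
    return Verdict("ALLOW", src, dst, None, None)


def to_syslog(v: Verdict) -> str:
    """Key=value record in the style a SIEM field extractor handles easily."""
    return (f"tig: action={v.action} src={v.src} dst={v.dst} "
            f"indicator={v.indicator or '-'} feed={v.feed or '-'}")


def run_demo() -> list:
    """Evaluate a few constructed flows and return the verdicts in order."""
    allow, block = build_policy()
    flows = [
        ("10.0.0.5", "198.51.100.7"),    # exact C2 host -> BLOCK
        ("10.0.0.5", "203.0.113.10"),    # inside sinkholed /24 -> BLOCK
        ("10.0.0.5", "203.0.113.201"),   # partner /30 inside that /24 -> ALLOW
        ("10.0.0.5", "192.0.2.1"),       # no indicator -> ALLOW
    ]
    return [evaluate(allow, block, s, d) for s, d in flows]


if __name__ == "__main__":
    for verdict in run_demo():
        print(to_syslog(verdict))
```

The allow-before-block ordering is the caveat worth carrying into any real deployment: when an MSSP pushes a partner's indicators to every customer at once, a single over-broad /16 in a feed becomes an outage unless exceptions are enforced ahead of the block set and the resulting ALLOW records are still logged for review.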

Where can readers go to learn more?

Our website, at banduracyber.com, is a great resource for more information on our Bandura Cyber Threat Intelligence Protection Platform. And for MSSPs that would like to reach out to discuss possible synergies, our business development team is always at the ready for any level of discussion. We have a few MSSPs that have started working with us already, and we are seeing a lot of strong movement in the sector, and so we've made a commitment this year to focus on the MSSP environment to extend the ability of MSSPs to move beyond traditional detect-and-hunt schemes, towards the goal of ensuring that threat intelligence can truly be actionable, in real time, and at scale, with our Bandura Cyber Threat Intelligence Protection Platform.