
Managed Security Services (MSS) and Eyes on Glass in the Real World

October 11, 2018

“Eyes on glass” is a common phrase in SIEM log review and managed services, but it is often misunderstood. The lay notion is that someone with a low level of skill watches a large quantity of log data to see whether something important appears that requires escalation. In practice, “eyes on glass” means logging directly into the client's own security products to investigate, which requires a high degree of skill and familiarity with each client's unique technologies and is not commonly included in managed services.

Optiv MSSP Overview 

Optiv has a robust solution set for Managed Security Services, 24x7x365: 

Figure: Optiv MSSP Actionable Services (flow diagram)

As the flow diagram above shows, Optiv MSSP is geared towards actionability: a continual process of tuning log and alert data and rules to improve processing, threat correlation and escalation, with research and response for the client on prioritized events and incidents.


A Security Information and Event Management (SIEM) solution is designed to collect log data and provide real-time analysis that alerts on events requiring security management (e.g. a virus infection or a brute force attack attempt). A Managed Security Service Provider (MSSP) provides security monitoring and management, which may include review, research and response to alerts and data collected from a SIEM. For example, a client may use an endpoint product that detects a possible virus and generates a log entry and alert; the SIEM collects it and forwards it to the MSSP for research and response. At this point the MSSP does not have “eyes on glass” access to the endpoint product itself; it has only the alert or log data forwarded from the client's endpoint product and SIEM.

One of the key ingredients for MSSP success is proper log ingestion. All too often logs are not collected at all, whether syslog, firewall, antivirus, IDS/IPS, Windows Active Directory or others. When logs are sent to the SIEM and MSSP, what information do they contain? It is not uncommon to see logs and alerts that report only the IP address associated with a phishing domain when the entire URL, domain included, could have been reported instead. Configuring log sources to include the maximum useful metadata is critical to enabling research and response, as well as orchestration and automation, for potential threats.
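A simple way to catch the "logs are not collected" problem before an incident does is to compare the sources actually reporting into the SIEM against an inventory of the sources that should be. The following is an added example, not Optiv's tooling or anything from the original post; the source names, per-source silence thresholds and the events are constructed for illustration, and it assumes events can be exported from the SIEM as (source, timestamp) pairs.

```python
"""Log-source coverage check: which expected SIEM feeds have gone silent?

Added example (not Optiv's code). Assumes SIEM events are available as
(source, ISO-8601 timestamp) pairs. Inventory, thresholds and events below
are constructed for illustration.
"""
from datetime import datetime, timedelta

# Expected feeds and the longest gap each may go without an event before it
# is treated as silent. Thresholds are assumptions chosen per source type:
# a firewall is chatty, an AV console reports far less often.
EXPECTED_SOURCES = {
    "fw-edge-01": timedelta(minutes=5),    # perimeter firewall
    "av-console": timedelta(hours=1),      # antivirus management server
    "ids-core": timedelta(minutes=15),     # IDS/IPS sensor
    "dc-01": timedelta(minutes=10),        # Windows Active Directory DC
    "vpn-gw": timedelta(minutes=30),       # VPN concentrator
}

# Constructed sample events as (source, timestamp). Note that dc-01 never
# reports at all and unknown-host was never inventoried.
SAMPLE_EVENTS = [
    ("fw-edge-01", "2018-05-10T13:58:00"),
    ("fw-edge-01", "2018-05-10T14:09:30"),
    ("av-console", "2018-05-10T09:00:00"),   # last seen over five hours ago
    ("ids-core", "2018-05-10T14:01:00"),
    ("vpn-gw", "2018-05-10T13:50:00"),
    ("unknown-host", "2018-05-10T14:05:00"),
]

# Fixed "now" so the example is reproducible offline.
NOW = datetime.fromisoformat("2018-05-10T14:10:00")


def last_seen(events):
    """Return {source: latest timestamp seen} for the given events."""
    seen = {}
    for src, ts in events:
        t = datetime.fromisoformat(ts)
        if src not in seen or t > seen[src]:
            seen[src] = t
    return seen


def coverage_report(events, expected, now):
    """Classify expected sources as healthy, silent or never seen.

    silent:      (source, minutes since last event) where the gap exceeds
                 the source's threshold
    never_seen:  inventoried sources with no events at all
    unexpected:  sources reporting that are not in the inventory (worth
                 adding to the inventory, or investigating)
    """
    seen = last_seen(events)
    silent, never = [], []
    for src, max_gap in expected.items():
        if src not in seen:
            never.append(src)
        elif now - seen[src] > max_gap:
            gap = now - seen[src]
            silent.append((src, int(gap.total_seconds() // 60)))
    unexpected = sorted(set(seen) - set(expected))
    return {"silent": silent, "never_seen": never, "unexpected": unexpected}


def run_check():
    """Run the report against the constructed data."""
    return coverage_report(SAMPLE_EVENTS, EXPECTED_SOURCES, NOW)


if __name__ == "__main__":
    report = run_check()
    for key, items in report.items():
        print(f"{key}: {items}")
```

Run against the constructed data, the report flags av-console as silent (310 minutes without an event against a one-hour threshold), dc-01 as never seen, and unknown-host as an unexpected source. The per-source threshold matters: a single global "no events for an hour" rule would miss a firewall that stopped logging 50 minutes ago.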

Below is an obfuscated example of a default alert that is then improved to be more actionable for security research and response: 

Default Alert Data: Phishing Threat IP
May 10, 2018 2:10 PM

Tuned Alert Data: Phishing Threat IP
May 10, 2018 2:10 PM

In the example above the tuned alert contains the entire URL (protocol, domain and URI path), which is far more actionable than the IP address and warning name alone in the default alert.
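To make the difference concrete, the following added example (not from the original post or Optiv's platform) parses both styles of alert and lists what an analyst or an automation playbook can actually do with each. It assumes alerts arrive as key=value text, a common syslog-style layout; the field names, the documentation-range IP and the reserved-TLD URL are all constructed.

```python
"""Default vs tuned phishing alert: what indicators can be acted on?

Added example (not Optiv's code). Assumes alerts are key=value text with
space-separated fields. Sample alerts, field names, IP (TEST-NET-3) and URL
(.invalid TLD) are constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed alerts. The default alert carries only an IP; the tuned alert
# carries the full URL as well.
DEFAULT_ALERT = "name=Phishing Threat IP dst=203.0.113.45 ts=2018-05-10T14:10:00"
TUNED_ALERT = (
    "name=Phishing Threat URL dst=203.0.113.45 "
    "url=https://login-example.invalid/secure/auth.php?acct=1234 "
    "ts=2018-05-10T14:10:00"
)

# key=value pairs whose values may contain spaces; a value ends where the
# next ' key=' begins. The lookahead needs whitespace before the key, so
# '?acct=1234' inside the URL is not mistaken for a new field.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_kv(line):
    """Parse a key=value alert line into a dict."""
    return dict(_KV.findall(line))


def indicators(alert):
    """Extract indicators from an alert; missing ones are None."""
    fields = parse_kv(alert)
    ind = {"ip": None, "url": None, "scheme": None, "domain": None,
           "path": None, "query": None}
    if "dst" in fields:
        # ip_address() raises ValueError on garbage, which is what we want
        ind["ip"] = str(ipaddress.ip_address(fields["dst"]))
    if "url" in fields:
        u = urlsplit(fields["url"])
        ind.update(url=fields["url"], scheme=u.scheme, domain=u.hostname,
                   path=u.path, query=u.query)
    return ind


def research_actions(ind):
    """What research and response the available indicators support."""
    actions = []
    if ind["ip"]:
        actions.append("check IP against threat intel and firewall logs")
    if ind["domain"]:
        actions.append("domain reputation lookup; block at proxy and DNS")
    if ind["url"]:
        actions.append("search proxy logs for the exact URL to find users who clicked")
        actions.append("submit full URL for takedown / sandbox analysis")
    if not ind["domain"]:
        # An IP alone may be shared hosting or a CDN edge: blocking it can
        # break legitimate sites, and the phishing page cannot be located.
        actions.append("GAP: no domain or URL; IP may be shared hosting, "
                       "cannot safely block or locate the phishing page")
    return actions


if __name__ == "__main__":
    for label, alert in (("default", DEFAULT_ALERT), ("tuned", TUNED_ALERT)):
        ind = indicators(alert)
        print(label, ind)
        for a in research_actions(ind):
            print("  -", a)
```

The default alert yields one indicator and a gap; the tuned alert yields the scheme, domain, path and query, which is what lets a playbook block the domain, search proxy logs for the exact URL and identify who clicked. The caveat in the gap message is real: blocking on an IP that turns out to be shared hosting or a CDN edge is a common self-inflicted outage.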

Scale and Efficiency 

True “eyes on glass” is not a scalable service. Each client runs its own software and products, configured in its own way to meet its security needs, and supporting those customized configurations and technologies is expensive and time consuming. This is why proper tuning of detailed log data from multiple solutions is critical to MSSP operations, whether internally or externally managed. It is far more efficient to configure log sources to send as much relevant data as possible than to have an employee or service provider perform “eyes on glass” investigations on each device or software service used within an organization.

Recommended SIEM Data 

Optiv MSSP recommends the following SIEM data related to four primary categories of controls: 

Table: recommended SIEM data sources, grouped by four primary categories of controls

Items in bold are common pillars of enterprise security programs and core to MSSP operations. Each type of log has value in research and response. For example, reviewing VPN logs together with Active Directory authentication logs may reveal attempted compromises of an account and the actions taken with it.

Key Elements for MSSP Success 

In order for an MSSP to be successful the following must be available: 

  • Storage Space – log data from a single organization can easily reach 1 TB per day, so SIEM storage and retention must be sized accordingly. 
  • Updates – Updates to signature-based solutions, such as anti-virus software, are critical to real-time visibility and detection of threats. 
  • Baseline Configuration – A baseline configuration must be established to ensure each source is configured and operating as intended. This is key to maximizing the log data sent to the SIEM and MSSP via alerts. 
  • Authorized Access – Should “eyes on glass” be required, working authentication for authorized individuals is essential. All too often credentials change, or are managed in such a way, that it is not possible to authenticate into an environment to perform additional research and response. 
  • Incident Response – Teams, internal and external, are likely required to handle incidents that go beyond the scope of MSSP alerting. 

Closing Comments 

“Eyes on glass” is sometimes required to dive deeper into a threat during research and response. For daily operations, the most cost-effective monitoring approach is to properly configure and tune detailed alerts sent to the SIEM and MSSP, enabling research and response. This is an ongoing process, not a one-time configuration: it must be continuously updated as software updates and the threat landscape change the client environment. Properly allocating resources to this function is critical to the effectiveness of this first line of defense for threat visibility and incident response.


By: Ken Dunham

Senior Director, Technical Cyber Threat Intelligence
