MSSP Architecture - Consolidated

Consolidated deployment model for MSSPs

Written by Muhammad Omar Khan
Updated over a week ago

Overview

The consolidated deployment model gives an MSSP one SIRP instance from which it manages and monitors the security operations of multiple clients (tenants). All tenant data is held on a single centralized SIRP instance hosted at the MSSP end, which provides a unified and scalable approach to security management.


Key Components

  1. SIRP MSSP Instance:
    At the core of the architecture is the SIRP MSSP Instance, deployed at the MSSP end. It is a single instance provided to the MSSP that delivers centralized security orchestration, incident response, and automation.

    All tenant data resides on this appliance, all MSSP SOC analysts work on it, and the same appliance serves as the customer access portal.

  2. Multi-Tenancy:
    SIRP is a multi-tenant platform by design. The MSSP instance lets the MSSP host and manage multiple tenants on a single appliance; switching from one tenant to another is a matter of selecting the desired tenant from a dropdown.

    Each organization within SIRP is a distinct client organization, i.e. a tenant. Every tenant's data is hosted on the same SIRP appliance but is logically segregated: each tenant has its own dashboards, playbook configurations, ingestion sources, access control, and so on. Opening a tenant places you inside that tenant's virtual environment. Because the segregation is logical rather than physical, the appliance's access control is the boundary between tenants, so customer-portal accounts should be assigned only to their own organization.

  3. Secure Connectivity:

    SIRP uses the MSSP's existing connectivity with each customer to pull data from, and push actions to, the customer environment. This is typically a site-to-site VPN.

  4. SIRP Hybrid Appliance:
    For clients with an on-premises security stack or specific infrastructure requirements, a hybrid appliance is offered. A small hybrid appliance is deployed inside the client's environment and integrates with the client's existing security infrastructure (e.g. SIEM, firewall, EDR, proxy, Active Directory). It takes its instructions from the MSSP instance (where all the data is hosted), executes the actions locally, and returns the results to the MSSP instance.

    Like the MSSP instance, the hybrid appliance is shipped as a VMware virtual machine appliance.

  5. Global-View:
    This deployment option lets the MSSP use the "Global" dashboard designed for MSSPs, which presents consolidated statistics from all tenants. The same Global view is available in the other containers as well: in the Incident Management container, selecting "Global" shows Alerts, Investigations, and Incidents from every tenant.

  6. Copy Playbooks:

    The consolidated deployment model also lets the MSSP design a playbook once and deploy it across multiple tenants.
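    The following is an added illustration of the isolation pattern behind points 2, 5 and 6 (multi-tenancy, Global view and playbook copying). It is not SIRP's code and makes no claim about SIRP's internals: it is a small hypothetical model in which one store holds every tenant's records, every read is scoped to the tenant selected in the session, the "Global" view is reserved for MSSP-level users, and a playbook template is copied into each target tenant as a separate tenant-scoped object. The class, role and field names and the sample alerts are all constructed for the example.

```python
"""Tenant-scoped access over one shared data store (hypothetical model, not SIRP's code)."""
from dataclasses import dataclass

GLOBAL = "Global"  # name of the cross-tenant view


@dataclass(frozen=True)
class Alert:
    alert_id: str
    tenant: str
    title: str


@dataclass(frozen=True)
class User:
    name: str
    role: str             # "mssp_analyst" (MSSP SOC) or "customer" (portal user)
    tenants: frozenset    # tenants this user is allowed to open


@dataclass(frozen=True)
class Session:
    user: User
    selected: str         # a tenant name or GLOBAL


class TenantStore:
    """One store for all tenants; isolation is enforced on every access, not at storage."""

    def __init__(self):
        self._alerts: list = []
        self._playbooks: dict = {}   # (tenant, playbook name) -> config

    def add_alert(self, alert: Alert) -> None:
        self._alerts.append(alert)

    def select(self, session: Session, view: str) -> Session:
        """The tenant dropdown: returns a session bound to `view` or raises."""
        user = session.user
        if view == GLOBAL:
            if user.role != "mssp_analyst":
                raise PermissionError(f"{user.name} may not open the Global view")
        elif view not in user.tenants:
            raise PermissionError(f"{user.name} is not assigned to tenant {view}")
        return Session(user=user, selected=view)

    def alerts(self, session: Session) -> list:
        """Alerts visible in the session's current view; the check is repeated on
        every read so a session whose `selected` was tampered with still fails."""
        self.select(session, session.selected)
        if session.selected == GLOBAL:
            return list(self._alerts)
        return [a for a in self._alerts if a.tenant == session.selected]

    def copy_playbook(self, session: Session, name: str, config: dict, targets) -> list:
        """Design once, deploy to many tenants; each copy is keyed by its tenant."""
        deployed = []
        for tenant in targets:
            self.select(session, tenant)          # caller must be allowed into each target
            self._playbooks[(tenant, name)] = dict(config)
            deployed.append((tenant, name))
        return deployed

    def playbooks_for(self, session: Session) -> list:
        self.select(session, session.selected)
        return sorted(n for (t, n) in self._playbooks if t == session.selected)


def demo() -> dict:
    """Constructed sample data: two tenants, one MSSP analyst, one customer-portal user."""
    store = TenantStore()
    for aid, tenant, title in [("A-1", "acme", "Phishing"),
                               ("A-2", "acme", "Malware"),
                               ("A-3", "globex", "Brute force")]:
        store.add_alert(Alert(aid, tenant, title))
    soc = User("soc-analyst", "mssp_analyst", frozenset({"acme", "globex"}))
    acme_portal = User("acme-portal", "customer", frozenset({"acme"}))

    s_global = store.select(Session(soc, "acme"), GLOBAL)      # MSSP staff may go Global
    s_acme = store.select(Session(acme_portal, "acme"), "acme")  # portal user stays in acme

    outcomes = {}
    for label, view in (("cross_tenant", "globex"), ("customer_global", GLOBAL)):
        try:
            store.select(s_acme, view)
            outcomes[label] = "allowed"
        except PermissionError:
            outcomes[label] = "denied"

    deployed = store.copy_playbook(s_global, "phish-triage",
                                   {"steps": ["enrich", "notify"]}, ["acme", "globex"])
    return {
        "global_count": len(store.alerts(s_global)),
        "acme_count": len(store.alerts(s_acme)),
        "deployed": deployed,
        "acme_playbooks": store.playbooks_for(s_acme),
        **outcomes,
    }


if __name__ == "__main__":
    print(demo())
```

    The point to take from the model is where the check lives: the data is one list, and the only thing separating tenants is the authorization check that runs on every read and on every tenant switch, which is why the portal user is denied both a cross-tenant switch and the Global view while the MSSP analyst can aggregate across tenants and push one playbook into several.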

Benefits

  • Centralized Management: security operations for all client environments are run from one instance, with a single set of processes and a single place to administer.

  • Scalability: with multi-tenancy, the MSSP grows its client base by adding tenants to the same instance rather than standing up new infrastructure per client.

  • Flexibility: the hybrid appliance lets clients with on-premises security stacks integrate alongside clients with cloud-based ones.

  • Global-View: a bird's-eye view of statistics from all tenants.

Conclusion

The Consolidated deployment model gives MSSPs a robust and scalable way to manage and monitor the security posture of multiple clients from a single interface. It suits customers who accept that their security data leaves their environment and is stored on the MSSP's instance for analysis and response.

Where a customer requires that its data stay within its own environment, the Distributed Deployment Architecture is proposed instead.
