CISOs need to bring all of their forces to bear on the growing threat of breaches, advanced persistent threats, and insider attacks. And that’s essential as executives place greater scrutiny on security strategies. Luckily, you don’t need to go it alone. Managed Security Service Providers are proving their worth as trusted, expert partners in the battle against cyber crime. Here’s how they help you address critical security needs.
When it comes to cybersecurity, CISOs need to bring all of their forces to bear on the growing threat of breaches, advanced persistent threats, and insider attacks. Fortunately, most executive management is quite aware of these and other cybersecurity challenges and concerns, and is prioritizing efforts to expand security strategies and bolster defense.
Perhaps your enterprise is making security investments because it is overwhelmed with the ever-increasing number of security alerts to monitor and address. Perhaps it has received a strongly worded memo from a large customer requiring that all “third parties” comply with rigorous new security standards. Maybe your security policies are about to be reviewed by an external auditor or federal regulator. Or, worst of all, maybe your company was the recent victim of a major security breach.
Whatever the cause, CISOs are faced with the questions: “Do I hire more security staff? Do I fire and replace the ones I have? Do I call in a big consulting firm? Do I hire a lawyer? Do I fall on the sword?”
Security is one of those critical concerns every CISO wishes would just go away. Unfortunately, the only way to make security less of a concern is to infuse it into every aspect of the business. Like quality control, to be effective, security must be woven into every key production environment. That integration process requires time, money and talent. But most importantly, it needs leadership from the top. When security is a priority from the executive level down, the entire business becomes an environment working responsibly – taking calculated risks, but only when it makes sense to do so.
CEOs, CFOs, CIOs and other senior executive leaders who fail to take an active role in security put their organizations at risk. It’s not sufficient to simply delegate security management to mid- or lower-level IT staff. The solution needs to involve executive and IT-level collaboration as well as a combination of both internal and external support.
Security managers face a continuous escalation in both the number and sophistication of cyber threats to their companies. In response, most IT departments have deployed firewalls and intrusion-detection systems as standard operating procedures, along with antivirus, web content filtering, encryption and security policies. Yet when it comes to managing new threats or keeping ahead of the latest vulnerabilities, security managers find it hard to stay ahead (see Who’s Behind Breaches?). They cannot adapt quickly enough, nor do they have the resources needed to keep up with emerging threats and to digest the amount of information their SIEM (Security Information and Event Management) systems are generating. Some security issues are more serious than others. Primary cybersecurity threats include hacking, malware, and social engineering.
Two opposing forces make the problem difficult. One, there are too few skilled security professionals to hire. And two, advanced threats and critical risks are growing each day. Companies need expertise and technology, but only those with the deepest pockets can afford to manage all the threats internally. Hiring experts, either for short-term triage or for longer-term oversight and monitoring, is one technique companies have been using for years to overcome the time and talent shortfall. But staffing is only part of the solution. Cybersecurity requires not only continuous monitoring, but also the latest technologies to adapt to the changing threat landscape.
Security priorities and concerns:
Who’s Behind Breaches?
While many IT security functions consist of operational and business-as-usual activities, today’s environment of sophisticated targeted attacks requires specialized expertise. Vulnerability and patch management, antivirus updates, and changing rules in firewalls are mature technological procedures that are already baked into most security programs. Over the last few decades, most, but certainly not all, organizations have built teams that are experienced in the day-to-day activity required to reduce attack surfaces.
Unfortunately, these tasks cannot be scheduled to fit into a regular work week. Countering advanced targeted attacks is much more like fending off attackers climbing fences than regularly scheduled fence repair. The skill sets of the security experts needed to ward off attackers are harder to obtain, and those with the desired skills are harder to retain.
In fact, 53% of respondents to the Ponemon Institute 2018 Study on Global Megatrends in Cybersecurity are worried that the inability to hire and retain expert staff could hurt their security efforts (see Factors that Could Cause Decline in Cybersecurity Posture).
While even the smallest organization may train people for operational security tasks, the top security experts get their experience at the most highly threatened and most targeted organizations: large financial institutions, Internet service providers, defense contractors, government agencies and managed security service providers (MSSPs).
Security personnel at MSSPs earn their stripes with constant exposure to the latest threats, which can result in financial losses, disruption of business processes, disclosure of confidential internal information and reputational damage (see Taking a Hit). Because MSSPs are engaged in daily battles on behalf of their many customers, they see more and evolve best practices faster than a single organization can. Among the many tasks that top MSSPs provide, some of the most important are 24/7 monitoring, enhanced protection, advanced threat detection, and compliance. The most successful ones are highly responsive to issues and proactive.
Taking a Hit
Due to the technologically challenging environment in which MSSPs dwell, they tend to attract security experts. Security experts seek to hone their skills, and they often find that working with many customers is the most challenging and beneficial environment in which to learn. The MSSP enables a security professional to remain engaged and continue to advance in their career.
Moreover, many enterprises cannot offer the high levels of compensation that security experts now command. They simply cannot afford to pay a team of experts to contend with the onslaught of sophisticated attacks. Therefore, when a targeted attack does occur, probably during off hours on weekends or holidays, no one is available to prevent the types of breaches that have made the news (Target, Home Depot, Anthem, and Sony, to name a few). By contrast, an outsourced service provider can provide coverage around the clock with entire teams watching network activity.
CEOs and CIOs making budget decisions need to balance the cost of maintaining their own staff of security experts, capable of recognizing advanced attacks and taking the requisite steps to mitigate them, against outsourcing to a third-party service provider (see Road Ahead).
Outsourced MSSPs offer many advantages; among the most critical is the implementation of dynamic and adaptive architectures. While MSSPs have many more security experts on hand than do their customers, they also deploy the latest technologies to automate some aspects of threat analysis. That lets their experts focus mainly on the latest attack methodologies. In this way, MSSPs attain threat intelligence and increase the speed of response needed to defend their growing customer base. A particular attack campaign (whether from cyber criminals seeking access to a payment processor, nation-state agents attempting to steal design data, or hacktivists trying to disrupt operations) may use new malware, “zero-day” vulnerabilities, or sophisticated social engineering.
An MSSP must be prepared for any and all of these techniques.
Stopping targeted attacks in the shortest time possible is now among the top priorities for managed security solutions. Minimizing reaction time has given rise to enterprise security strategies that aim to expand traditional perimeter protections with approaches that focus on rapid detection and response. These strategies require three actions:
Recognizing when an attack is underway. Finding evidence of an attack, often one that has already penetrated the perimeter, is hard to do when the few data points available are buried in SIEM logs. Only by adding threat context can these nuggets be extracted and recognized for what they are. Threat context must be derived from a global threat intelligence engine that is automating the discovery of malicious IPs, URLs and Key Indicators of Compromise (IoC). Indeed, having actionable intelligence matters a great deal to more than one-third of Ponemon survey respondents (see Factors that Could Cause Decline in Cybersecurity Posture).
Elevating an alert to the top of a stack so that an analyst can respond is no longer sufficient. Evidence of an attack that is coming from a known source, one that may have already been associated with targeted attacks against your industry segment, needs immediate response. Communications with a command and control server must be blocked to prevent the next phase of an attack. Lateral movement toward the ultimate target must be stopped in its tracks. Attacks must be dealt with by automated solutions that take immediate action. This “shoot first, analyze later” approach may be a daunting shift for many organizations. But it is far better for analysts to prepare reports on how attacks were stopped rather than how breaches succeeded.
Most organizations have instituted strong change control processes to address the issue of inadvertent misconfigurations and the growth of undocumented access control lists (ACLs) and firewall policies. While that is a serious issue, frozen change-control processes interfere with the resilience of an enterprise defense. To respond to persistent threats, active security controls should be connected to the threat-context-driven detection system.
Foreknowledge of threat actor tools, methodologies, even motivation provides context to security alerting and response solutions. This threat context paves the way for a responsive and adaptive security posture for every MSSP customer.
MSSP security experts can monitor corporate defenses, observe potential breaches and help customers mitigate an attack quickly. After the attack is thwarted, the MSSP also captures what they’ve learned, then incorporates those insights into its threat-response knowledge base. That way, every customer benefits from the lessons learned. This constitutes a dynamic response that grows with the ever-evolving threat landscape, putting customers on a more solid footing.
The entire security industry has a tendency towards change and disruption, driven in large measure by the changing threat landscape and the accompanying regulatory regimes being devised to set requirements for minimum security measures. The Managed Security Services market is fragmented, too, with each vendor offering a slightly different set of services and technologies. That can make it difficult for a CISO to conduct apples-to-apples comparisons and craft a clear and comprehensive security strategy.
There are many types of MSSPs, from computer and enterprise software makers to traditional communications service providers. Also crowding the space are Internet service providers, resellers and integrators, as well as big-name security vendors, all offering some manner of outsourced security services. For this reason, many CISOs find that the bundling of network and security services makes perfect sense.
Organizations counting upon MSP security services
With rare exception, most MSSP services are composed of device management plus SIEM as a service. When the Payment Card Industry (PCI) set standards for merchants and payment processors to monitor and improve security, it inadvertently gave rise to a cottage industry; more than 130 specialized MSSPs now provide vulnerability scanning as a service.
Within those core services, MSSPs differentiate themselves by streamlining their internal operations with efficient reporting, billing and problem escalation procedures in an effort to scale. That leads to downward pressure on pricing as measured by monthly fee per-device-monitored-or-managed. In light of commoditization, MSSPs seek to differentiate along several lines. Some extend their management to other key IT functions: authentication services, managed desktops, managed email and, most recently, defenses against the most advanced targeted attacks.
One MSSP may focus on adding value to a popular software product, while another may focus on detailed network inspection. Both are viable models that attract customers with differing priorities. In the first example, where the MSSP specializes in managing one particular brand of SIEM software, the MSSP either deploys and configures the product on the customer’s premises and then feeds the alerts to its cloud service, or it works with the customer on a shared version of the product that the MSSP hosts remotely.
In the other scenario, the MSSP may describe its services around next-generation network security. It deploys sensors that provide full visibility into packet traffic on the client’s network. Working from a remote operations center, the MSSP can identify attacks and use a firewall command to block the attacks. This model also lets the MSSP charge a premium over traditional alert and log monitoring services.
Another managed service may deploy and manage custom identity and access management solutions in a hosted cloud service. Even organizations with adequate IT staff, technology and procedures, such as banks, manufacturers, hospitals and government agencies, often need to supplement their own capabilities (see The Buyer-MSP Services Connection). This could be to provide off-hours coverage, consistent reporting for compliance, or a source of expertise when the company encounters new threats. An outsourced service can also provide assurance to senior executives and board members that a third-party expert is providing another set of eyes on the network.
Additional characteristics to look for in an MSSP
The Buyer-MSP Services Connection
Looking forward, the opportunities for MSSPs and the CIOs who work with them are limitless. There have been several attempts to create a global service offering. Still, consolidation is not the biggest opportunity. Creating services around the latest technology and methodologies is the bigger opportunity. Let’s look at each in turn.
While the traditional MSSP has focused on device- and log-management of on-premises customer equipment, there is a revolutionary move by enterprises to migrate computing and storage to the cloud (see Driving Factors of the Global Managed Security Market). Thus, dozens of cloud security vendors are taking advantage of this move, distinguishing themselves as cloud-focused MSSPs. They adopt those solutions to extend their security coverage to the cloud.
As an example, they can extend their managed detection and response services to incorporate leading solutions that monitor cloud workloads, with their security teams providing 24/7 coverage to triage alerts and execute responses in a highly competent manner. With managed cloud access security broker (CASB) services, MSSPs can also help companies discover and catalog SaaS usage by employees, offering consistent and scalable controls across the many solutions that work their way into the organization, from Office 365 to G-Suite to Salesforce.
Professional services offer a way to take an MSSP for a trial run
Driving Factors of the Global Managed Security Market
Megatrends: technologies that will increase in importance

| Enabling security technologies | Today | Future | Difference |
|---|---|---|---|
| Artificial intelligence in cyber defense | 31% | 71% | 40% |
| Threat intelligence feeds | 44% | 73% | 29% |
| Analytics in cyber defense | 33% | 59% | 26% |
Many MSSPs have evolved to monitor all system log events—a valuable option because it offloads the day-to-day operational security tasks and helps the enterprise achieve more security coverage with a holistic detection and response ecosystem.
In this new world of active defense, security experts actively monitor network traffic, access logs and endpoints, SIEM, vulnerability scanning, cloud workload protection, and CASB. They ingest threat-intelligence feeds from multiple third parties, and they perform security analytics based on their own data from a wide swathe of customers. When they see something unusual on a customer’s network, they immediately segregate the affected machines, lock out any suspected employees, block command-and-control activity from infected machines, and shun network attacks. They’re on the front lines of what is becoming a battleground. For all but the largest organizations, there will be nowhere else to go for such services but to an MSSP.
Many forward-looking businesses seek to expand their defenses against advanced threats or to take advantage of cloud storage and computing. Either way, they need new analytical techniques and tools to maintain or reduce their risk exposure. These tools leverage the generational advances in data processing, memory, machine learning and algorithmic data processing that have occurred in the past few years with the rise of big data.
The overwhelming mass of data collected from network monitoring, intrusion detection and endpoint monitoring contains critical information, and the data deluge problem only gets worse when SaaS services like Microsoft Office 365 enter the picture, where the burden of security monitoring and analytics still falls largely on the customer. As security becomes more complex, the need for artificial intelligence increases.
Correlation, link analysis and big data architectures are leading the way to solve the problem of finding the needle in the haystack—or, as one noted security analyst put it, “finding a particular needle in a stack of needles.” Machine learning automatically detects, tracks and classifies new threats, all without the need for constant human involvement to calibrate rules and update settings. Behavior analytics also identifies abnormal behaviors and alerts security operators in real time. Once the system learns what common network activity looks like in an environment, it can easily identify anomalies without relying on often inaccurate and out-of-date attack signatures.
Security analytics is one of the fastest growing segments of the IT security industry (see Technologies Growing in Importance for Cyber Defense). Drawing on generations of artificial intelligence, machine learning is an excellent complement to managed security services. MSSPs that incorporate machine learning into their security analytics offer a powerful advantage; they can aggregate and analyze vast amounts of threat data over a long period of time to detect attack patterns and behaviors. Some machine learning systems can also conduct multi-dimensional analysis across threat vectors.
All these advances bring with them additional benefits. Now, even small enterprises can enjoy the capability to process very large numbers of network and system events and to proactively apply analytics within their commercial decision-making processes. The application of predictive analysis techniques to information security, originally developed for nation-state and intelligence applications, affords greater control of risk than ever. This lets organizations take advantage of cloud infrastructures and global workforces in ways that would have been deemed too risky with less sophisticated or nuanced technologies.
Outsourcing aspects of security management to an MSSP augments constrained IT resources. When effectively utilizing managed security services, a security department can take a strategic role as a consultative function within the company, including:
Outsourcing to MSSP experts also provides immediate coverage in the form of security incident monitoring, responding to problems in real time and improving the signal-to-noise ratio of security incidents. And in the long term, outsourcing saves the company the cost of constant staff changes, along with the normal turnover that can be expected in a vibrant market for security expertise.
Conversely, building a security program on your own can be fraught with difficulties. Consider these challenges:
Hackers, hacktivists and nation-states are continually developing new zero-day attacks and outsmarting yesterday’s security technologies. Only with advanced anomaly detection, the latest threat intelligence and continuous monitoring can an MSSP provide access to emerging threat information and a suitable defense.
Rather than investing more and more in advanced solutions and hiring the personnel to manage them, CISOs can turn the task over to a service provider for cost-savings and other benefits (see Evaluating Security Operations Options). This can relieve the organization of having to stay on top of a rapidly evolving threat landscape.
| | Do It Yourself Security Monitoring | MSSP Team |
|---|---|---|
| Staffing | $80K-150K per employee (need >8) | Included |
| Coverage | 8 hours per day | 24/7/365 |
| Tech/Tools | Not included: find, evaluate, procure = $$$$ | Included |
| Compliance | Your responsibility = $$ | Included |
| Training | Your responsibility = $$$ | Included |
| Threat Intelligence | Subscription required = $$ | Included |
| TCO | > $85,000 monthly | Starts at $5,000 monthly |
Complementing an internal IT department with external expert services also enables the CIO to help create an agile and dynamic business environment. MSSPs provide consistency and reliability in a rapidly changing business environment. Meanwhile, regular business activities can continue, including mergers and acquisitions, expansion to new regions with new offices, and the launch of new lines of business. While these are carried out, the MSSP continues to provide security services. And as the organization rolls out new applications, implements a mobile strategy and moves infrastructure to the cloud (including thousands of sanctioned as well as shadow IT cloud apps), the MSSP can act as a security partner, ensuring that overall corporate risk stays in check.