There's Help for CISOs Overwhelmed By Security Threats

CISOs need to bring all of their forces to bear on the growing threat of breaches, advanced persistent threats, and insider attacks. And that’s essential as executives place greater scrutiny on security strategies. Luckily you don’t need to go at it alone. Managed Security Service Providers are proving their worth as trusted, expert partners in the battle against cyber crime. Here’s how they help you address critical security needs.

  • Get a current state analysis of the security threat landscape and common problems
  • Explore best practices for stopping advanced threats and outsourcing to the experts
  • Understand how to find a partner you can trust using a list of key differentiators

You may also be interested in

MSSP Buyer’s Guide: What to look for in a modern managed security services provider

MSSP Buyer’s Guide: What to look for in a modern managed security services provider

Security services can speed threat containment by 50%, but how do you find the best MSSP? Get the 15-point checklist from research firm Nemertes.

Download the White Paper

When it comes to cybersecurity, CISOs need to bring all of their forces to bear on the growing threat of breaches, advanced persistent threats, and insider attacks. Fortunately most executive management is quite aware of these and other cybersecurity challenges and concerns, and are prioritizing efforts to expand security strategies and bolster defense

Cybersecurity: current state analysis

Perhaps your enterprise is making security investments because it is overwhelmed with the ever-increasing number of security alerts to monitor and address. Perhaps it has received a strongly worded memo from a large customer requiring that all “third parties” comply with rigorous new security standards. Maybe your security policies are about to be reviewed by an external auditor or federal regulator. Or, worst of all, maybe your company was the recent victim of a major security breach.

Whatever the cause, CISOs are faced with the questions: “Do I hire more security staff? Do I fire and replace the ones I have? Do I call in a big consulting firm? Do I hire a lawyer? Do I fall on the sword?”

Security is one of those critical concerns every CISO wishes would just go away. Unfortunately, the only way to make security less of a concern is to infuse it into every aspect of the business. Like quality control, to be effective, security must be woven into every key production environment. That integration process requires time, money and talent. But most importantly, it needs leadership from the top. When security is a priority from the executive level down, the entire business becomes an environment working responsibly – taking calculated risks, but only when it makes sense to do so.

CEOs, CFOs, CIOs and other senior executive leaders who fail to take an active role in security put their organizations at risk. It’s not sufficient to simply delegate security management to mid- or lower-level IT staff. The solution needs to involve executive and IT-level collaboration as well as a combination of both internal and external support.

Common security problems

Security managers face a continuous escalation in both the number and sophistication of cyber threats to their companies. In response, most IT departments have deployed firewalls and intrusion-detection systems as standard operating procedures, along with antivirus, web content filtering, encryption and security policies. Yet when it comes to managing new threats or keeping ahead of the latest vulnerabilities, security managers find it hard to stay ahead (see Who’s Behind Breaches?) They cannot adapt quickly enough; nor do they have the resources needed to keep up with emerging threats and to digest the amount of information their SIEM (Security Information and Event Management) systems are generating. Some security issues are more serious than others. Primary cybersecurity threats include hacking, malware, and social engineering.

Leading threats

Hacking, malware, social engineering, error, misuse, physical security

Two opposing forces make the problem difficult. One, there are too few skilled security professionals to hire. And two, advanced threats and critical risks are growing each day. Companies need expertise and technology, but only those with the deepest pockets can afford to manage all the threats internally. Hiring experts, either for short-term triage or for longer-term oversight and monitoring, is one technique companies have been using for years to overcome the time and talent shortfall. But staffing is only part of the solution. Cybersecurity requires not only continuous monitoring, but also the latest technologies to adapt to the changing threat landscape.

Security priorities and concerns:

  • 78% of organizations have at most a moderately effective digital strategy, which has implications for successful cybersecurity
  • 77% of respondents are ‘most concerned’ about the threat of organized cyber crime
  • 38% of respondents did not expect to be compliant with the May 2018 GDPR deadline
  • 25% year-over-year increase in ‘security and resilience’ skills shortage.
  • 23% more respondents than in 2017 are prioritizing improvements in cybersecurity
  • 12% increase in organizations prioritizing the management of operational risk and compliance

Who’s Behind Breaches?

  • Outsiders (73%)
  • Organized criminal groups (50%)
  • Insiders (28%)
  • Nation-state or affiliated actors (12%)
  • Errors (17%)

Outsourcing to the experts

While many IT security functions consist of operational and business-as-usual activities, today’s environment of sophisticated targeted attacks requires specialized expertise. Vulnerability and patch management, antivirus updates, and changing rules in firewalls are mature technological procedures that are already baked in to most security programs. Over the last few decades, most, but certainly not all organizations, have built teams that are experienced in the day-to-day activity required to reduce attack surfaces.

Unfortunately, these tasks cannot be scheduled to fit into a regular work week. Countering advanced targeted attacks is much more like fending off attackers climbing fences than regularly scheduled fence repair. The skill sets of the security experts needed to ward off attackers is harder to obtain, and those with the desired skills are harder to retain.

Factors that could cause decline in cybersecurity posture

In fact, 53% of respondents to the Ponemon Institute 2018 Study on Global Megatrends in Cybersecurity are worried that the inability to hire and retain expert staff could hurt their security efforts (see Factors that Could Cause Decline in Cybersecurity Posture).

While even the smallest organization may train people for operational security tasks, the top security experts get their experience at the most highly threatened and most targeted organizations: large financial institutions, Internet service providers, defense contractors, government agencies and managed security service providers (MSSPs).

Security personnel at MSSPs earn their stripes with constant exposure to the latest threats, which can result in financial losses, disruption of business processes, disclosure of confidential internal information and reputational damage (see Taking a Hit). Because MSSPs are engaged in daily battles on behalf of their many customers, they see more and evolve best practices faster than a single organization can. Among the many tasks that top MSSPs provide, some of the most important are 24/7 monitoring, enhanced protection, advanced threat detection, and compliance. The most successful ones are highly responsive to issues and proactive.

Factors contributing to continuation of an MSP partnership

Taking a hit

  • Successful cyber attacks resulted in:
  • Disruption of business processes (42%)
  • Disclosure of confidential internal information (33%)
  • Reputational damage (25%)

Due to the technologically challenging environment in which MSSPs dwell, they tend to attract security experts. Security experts seek to hone their skills, and they often find that working with many customers is the most challenging and beneficial environment in which to learn. The MSSP enables a security professional to remain engaged and continue to advance in their career.

Moreover, many enterprises cannot offer the high levels of compensation that security experts now command. They simply cannot afford to pay a team of experts to contend with the onslaught of sophisticated attacks. Therefore, when a targeted attack does occur–probably during off hours on weekends or holidays –no one is available to prevent the types of breaches that have made the news (Target, Home Depot, Anthem, and Sony to name a few). By contrast, an outsourced service provider can provide coverage around the clock with entire teams watching network activity

CEOs and CIOs making budget decisions need to balance the cost of maintaining their own staff of security experts, capable of recognizing advanced attacks and taking the requisite steps to mitigate them, against outsourcing to a third-party service provider (see Road Ahead).

$45+ billion: expected size of global managed security services market by 2022

Outsourced MSSPs offer many advantages; among the most critical, the implementation of dynamic and adaptive architectures. While MSSPs have many more security experts on hand than do their customers, they deploy the latest technologies to automate some aspects of threat analysis. That lets their experts focus mainly on the latest attack methodologies. In this way, MSSPs attain threat intelligence and increase the speed of response needed to defend their growing customer base. A particular attack campaign—whether from cyber criminals seeking access to a payment processor, nation-state agents attempting to steal design data, or hacktivists trying to disrupt operations — may use new malware such as “zero-day” vulnerabilities, or sophisticated social engineering.

An MSSP must be prepared for any and all of these techniques.

Stopping advanced threats: managed detection and response

Stopping targeted attacks in the shortest time possible is now among top priorities for managed security solutions. Minimizing reaction time has given rise to enterprise security strategies that aim to expand traditional perimeter protections with approaches that focus on rapid detection and response. These strategies require three actions:

Recognizing when an attack is underway. Finding evidence of an attack, often one that has already penetrated the perimeter, is hard to do when the few data points available are buried in SIEM logs. Only by adding threat context can these nuggets be extracted and recognized for what they are. Threat context must be derived from a global threat intelligence engine that is automating the discovery of malicious IPs, URLs and Key Indicators of Compromise (IoC). Indeed, having actionable intelligence matters a great deal to more than one-third of Ponemon survey respondents (see Factors that Could Cause Decline in Cybersecurity Posture).

Elevating an alert to the top of a stack so that an analyst can respond is no longer sufficient. Evidence of an attack that is coming from a known source, one that may have already been associated with targeted attacks against your industry segment, needs immediate response. Communications with a command and control server must be blocked to prevent the next phase of an attack. Lateral movement toward the ultimate target must be stopped in its tracks. Attacks must be dealt with by automated solutions that take immediate action. This “shoot first, analyze later” approach may be a daunting shift for many organizations. But it is far better for analysts to prepare reports on how attacks were stopped rather than how breaches succeeded.

Most organizations have instituted strong change control processes to address the issue of inadvertent misconfigurations and the growth of undocumented access control lists (ACLs) and firewall policies. While that is a serious issue, frozen change-control processes interfere with the resilience of an enterprise defense. To respond to persistent threats, active security controls should be connected to the threat-context-driven detection system.

Foreknowledge of threat actor tools, methodologies, even motivation provides context to security alerting and response solutions. This threat context paves the way for a responsive and adaptive security posture for every MSSP customer.

MSSP security experts can monitor corporate defenses, observe potential breaches and help customers mitigate an attack quickly. After the attack is thwarted, the MSSP also captures what they’ve learned, then incorporates those insights into its threat-response knowledge base. That way, every customer benefits from the lessons learned. This constitutes a dynamic response that grows with the ever-evolving threat landscape, putting customers on a more solid footing.

Finding a trusted partner

The entire security industry has a tendency towards change and disruption, driven in large measure by the changing threat landscape and the accompanying regulatory regimes being devised to set requirements for minimum security measures. The Managed Security Services market is fragmented, too, with each vendor offering a slightly different set of services and technologies. That can make it difficult for a CISO to conduct apples-to-apples comparisons and craft a clear and comprehensive security strategy.

Ten qualities that differentiate MSP “partner” from “vendor”

There are many types of MSSPs, from computer and enterprise software makers to traditional communications service providers. Also crowding the space are Internet service providers, resellers and integrators, as well as big-name security vendors–all offering some manner of outsourced security services. For this reason, many CISOs find that the bundling of network and security services makes perfect sense.

Organizations counting upon MSP security services

MSSPs: key differentiators

With rare exception, most MSSP services are composed of device management plus SIEM as a service. When the Payment Card Industry (PCI) set standards for merchants and payment processors to monitor and improve security, it inadvertently gave rise to a cottage industry; more than 130 specialized MSSPs now provide vulnerability scanning as a service.

Within those core services, MSSPs differentiate themselves by streamlining their internal operations with efficient reporting, billing and problem escalation procedures in an effort to scale. That leads to downward pressure on pricing as measured by monthly fee per-device-monitored-or-managed. In light of commoditization, MSSPs seek to differentiate along several lines. Some extend their management to other key IT functions: authentication services, managed desktops, managed email and, most recently, defenses against the most advanced targeted attacks.

One MSSP may focus on adding value to a popular software product, while another may focus on detailed network inspection. Both are viable models that attract customers with differing priorities. In the first example, where the MSSP specializes in managing one particular brand of SIEM software, the MSSP either deploys and configures the product on the customer’s premises and then feeds the alerts to their cloud service, or they work with the customer on a shared version of the product that the MSSPs hosts remotely.

In the other scenario, the MSSP may describe its services around next-generation network security. It deploys sensors that provide full visibility into packet traffic on the client’s network. Working from a remote operations center, the MSSP can identify attacks and use a firewall command to block the attacks. This model also lets the MSSP charge a premium over traditional alert and log monitoring services.

Another managed service may deploy and manage custom identity and access management solutions in a hosted cloud service. Even organizations with adequate IT staff, technology and procedures–such as banks, manufacturers, hospitals and government agencies– often need to supplement their own capabilities (see The Buyer-MSP Services Connection). This could be to provide off-hours coverage, consistent reporting for compliance, or a source of expertise when the company encounters new threats. An outsourced service can also provide assurance to senior executives and board members that a third-party expert is providing another set of eyes on the network.

Additional characteristics to look for in an MSSP

  • Business Value: Is the service provider able to quantify the value to your business as well as your IT team?
  • Technical Value: Does the MSSP possess tangible technical expertise that your IT department does not and do those characteristics add value to your security defenses?
  • Effective Information Portals: An MSSP should provide your IT department with a portal that provides a window into support issues, event management and reporting.
  • Broad Service Offerings: Does the MSSP have a broad range of managed services that meshes with all of your IT touchpoints and security requirements?
  • Emphasis on Customer Service: Quality and responsiveness of service are tantamount in the current threat landscape that companies find themselves in.

The buyer-MSP services connection

  • Largest customer group for managed IT services in 2016: The banking, financial services and insurance sector
  • One of the fastest growing services sector: Security

Looking forward, the opportunities for MSSPs and the CIOs who work with them are limitless. There have been several attempts to create a global service offering. Still, consolidation is not the biggest opportunity. Creating services around the latest technology and methodologies is the bigger opportunity. Let’s look at each in turn.

Cloud security: cloud workload protection and CASB

While the traditional MSSP has focused on device- and log-management of on-premise customer equipment, there is a revolutionary move by enterprises to migrate computing and storage to the cloud (see Driving Factors of the Global Managed Security Market). Thus, dozens of cloud security vendors are taking advantage of this move, distinguishing themselves as cloudfocused MSSPs. They adopt those solutions to extend their security coverage to the cloud.

As an example, they can extend their managed detection and response services to incorporate leading solutions that monitor cloud workloads, with their security teams providing 24/7 coverage to triage alerts and execute responses in a highly competent manner. With managed cloud access security broker (CASB) services, MSSPs can also help companies discover and catalog SaaS usage by employees, offering, consistent and scalable controls across the many solutions that work their way into the organization—from Office 365 to G-Suite to Salesforce.

Professional services offer a way to take an MSSP for a trial run

  • Penetration Testing
  • Security Audit
  • Gap Analysis
  • Compliance Testing

Driving Factors of the Global Managed Security Market

  • Rising acceptance of cloud-based services
  • Increasing cyber crimes to aim at enterprise network
  • Growing regulatory obedience and data security laws
  • Security recruitment and budgeting constraint
Megatrends: technologies that will increase in importance
Enabling security technologies Today Future Difference
Artificial intelligence in cyber defense 31% 71% 40%
Threat intelligence feeds 44% 73% 29%
Analytics in cyber defense 33% 59% 26%

Advanced threat defenses: monitor all syslog events

Many MSSPs have evolved to monitor all system log events—a valuable option because it offloads the day-to-day operational security tasks and helps the enterprise achieve more security coverage with a holistic detection and response ecosystem.

In this new world of active defense, security experts actively monitor network traffic, access logs and endpoints, SIEM, vulnerability scanning, cloud workload protection, and CASB. They ingest threat-intelligence feeds from multiple third parties, and they perform security analytics based on their own data from a wide swathe of customers. When they see something unusual on a customer’s network, they immediately segregate the affected machines, lock out any suspected employees, block command-and-control activity from infected machines, and shun network attacks. They’re on the front lines of what is becoming a battleground. For all but the largest organizations, there will be nowhere else to go for such services but to an MSSP.

Artificial intelligence: work smarter not harder

Many forward-looking businesses seek to expand their defenses against advanced threats or to take advantage of cloud storage and computing. Either way, they need new analytical techniques and tools to maintain or reduce their risk exposure. These tools leverage the generational advances in data processing, memory, machine learning and algorithmic data processing that have occurred in the past few years with the rise of big data.

The overwhelming mass of data collected from network monitoring, intrusion detection and endpoint monitoring contains critical information, and the data deluge problem only gets worse when SaaS services like Microsoft Office 365 enter the picture, where the burden of security monitoring and analytics still falls largely on the customer. As security becomes more complex, the need for artificial intelligence increases.

Machine learning and behavior analytics

Correlation, link analysis and big data architectures are leading the way to solve the problem of finding the needle in the haystack—or, as one noted security analyst put it, “finding a particular needle in a stack of needles.” Machine learning automatically detects, tracks and classifies new threats, all without the need for constant human involvement to calibrate rules and update settings. Behavior analytics also identifies abnormal behaviors and alerts security operators in real time. Once the system learns what common network activity looks like in an environment, it can easily identify anomalies without relying on often inaccurate and out-of-date attack signatures.

Security analytics is one of the fastest growing segments of the IT security industry (see Technologies Growing in Importance for Cyber Defense). Drawing on generations of artificial intelligence, machine learning is an excellent complement to managed security services. MSSPs that incorporate machine learning into their security analytics offer a powerful advantage; they can aggregate and analyze vast amounts of threat data over a long period of time to detect attack patterns and behaviors. Some machine learning systems can also conduct multi-dimensional analysis across threat vectors.

All these advances bring with them additional benefits. Now, even small enterprises can enjoy the capability to process very large numbers of network and system events and to proactively apply analytics within their commercial decision-making processes. The application of predictive analysis techniques to information security, originally developed for nationstate and intelligence applications, affords greater control of risk than ever. This lets organizations take advantage of cloud infrastructures and global workforces in ways that would have been deemed too risky with less sophisticated or nuanced technologies.

Recommendations: achieve consistency and reliability in a rapidly changing environment

Outsourcing aspects of security management to an MSSP augments constrained IT resources. When effectively utilizing managed security services, a security department can take a strategic role as a consultative function within the company, including:

  • Advising business units on how to weave security and responsible behaviors into all key business operations
  • Establishing best practices
  • Evaluating critical systems

Outsourcing to MSSP experts also provides immediate coverage in the form of security incident monitoring, responding to problems in real time and reducing the signal-to-noise ratio of security incidents. And in the long term, outsourcing saves the company the cost of constant staff changes, along with the normal turnover that can be expected in a vibrant market for security expertise.

Conversely, building a security program on your own can be fraught with difficulties. Consider these challenges:

  • Auditors and regulators have come to expect a welldesigned system of log retention and review. After all, familiar and common standards—such as COBIT, ITIL, ISO 27001 and by extension, Sarbanes Oxley— all require such logging. General Data Protection Regulation (GDPR) and PCI also require detailed reports and vulnerability scans.
  • Maintaining a staff to continuously monitor and respond to security incidents can be prohibitively expensive. Even finding and retaining staff with the requisite skills can be difficult.

Hackers, hacktivists and nation-states are continually developing new zero-day attacks and outsmarting yesterday’s security technologies. Only with advanced anomaly detection, the latest threat intelligence and continuous monitoring can an MSSP provide access to emerging threat information and a suitable defense.

Rather than investing more and more in advanced solutions and hiring the personnel to manage them, CISOs can turn the task over to a service provider for cost-savings and other benefits (see Evaluating Security Operations Options). This can relieve the organization of having to stay on top of a rapidly evolving threat landscape.

Evaluating Security Operations Options: Build or Buy?

Do It Yourself Security Monitoring MSSP Team
Staffing $80K-150K per employee (need >8) Included
Time-To-Hire 8-14 months Instantly
Tenure <24 months Forever
Coverage 8 hours per day 24/7/365
Tech/Tools Not included: find, eval. procure = $$$$ Included
Compliance Your responsibility = $$ Included
Training Your responsibility = $$$ Included
Threat Intelligence Subscription required = $$ Included
TCO > $85,000 monthly Starts at $5,000 monthly

Complementing an internal IT department with external expert services also enables the CIO to help create an agile and dynamic business environment. MSSPs provide consistency and reliability in a rapidly changing business environment. Meanwhile, regular business activities can continue, including mergers and acquisitions, expansion to new regions with new offices, and the launch of new lines of businesses. While they’re accomplished, the MSSP continues to provide security services. And as the organization rolls out new applications, implements a mobile strategy and moves infrastructure to the cloud–including thousands of sanctioned as well as shadow IT cloud apps—the MSSP can act as a security partner, ensuring that overall corporate risk stays in check.

Let's get started

Call for Sales

+1 (866) 627-3749

Schedule a Consultation