Managed Security Service Providers can alleviate many of the headaches suffered by in-house security, but they need to remain nimble and focused to retain their edge.
A recent report from CyberEdge revealed that 80% of organizations today suffer from a global shortfall in skilled IT security personnel. However, with research also showing that the global cost of cybercrime has now reached over $600 billion, the importance of organizations finding the right combination of people and technology to protect their data and detect threats is significantly on the increase.
The good news from the report is that "for the first time in five years, the percentage of respondents' organizations affected by a successful cyberattack has decreased--from 79.2% to 77.2%."
That's progress, but the slight decrease emphasizes how important it is that security personnel remain nimble and forward-thinking to continue building the advantage over attackers.
Making the cut
To help tackle this need and address the security skills shortage, many organizations outsource their security to Managed Security Service Providers (MSSPs). However, as threats become more advanced and attackers become more persistent, many people are realizing that old, traditional, SLA-based MSSPs simply do not cut it.
"Simply offering better protection isn't enough," said Tony Velleca, CEO of CyberProof, a Managed Security Service Provider. "The best MSSPs work side-by-side with their clients, as an extension of their security team and take a risk-based approach to cybersecurity."
Velleca stated that the best way to approach risk modeling is by using a top-down model, which identifies the primary threats to your business. Your plan should then define the magnitude of the attack and focus on the top two to three attack scenarios.
"Based on that information, we facilitate a business-oriented prioritization of a customer's investment in defense and response," Velleca continued. To ensure that clients spend optimally, CyberProof breaks down risk into distinct categories:
Pre-breach: What you can do before a breach--ensuring you have the right technologies to protect yourself, manage vulnerabilities, and track a constantly morphing threat environment.
Post-breach: What you do ahead of time to prepare for an attack--identify how to detect, respond, and recover faster so as to lessen the impact on your business, operations, and reputation.
Velleca provided the following graph, which depicts a staged approach to customer onboarding to cyber maturation (Figure A):
Velleca explained the six steps entailed in the above chart:
Smart Start: Cybersecurity is complex. Many companies are in a different state of maturity, and the roadmap to reduce cybersecurity depends on the current state. The objective of this phase is to set high-level expectations on timelines and provide recommendations based on previous assessments--as well as sampling to validate the state.
Set up: Our methods are accelerated using our CyberProof Defense Center (CDC) platform that provides transparency and continuous visibility to a company's cybersecurity risk. The platform quickly integrates with a company's existing security devices including SIEM, vulnerability management, threat intelligence, CASB, and other systems. At that point, teams start to respond to incidents using the platform and CyberProof's standard set of playbooks (or customized playbooks after being set up).
Enrich: Using the data from multiple sources, security alerts are enriched with asset criticality, vulnerabilities, active threats, and user/system information--turning alerts into smart alerts.
Tune: In parallel, the security systems (most importantly the SIEM) may be tuned to ensure that required rules are built and optimized to detect relevant attack techniques (itemized using MITRE), and data sources for critical assets are enabled.
Analyze/Automate: Once the data is enriched, the rules are working, and the data sources are validated, it is time to deploy data science. There are two key areas where data science can make the desired impact on your cyber-risk. First, the analysis of smart alerts correlated into groups by time. This analysis, in the context of the company's environments (enriched data), is focused on reducing false positives and automatically creating incidents and assigning them to playbooks.
Second, as teams respond to incidents, data scientists evaluate the way experts perform the response and determine what steps may be automated or the way playbooks may be improved to reduce time to respond.
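One way to implement the Enrich and Analyze/Automate stages described above, as an added example that is not CyberProof's platform or code: raw SIEM alerts tagged with ATT&CK technique IDs are enriched with asset criticality, open-vulnerability count and active-threat status, then grouped per host within a time window, scored to suppress likely false positives, and assigned a playbook. The asset inventory, scoring weights, 10-minute window, threshold and playbook names are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed context an MSSP platform would pull from asset inventory, vulnerability
# management and threat intelligence (all values hypothetical).
ASSETS = {"db01": {"criticality": 3, "open_vulns": 4}, "kiosk7": {"criticality": 1, "open_vulns": 0}}
ACTIVE_THREATS = {"T1110"}  # ATT&CK techniques currently flagged by threat intel
PLAYBOOKS = {"T1110": "credential-attack", "T1078": "account-compromise"}

def enrich(alert):
    """Turn a raw SIEM alert into a 'smart alert' carrying asset and threat context."""
    asset = ASSETS.get(alert["host"], {"criticality": 1, "open_vulns": 0})
    smart = dict(alert, **asset)
    smart["active_threat"] = alert["technique"] in ACTIVE_THREATS
    # Additive score with constructed weights: criticality, capped vuln count, threat bonus.
    smart["score"] = asset["criticality"] * 2 + min(asset["open_vulns"], 3) + (3 if smart["active_threat"] else 0)
    return smart

def open_incident(group, threshold):
    """Return an incident for a time-correlated group, or None if it is likely noise."""
    top = max(group, key=lambda a: a["score"])
    if top["score"] < threshold:
        return None  # suppressed: low-criticality asset, no vulns, no active threat
    return {"host": top["host"], "alerts": len(group), "peak_score": top["score"],
            "techniques": sorted({a["technique"] for a in group}),
            "playbook": PLAYBOOKS.get(top["technique"], "triage")}

def correlate(alerts, window=timedelta(minutes=10), threshold=6):
    """Group smart alerts per host into time windows anchored at each window's first alert."""
    incidents = []
    for host in sorted({a["host"] for a in alerts}):
        group = []
        for a in sorted((x for x in alerts if x["host"] == host), key=lambda x: x["ts"]):
            if group and a["ts"] - group[0]["ts"] > window:
                incidents.append(open_incident(group, threshold))
                group = []
            group.append(a)
        incidents.append(open_incident(group, threshold))
    return [i for i in incidents if i is not None]

# Constructed sample alerts: brute-force burst then logon on a critical database host,
# plus a lone script-execution alert on a low-value kiosk.
T0 = datetime(2019, 1, 7, 9, 0)
RAW_ALERTS = [
    {"ts": T0, "host": "db01", "technique": "T1110"},
    {"ts": T0 + timedelta(minutes=2), "host": "db01", "technique": "T1110"},
    {"ts": T0 + timedelta(minutes=7), "host": "db01", "technique": "T1078"},
    {"ts": T0 + timedelta(minutes=1), "host": "kiosk7", "technique": "T1059"},
    {"ts": T0 + timedelta(minutes=40), "host": "db01", "technique": "T1059"},
]
INCIDENTS = correlate([enrich(a) for a in RAW_ALERTS])  # two db01 incidents; kiosk7 suppressed
```

The kiosk alert is dropped because nothing in its context supports it, while the three database alerts collapse into one incident routed to the credential-attack playbook.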
In terms of where cybersecurity is headed in the new year, Velleca stated that cybersecurity will be on the CEO's mind. "The global shortage of cyber experts will worsen before it improves," he said. "Cyber-risk clarity will become a priority at the board level--with growth in cyber insurance as a result."
Based on client interactions, Velleca has witnessed the following trends:
- Clients are tired of "buying" tools and are starting to focus on the success of integrating and successfully deploying their existing investments. They are looking to MSSPs to help with a broader base of services--some more related to IT Services (integration, for example).
- Many clients, due to ransomware attacks, had to abruptly redirect their energy and are now returning to implement their security maturity roadmaps. Some are re-evaluating their roadmaps altogether as a result. MSSPs will be required to take on broader responsibility for the overall maturity.
- As security teams plan to leverage more and more data to detect threats (zero trust model) and need to archive this data for longer periods, the current SIEM solutions are not cost effective. Larger companies are venturing into open source solutions (e.g. ELK) to satisfy their needs. Companies are seeking MSSPs with flexibility in terms of SIEM solutions--and ideally with expertise and abilities to manage these open source SIEM solutions.
- As companies move to the cloud, the security teams' skills are vastly different. Companies are looking to MSSPs to help to define their security architectures but also provide cost-effective means of securing clouds, endpoints, and conventional network environments--altogether without the need for purchasing more and more security solutions.
- Ransomware has created an association between security incident response and disaster recovery. At the same time, companies are focused on orchestrating and potentially automating portions of the incident response to address the global shortage in cyber expertise. As a result, MSSPs must include more automation as part of their services.
"Finally," said Velleca, "the lack of skilled talent is driving firms to look for more flexible staffing models--and expecting attrition. MSSPs may need to relook at their business models to enable the flexibility clients are seeking."