Defending your business from cyber-attack requires a sophisticated security strategy – one that covers everything from DDoS protection, Web application firewalls, and security information management to data loss prevention and much more.
Given the complexity, cost, and scarcity of talent, an increasing number of organizations are considering outsourcing to MSSPs (Managed Security Service Providers).
But what’s the best course of action for your organization? Tony Velleca, CEO of CyberProof, offers his thoughts about the top issues to consider in deciding whether to outsource to an MSSP or maintain a team in-house.
1. It’s Not Just About Regulatory Compliance
Outsourced providers today are mostly focused on meeting regulatory compliance requirements at the lowest possible cost. It’s sort of like auto insurance: customers will always want the cheapest policy.
But what happens if you wreck your car? What if your car starts to need attention more frequently, or your kids start driving it? What if you end up buying a more expensive car? At some point, you’re going to want better insurance. Yet when it comes to cyber defense, companies want better protection – but still don’t want to pay more for the service. They are looking for the most effective cyber defense solutions at the lowest price.
Outsourcing still offers the best value for spend. But the next generation of managed services must do better: they must provide top service, both in terms of the breadth of attacks they can detect, and the speed at which they detect and respond.
Complicating the matter is the fact that cyber security is not a one-size-fits-all problem anymore. In times past, a generic approach might have been okay but today, it’s all about continuous operational improvement. That means that to be effective, an approach has to be completely client-focused. It must take into account the client’s environment, and the threats that client cares about – and then adapt to changes as they occur.
“It’s a question of share-sourcing, because you can’t effectively split the skills you need to run an operation,” says Velleca. “What is needed is sharing higher-end talent, which means sharing access to the experts who have seen a multitude of attacks.”
If you choose the right MSSP, you can have a team of data scientists working for you, using advanced AI (artificial intelligence) to develop algorithms that allow your organization’s cyber defenses to be maximally effective – without the prohibitive OpEx and CapEx that would be necessary to maintain a comparable in-house team. Whereas the old-school MSSP models focused on outsourcing tier 1 and tier 2 activities, the new model includes the most advanced capabilities.
2. And It’s Not Just about People Anymore
Once upon a time, security strategy and risk management primarily focused on prevention. Build strong defenses, we were told, and you’ll keep the bad guys out. But prevention is inherently flawed, because even if you are 99 percent protected – there is still a high risk of breach. The hackers have patience; they have time. And they know they’ll uncover the vulnerability eventually. So the strategy has started to move away from prevention toward rapid detection, response, and recovery.
“The focus of security strategy has now shifted to facilitating the quickest possible MTTD and MTTR [Mean Time to Detect and Mean Time to Respond],” Velleca explains. “And that’s where AI comes in. To increase speed, it’s essential to automate as many steps as possible. Things analysts do manually can be handled automatically in a fraction of the time.”
Augmenting an existing team with additional experts is not only too expensive for many organizations, it is also less effective, particularly as they are not needed all the time. And more and more of your operational defenses must be “automated humans” because humans simply can’t process the information as fast as computers can process data. Computers, on the other hand, are only as smart as the people they are learning from – so the best bet is to have the most experienced, most knowledgeable cyber professionals “training” them.
Working with an MSSP can provide an organization with these crucial capabilities, which represent the optimal approach to avoiding data loss due to a breach. But fair warning: Not all MSSPs are created equal. If you’re talking to different providers, make sure to learn about their AI and machine learning expertise.
AI and machine learning have additional significance with the recent implementation of the GDPR, whose requirements limit what kinds of data can be shared with individuals situated in other countries. MSSPs have an advantage where they have the AI capabilities to develop bots that can handle a variety of security actions. Use of bots offers a way around some of the new GDPR restrictions.
3. Threat & Vulnerability Intelligence – Make It Part of Your Operation
When we talk about operational security, we mean not only collecting data but knowing how to use it, reducing vulnerability risks as part of the operational requirement. You want to be able to fix problems as they occur and this means going end to end – using data coming from the system as part of your SOC operations to manage the risk of vulnerabilities and threats.
“Most companies spend too much on prevention technology and not enough on the basics like managing vulnerabilities. Taking a lesson from the art of war – ‘know thy self, know thy enemy’ – an effective strategy depends on knowing your vulnerabilities and knowing your threats,” Velleca points out. “An understanding of vulnerabilities is challenging particularly in larger organizations, because things are constantly changing. Hackers are waiting for these types of mistakes – so, for example, a quarterly penetration test and annual red team are not enough anymore.”
Gartner’s latest Magic Quadrant Report for managed security services worldwide points out that end-to-end management – including scanning, prioritization, and patching on behalf of the customer – may be part of some MSSP offerings, but are not common across all providers. In choosing an MSSP, look for one that is focused on these capabilities.
4. Those Who Have Experience – and Those Who Do Not
It happens again and again: an in-house team looks at a set of data and does not see any indication of a threat. But then an experienced cyber defense professional from outside the company has a look, and is able to identify the threat within minutes.
Experienced cyber defense professionals notice the patterns. They understand how a hacker thinks. Someone coming from an infrastructure or network operations background simply thinks differently – it’s not the same mindset. So if you’re working with a team that’s coming primarily from IT, this begs the question: Do you have the experienced talent you need for effective cyber defense?
The reality is that there’s a global shortage of cyber security experts who have relevant experience. While the large, higher profile corporations can perhaps pull in top talent, smaller organizations simply don’t have that option. And even the largest organizations – with the budget to maintain experts in-house – find it hard to get them to stay.
The leading people in cyber security are invariably drawn to environments with a strong flow of complex incidents. Frequently they prefer working for MSSPs, where the action is drawn from a wide customer base with diverse requirements and encounters – giving them ongoing exposure to a range of bad actors and security challenges.
“Security service providers often provide the low end of cyber defense – passing difficult incidents to the client. But it’s the experienced talent that is hard to find. The people with experience in attack and defense who know how to see new attack patterns, conduct forensic investigations, or search for clues in the darknet,” Velleca emphasizes. “Unless you are a large financial institution under constant attack, you can’t retain these people.”
5. Must It Be All or Nothing?
Today, customers want aspects of security to be augmented without losing the advantages of an internal team approach. Perhaps, for example, security operations use a “follow the sun” model so night hours are handled externally. Or certain kinds of upper tier security positions are offered as an extension of an internal team.
However, providing this kind of solution isn’t easy. It requires security operations orchestration and automation capabilities that are purpose-built for managing flexible, outsourced operations. Providing a managed service with performance guarantees requires an automated SOC operations platform –ChatOps based – with mechanisms for smooth collaboration that include operations management.
“More and more, our clients are demanding more flexible models where the managed provider operates as an extension of the employees,” Velleca says, adding, “There is a palatable fear that an organization may lose its existing security expertise when they outsource. In particular, larger-scale operations find it worthwhile to consider augmenting their in-house teams, retaining expertise internally but also filling in gaps to keep those team members happy.”