Lack of cybersecurity talent coupled with the increasing complexity of threats and networks, a heightened regulatory environment, and an accelerating pace of innovation is driving many organisations to look outside their walls for cybersecurity protection.
In fact, Gartner has predicted that the global market for security outsourcing will grow from $12 billion in 2013 to more than $24.5 billion by 2017.
However, finding the resources to address the evolving cybersecurity landscape effectively can be challenging. Today’s attacks are stealthier than ever. To understand and protect against them, organisations need to mobilise all aspects of their defenses to focus on the threat, including services.
It’s about gaining visibility and control across the extended network and the full attack continuum – before an attack happens, during the time it is in progress, and even after an attack may have been successful, with information stolen or systems damaged. This new threat-centric model is driving changes in cybersecurity technologies, products and services alike.
The first wave of managed security service providers (MSSPs) focused on getting products and tools up and running, maintenance, upgrades, and training. But today, effective cybersecurity services need to be based on an in-depth and continuously evolving knowledge of the threats themselves, not just the operations of the technology. Reflective of a new era in how we must address cybersecurity, some industry analysts are starting to call this next wave of security services MSSP 2.0.
Based on in-house security skills, budget, and competing business priorities you may choose to outsource more or less of your cybersecurity needs. Wherever you fall on the outsourcing continuum, when evaluating managed security services the following five questions can help ensure you get the support you need to stay focused on the threat.
1. What types of telemetry data form the basis for your visibility and detection capabilities?
If the answer is simply flow or log data that isn’t enough. Other data, such as protocol metadata (i.e., data extracted directly from packets traversing the network) is a rich source of insights into today’s more popular attack methods like ‘watering hole’ attacks and phishing campaigns that contain links to malicious sites. In these cases, the ability to incorporate HTTP metadata in a telemetry model provides the depth of information needed to help detect web-based threats. With more data the more effective the MSSP will be in zeroing-in on anomalies and that’s a key capability to finding the needle in the haystack.
2. How are you performing analytics on that data?
With the introduction of more data, simple analytics models such as correlating log data against rule sets fall short, particularly if they do not function in real-time. Advanced, real-time big data analytics techniques are essential to leverage the large amounts of data gathered, not just locally across the enterprise but globally through community-based threat intelligence.
This level of analysis isn’t based on rules that attackers can understand and evade, but is predictive and uses dynamic statistical modelling to identify anomalous behaviours from granular, customer network baselines and other indications of compromise (IoCs) to pinpoint likely malicious activities. Regardless of the number of telemetry sources used, applying robust analytics to data rather than simple correlation will make detections high-fidelity.
3. Where do you keep that data and how do you protect it?
You’ll need to understand if the data is held onsite at the MSSP’s data centre or in the cloud. Depending on the type of data your organisation has, the compliance requirements you face, and the guarantees the MSSP provides, you’ll need to decide if the answer is adequate or, if not, if they can offer an alternative approach.
This is an individual choice for each organisation and must be based on the comfort level of all parties affected from the technical, legal, and business sides of the organisation.
4. What do you report on?
Data is great but you need to be able to understand and act on it. You need a level of assurance that the data is correlated to provide context so that the information you’re getting is relevant to your environment and prioritised. In this way you can focus on the threats that matter most. Time is of the essence when dealing with advanced targeted attacks with a specific mission.
Understand if the MSSP is able to present you with only vetted, high-fidelity information versus an endless list of events that require further analysis and investigation only to find these were needless alerts.
5. How can you help protect my organisation against unknown, zero-day attacks?
To detect and protect against zero-day threats you need to be able to go beyond traditional point-in-time approaches with capabilities that let you monitor and apply protection on an ongoing basis across your extended network. That’s where the value of a large set of detection telemetry coupled with predictive analytics and statistical modelling really becomes apparent.
This moves beyond mere event correlation that MSSPs have offered for years. In combination, these capabilities can pinpoint nearly imperceptible IoCs and anomalies to help you identify these particularly stealthy and damaging attacks.
Given today’s business, regulatory, and cybersecurity challenges more and more organisations are looking for outside, expert help to protect their environments from cyber attacks. By asking these key questions you can help ensure you’re staying focused on the threats themselves in order to gain the protection you need.