It’s All About the Threat: Five Questions to Ask to Make Sure You Stay Focused

Lack of cybersecurity talent coupled with the increasing complexity of threats and networks, a heightened regulatory environment, and an accelerating pace of innovation is driving many organisations to look outside their walls for cybersecurity protection. 

In fact, Gartner has predicted that the global market for security outsourcing will grow from $12 billion in 2013 to more than $24.5 billion by 2017.

However, finding the resources to address the evolving cybersecurity landscape effectively can be challenging. Today’s attacks are stealthier than ever. To understand and protect against them, organisations need to mobilise every part of their defences, including the services they buy in, to focus on the threat itself.

It’s about gaining visibility and control across the extended network and the full attack continuum – before an attack happens, during the time it is in progress, and even after an attack may have been successful, with information stolen or systems damaged. This new threat-centric model is driving changes in cybersecurity technologies, products and services alike.

The first wave of managed security service providers (MSSPs) focused on getting products and tools up and running, maintenance, upgrades, and training. But today, effective cybersecurity services need to be based on an in-depth and continuously evolving knowledge of the threats themselves, not just the operations of the technology. Reflective of a new era in how we must address cybersecurity, some industry analysts are starting to call this next wave of security services MSSP 2.0.

Depending on in-house security skills, budget, and competing business priorities, you may choose to outsource more or less of your cybersecurity needs. Wherever you fall on the outsourcing continuum, the following five questions can help ensure that the managed security services you evaluate give you the support you need to stay focused on the threat.

1. What types of telemetry data form the basis for your visibility and detection capabilities?
If the answer is simply flow or log data, that isn’t enough. Other data, such as protocol metadata (fields extracted directly from packets traversing the network: server names, URLs, referers, content types), is a rich source of insight into today’s more popular attack methods, such as ‘watering hole’ attacks and phishing campaigns that contain links to malicious sites. A flow record shows only that a host exchanged a few kilobytes with an IP address; HTTP metadata shows that the host fetched an executable from a domain nobody else in the organisation has contacted, via a link on a popular site. Incorporating HTTP metadata into the telemetry model therefore provides the depth of information needed to detect web-based threats. The more relevant data the MSSP has, the more effectively it can zero in on anomalies, and that is the key capability for finding the needle in the haystack.

2. How are you performing analytics on that data?
With the introduction of more data, simple analytics models such as correlating log data against rule sets fall short, particularly if they do not function in real-time. Advanced, real-time big data analytics techniques are essential to leverage the large amounts of data gathered, not just locally across the enterprise but globally through community-based threat intelligence.

This level of analysis does not rely solely on static rules that attackers can learn and evade. It is predictive, using dynamic statistical modelling to identify anomalous behaviour against granular baselines of the customer’s own network, combined with other indicators of compromise (IoCs), to pinpoint likely malicious activity. Statistical models can be evaded too, so baselines need to be re-learned as the network changes and checked against known-bad indicators. Regardless of the number of telemetry sources used, applying robust analytics to the data rather than simple correlation is what raises detection fidelity.
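The following is an added example that is not code from the article, from Cisco, or from any MSSP product. It is a toy telemetry model illustrating both question 1 and question 2 above (and the same capability question 5 relies on): HTTP protocol metadata (server name, referer, content type) is kept alongside the flow-style byte counts, each client is scored against its own statistical baseline rather than a fixed rule set, and a metadata check catches the watering-hole pattern that flow data alone cannot see. All records, host names, field names and thresholds are constructed for the example and are not from the page.

```python
"""Added example, not code from the article or any MSSP product.

A toy telemetry model that keeps HTTP protocol metadata (server name,
referer, content type) next to flow-style byte counts, scores each client
against its own statistical baseline, and applies a metadata check for
the watering-hole pattern. All records below are constructed sample data;
the field names and thresholds are assumptions made for this example.
"""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlparse


def rec(day, client, server, path, referer, ctype, nbytes):
    """One HTTP transaction as a sensor might summarise it (constructed)."""
    return {"day": day, "client": client, "server": server, "path": path,
            "referer": referer, "ctype": ctype, "bytes": nbytes}


# Three days of ordinary browsing from two workstations (constructed).
BASELINE = []
for day, (b1, b2) in enumerate([(40000, 45000), (60000, 55000), (50000, 50000)], start=1):
    for client, total in (("ws-01", b1), ("ws-02", b2)):
        BASELINE += [
            rec(day, client, "intranet.example", "/", "", "text/html", total - 30000),
            rec(day, client, "news.example", "/", "", "text/html", 25000),
            rec(day, client, "cdn.example", "/logo.png", "http://news.example/", "image/png", 5000),
        ]

# The day being scored (constructed). ws-01 fetches a small executable from a
# domain no baseline client ever contacted, reached via a link on the popular
# news site (watering-hole pattern, invisible to byte counts alone). ws-02
# moves a large blob to a previously unseen host (a volumetric outlier).
WINDOW = [
    rec(4, "ws-01", "intranet.example", "/", "", "text/html", 20000),
    rec(4, "ws-01", "news.example", "/", "", "text/html", 25000),
    rec(4, "ws-01", "cdn.example", "/logo.png", "http://news.example/", "image/png", 5000),
    rec(4, "ws-01", "cdn-update.example", "/player.exe", "http://news.example/story",
        "application/x-msdownload", 12000),
    rec(4, "ws-02", "intranet.example", "/", "", "text/html", 20000),
    rec(4, "ws-02", "news.example", "/", "", "text/html", 25000),
    rec(4, "ws-02", "cdn.example", "/logo.png", "http://news.example/", "image/png", 5000),
    rec(4, "ws-02", "files-share.example", "/up", "", "application/octet-stream", 300000),
]

EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}


def daily_features(records):
    """Per (client, day): total bytes and distinct servers, the flow-level view."""
    agg = defaultdict(lambda: {"bytes": 0, "servers": set()})
    for r in records:
        key = (r["client"], r["day"])
        agg[key]["bytes"] += r["bytes"]
        agg[key]["servers"].add(r["server"])
    return {k: {"bytes": v["bytes"], "distinct_servers": len(v["servers"])}
            for k, v in agg.items()}


def baseline_model(records):
    """Per client and feature: (mean, stdev) learned from the baseline days."""
    per_client = defaultdict(lambda: defaultdict(list))
    for (client, _day), feats in daily_features(records).items():
        for name, value in feats.items():
            per_client[client][name].append(value)
    model = {}
    for client, feats in per_client.items():
        # A feature with zero spread gets one unit of slack so a change of
        # one is not reported as infinitely anomalous.
        model[client] = {name: (mean(v), pstdev(v) or 1.0) for name, v in feats.items()}
    return model


def statistical_anomalies(model, window, threshold=3.0):
    """Clients whose features sit more than `threshold` sigmas from their own baseline."""
    out = []
    for (client, day), feats in daily_features(window).items():
        if client not in model:
            continue  # no baseline yet: a separate 'new host' case, not scored here
        for name, value in feats.items():
            mu, sd = model[client][name]
            z = (value - mu) / sd
            if abs(z) >= threshold:
                out.append((client, day, name, round(z, 1)))
    return out


def server_prevalence(records):
    """How many distinct clients contacted each server during the baseline."""
    seen = defaultdict(set)
    for r in records:
        seen[r["server"]].add(r["client"])
    return {s: len(c) for s, c in seen.items()}


def watering_hole_candidates(baseline, window, min_prevalence=2):
    """Executable content from a rarely seen server, linked from a widely used one.
    Needs HTTP metadata: content type and referer do not exist in flow records."""
    prev = server_prevalence(baseline)
    hits = []
    for r in window:
        if r["ctype"] not in EXEC_TYPES:
            continue
        ref_host = urlparse(r["referer"]).hostname if r["referer"] else None
        rare_server = prev.get(r["server"], 0) < min_prevalence
        popular_referer = ref_host is not None and prev.get(ref_host, 0) >= min_prevalence
        if rare_server and popular_referer:
            hits.append((r["client"], r["server"], r["path"], ref_host))
    return hits


def triage(baseline, window):
    """Both detection views over the same telemetry."""
    model = baseline_model(baseline)
    return {"statistical": statistical_anomalies(model, window),
            "watering_hole": watering_hole_candidates(baseline, window)}


if __name__ == "__main__":
    for kind, findings in triage(BASELINE, WINDOW).items():
        print(kind, findings)
```

Run as-is, the statistical view reports only ws-02 (its 300 KB transfer is some 70 sigmas above its own daily baseline), while ws-01’s 12 KB download is well inside its normal byte range and would never surface from flow data; it is the content type and referer fields that flag it as a watering-hole candidate. Both findings come from the same records, which is the point of question 1, and the per-client baseline rather than a global threshold is the point of question 2.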

3. Where do you keep that data and how do you protect it? 
You’ll need to know whether the data is held at the MSSP’s own data centre or in a cloud service, in which jurisdiction, who at the provider can access it, and how long it is retained. Depending on the type of data your organisation has, the compliance requirements you face, and the guarantees the MSSP provides, you’ll need to decide whether the answer is adequate and, if not, whether they can offer an alternative approach.


This is an individual choice for each organisation and must be based on the comfort level of all parties affected from the technical, legal, and business sides of the organisation.

4. What do you report on?
Data is great but you need to be able to understand and act on it. You need a level of assurance that the data is correlated to provide context so that the information you’re getting is relevant to your environment and prioritised. In this way you can focus on the threats that matter most. Time is of the essence when dealing with advanced targeted attacks with a specific mission.

Find out whether the MSSP presents you with only vetted, high-fidelity information, or with an endless list of events that require further analysis and investigation only to turn out to be needless alerts.

5. How can you help protect my organisation against unknown, zero-day attacks?
To detect and protect against zero-day threats you need to be able to go beyond traditional point-in-time approaches with capabilities that let you monitor and apply protection on an ongoing basis across your extended network. That’s where the value of a large set of detection telemetry coupled with predictive analytics and statistical modelling really becomes apparent.

This moves beyond the event correlation that MSSPs have offered for years. In combination, these capabilities can pinpoint nearly imperceptible IoCs and anomalies to help you identify these particularly stealthy and damaging attacks.

Given today’s business, regulatory, and cybersecurity challenges more and more organisations are looking for outside, expert help to protect their environments from cyber attacks. By asking these key questions you can help ensure you’re staying focused on the threats themselves in order to gain the protection you need.

Stories by Ammar Hindi