Enterprises were already moving toward digital transformations at the start of 2020, but the COVID-19 pandemic suddenly threw everything into high gear. Telework, virtual meetings and a host of online transactions – from retail purchases and food ordering to interviewing and onboarding employees – went from being occasional occurrences to being the norm.
With enterprises using the cloud for more and more of their operations, the adoption of “as-a-Service” offerings has grown swiftly in nearly every aspect of technology, including cybersecurity.
The move toward managed security services has some distinct advantages but may also create security gaps for organizations relying on a provider to secure their data.
The security services provided by managed security service providers (MSSPs) tend to be reactive. In the event of an attack, a provider will generally detect and remediate the threat, but the line of defense ends there. A provider may not dig into the motivation behind an attack, get to the bottom of why a particular machine was targeted, or think about how such an attack can be prevented in the future.
Proactive services tend to be missing, especially with regard to threat hunting and information sharing, which are just as critical to securing an organization’s data as detection and response are.
The case for hunting threats
Threat hunting is the process of proactively searching for malware or other attack tools that have managed to evade traditional cybersecurity protections and have taken up residence in a network. They could be sniffing around inside for credentials, lying in wait or surreptitiously exfiltrating sensitive data.
Although firewalls, antivirus software and other security tools and measures deter a lot of attacks, attackers that slip through those defenses go undetected for 197 days, on average.
Some recent studies also have found a gap between what organizations expect of their security tools and how they actually perform. A recent report from Mandiant found that organizations’ security controls detect only 26% of attacks and prevent 33% of them. Fifty-three percent of those attacks infiltrate networks unnoticed, and alerts are generated for attacks only 9% of the time, according to the report.
Organizations streamlining operations through managed services – instead of building and maintaining their own security operations centers (SOCs) – gain advantages such as reducing their mean time to detection and remediation (MTTD/MTTR), but they may not be getting everything they need to fully secure their data. They should be vetting managed service providers (MSPs) and MSSPs to be sure that they deliver essential threat hunting and information sharing capabilities.
Vetting MSSPs: What to look for
In addition to understanding an MSSP’s service delivery model and technology platform, organizations should look for several key features from a provider. An MSSP should try to provide a holistic approach to security, with a full range of experience, tools and techniques beyond simply log monitoring services. It should be able to assess an organization’s risks when helping the organization to define a clear data security strategy.
It should be able not only to collect large volumes of threat data, drawing on external, internal and user-generated sources, but also to ingest and fuse that data into intelligible information that relates what is observed inside the organization to the wider threat landscape.
In order to do that, it needs advanced analytics and automation features that can analyze attacks and the kinds of anomalous behaviors that indicate an attack is underway. A SOC analyst’s job too often involves manual work, especially when investigating an attack or hunting for threats, which can severely slow down the process of interpreting and responding to attacks.
An automated system of data extraction and analysis not only takes a sizable workload off the analyst’s plate, but also greatly improves and speeds up reaction time. It also helps ensure that the alerts it generates flag actual threats, rather than flooding analysts’ inboxes with false positives.
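The fusion and automated triage described in the preceding paragraphs can be illustrated with a small correlation routine. This is an added example, not code from the article or from any MSSP’s platform: it joins three constructed sources (EDR process telemetry, authentication logs and an external indicator feed) on the affected host, weights each finding per source, and raises a pageable alert only when independent sources corroborate each other. Everything below, including hostnames, account names and the indicator list, is constructed sample data; the weights and thresholds are illustrative assumptions.

```python
"""Multi-source finding correlation (added example, constructed data).

Fuses EDR, authentication and threat-intel data per host. A high score
from a single source becomes a hunt lead for analyst review; a high score
corroborated by two or more sources becomes an alert. This keeps one noisy
sensor from paging the on-call analyst on its own.
"""
from collections import defaultdict

# Constructed external indicator feed (TEST-NET-3 address, not a real IoC).
EXTERNAL_IOCS = {
    "203.0.113.50": "listed as command-and-control (constructed entry)",
}

# Constructed EDR telemetry: one record per observed process/network event.
EDR_EVENTS = [
    {"host": "ws-17", "process": "powershell.exe", "parent": "winword.exe", "dest_ip": "203.0.113.50"},
    {"host": "ws-31", "process": "powershell.exe", "parent": "winword.exe", "dest_ip": "203.0.113.50"},
    {"host": "ws-22", "process": "chrome.exe", "parent": "explorer.exe", "dest_ip": "198.51.100.7"},
]

# Constructed authentication log: successful logons with the hour of day.
AUTH_EVENTS = [
    {"host": "ws-17", "user": "svc-backup", "result": "success", "hour": 3},
    {"host": "ws-09", "user": "svc-backup", "result": "success", "hour": 4},
    {"host": "ws-22", "user": "jdoe", "result": "success", "hour": 10},
]


def edr_findings(events):
    """Yield (host, description, weight) from EDR telemetry."""
    for e in events:
        # Office application spawning a shell is a common hunt hypothesis.
        if e["process"] == "powershell.exe" and e["parent"] == "winword.exe":
            yield e["host"], "office application spawned PowerShell", 40
        # Enrich the outbound destination against the external feed.
        if e["dest_ip"] in EXTERNAL_IOCS:
            yield e["host"], f"outbound to {e['dest_ip']}: {EXTERNAL_IOCS[e['dest_ip']]}", 50


def auth_findings(events, off_hours=range(0, 6)):
    """Yield (host, description, weight) from authentication logs."""
    for a in events:
        if a["result"] == "success" and a["hour"] in off_hours and a["user"].startswith("svc-"):
            yield a["host"], f"service account {a['user']} logged on at {a['hour']:02d}:00", 30


def fuse(edr_events, auth_events, alert_threshold=70):
    """Correlate findings by host and assign a verdict.

    Returns {host: {"verdict", "score", "sources", "findings"}} for every
    host with at least one finding. Hosts with no findings are omitted.
    """
    per_host = defaultdict(lambda: {"score": 0, "sources": set(), "findings": []})
    sources = (("edr", edr_findings(edr_events)), ("auth", auth_findings(auth_events)))
    for name, findings in sources:
        for host, description, weight in findings:
            rec = per_host[host]
            rec["score"] += weight
            rec["sources"].add(name)
            rec["findings"].append(description)

    results = {}
    for host, rec in per_host.items():
        corroborated = len(rec["sources"]) >= 2
        if rec["score"] >= alert_threshold and corroborated:
            verdict = "ALERT"       # page the analyst: independent sources agree
        elif rec["score"] >= alert_threshold:
            verdict = "HUNT_LEAD"   # strong but single-source: queue for review
        else:
            verdict = "INFO"        # retain for context, do not interrupt anyone
        results[host] = {
            "verdict": verdict,
            "score": rec["score"],
            "sources": sorted(rec["sources"]),
            "findings": rec["findings"],
        }
    return results


if __name__ == "__main__":
    for host, rec in sorted(fuse(EDR_EVENTS, AUTH_EVENTS).items()):
        print(f"{host}: {rec['verdict']} (score {rec['score']}, sources {rec['sources']})")
        for f in rec["findings"]:
            print(f"    - {f}")
```

With the constructed input, ws-17 is corroborated by both EDR and authentication data and becomes an alert, ws-31 carries the same EDR score but from one source and is queued as a hunt lead, the off-hours service logon on ws-09 alone is recorded as informational, and ws-22 produces nothing. The separation between ALERT and HUNT_LEAD is the point: the automation does the extraction and scoring, while the analyst’s attention is spent on corroborated cases and on hunting through the leads rather than on a stream of single-signal alerts.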
The ability to integrate an organization’s systems is also important, in order to align elements such as security information and event management (SIEM), firewalls, and endpoint detection and response (EDR) into a holistic approach.
And finally, an MSSP should work in partnership with an organization. In addition to assessing an organization’s cybersecurity risks, it should also have a thorough understanding of its internal environment, how its systems work, how IT architecture is deployed and what makes that environment unique. Cybersecurity has no end state; it’s an ongoing process on which an MSSP and an organization must be able to work together.
Partnering with an MSSP can save an organization time and money, relieving in-house staff of some work and sparing the costs of building and operating a SOC, but it shouldn’t come at the cost of thoroughly securing data. Because of this, vetting MSSPs to ensure they will deliver what the organization needs is essential to protecting its networks.