There has been a massive up-swing in the formation, growth and adoption of managed security service providers (MSSP) in recent years. This has been driven by a number of trends such as the ever-growing cyber threat, the increase in the complexity and openness of technology systems, the shortage of cyber security skills (and the resulting difficulty in attracting and retaining good people) and the heightened regulatory and consumer pressures to protect systems and data.
For end-user companies that want to make use of outsourced MSSP services, the increased market availability of cyber security-as-a-service is a good thing: the competition means they can choose service types or service levels that match their needs, save money and gain additional assurance by transferring security monitoring, alert investigation or incident response support to an expert third party.
For others however, there is a need or preference to run security “services” such as monitoring or alert management in-house as part of the operational delivery of the security function, with ties into the IT delivery team, the risk and compliance function and under the control of a permanent management team working with employed security experts.
Irrespective of the reasons for this decision, it is useful to see what market and competitive pressures mean for managed security service providers (see this case-study paper). Their need to survive/prosper and deliver high-quality services in an efficient way is vital for their entire business – and it can provide lessons on how to operate security internally for businesses who are aiming to achieve the same outcomes.
MSSPs must determine the processes and services they are going to offer – to know what is standard and common across customers and what can be customised. Otherwise they run the risk of managing each customer differently and gaining no economies of scale. Moreover, if they don’t know what they are going to be offering how will they shape sales conversations or know what the dependencies are that will drive technology choices?
For in-house teams there is no sales imperative, but there is a need to justify the spend and costs of operation as part of the budget to senior management (in fact as an alternative to outsourcing, running security in-house does need to be “competitive”).
There is also a need to understand what the team is going to do, what they will be trying to achieve and how they plan to do it so that they can specify requirements and make technology decisions based on this; rather than buying technology and then trying to fit “what they do” around its capabilities.
For an MSSP with a large number of customers spread across a finite pool of staff it is imperative to track the amount of time that is spent on each activity. Part of the value of an MSSP for the end user is that they don’t have to retain their own team of highly skilled analysts. But for the MSSP those highly skilled experts come at a cost and that cost needs to be shared across a number of customers and activities in the most efficient way.
The amount of time each analyst spends on a “per customer” basis, or what the minimum/average/maximum time is to deal with each “incoming alert” or “confirmed incident” really matters.
Factors that can affect this are the intuitiveness and ease of use of the technology solutions, but also the degree of automation, standardisation and pre-configuration that can be employed. If the system can do the moving, formatting and processing of data itself, then people don’t have to – they can work from the results of analysis rather than having to perform it themselves.
Having humans gather data, issue the same queries repeatedly, generate reports manually, confirm the presence of indicators of compromise, take a parameter from one system and look it up on another – these all take time and can be done by systems that support the human process in a pro-active way – using automation and providing tools to help orchestrate investigations and response (See this blog post), rather than just sitting waiting to be told what to do by a human operator or answer queries that have been manually submitted.
When Huntsman Security talks to MSSPs offering monitoring or threat detection, they invariably need to be able to host multiple customers on the same technology platform. This provides a number of benefits: it allows the use of common reporting and alerting profiles (e.g. a single point for unifying threat intelligence and rule/policy configuration) and means that operations teams can have a single window across the whole customer estate, as well as drilling in to answer queries or respond to events within a particular customer silo when an alert or threat arises.
This “single technology platform” must provide a robust solution to multi-tenancy, allowing full and effective separation of customer data and the means to deploy different service types, rules, service levels, reporting schedules and data storage requirements in each case based on either the service level or threat profile.
It is easy to assume that for an enterprise customer this isn’t a requirement, but in fact commonly this need does exist. Certainly, it might be possible within a single business to allow for less strict controls on access to/separation of data; but divisions between parts of an enterprise network may still need to be retained and so the same need for some form of multi-tenancy is present. This might arise due to:
In all these cases, making the security toolset and operations too homogeneous will cause problems and lead either to a race to the bottom or to the top – delivering an average level of service to all parts of the business rather than a tailored one. Both are big risks and/or expensive; hence MSSP-influenced multi-tenancy for separate security domains may be the way to go even in the enterprise/end-user space.
One thing MSSPs (in particular new ones) struggle with is making large up-front capital investments. The nature of their business growth plan means that they will onboard customers at a gradual rate. Anything that has to allow for the eventual size of the business and has to be paid for up front is often unworkable, as the ROI is too long and/or the initial cost too high to merit the business case for doing it at all. Also, the “capacity” that has been bought lies unused until those subsequent customers arrive. The solution’s scaling and licensing need to allow a very low start-up cost (or ideally none at all) so that capacity (in terms of technology and licences) can be added as customers come on board and data starts to be gathered and utilised.
This is not quite the same for large enterprises, but similar scenarios do arise.
The roll-out of security controls for monitoring and analytics might progress ‘across’ an organisation, especially a large federated one, in stages; or the use cases or data sets might not all be ready on day one, so will be brought in and activated in a phased way; or the primary security policy enforcement points (domain controllers, firewalls, AV, IDS) might be assimilated into the monitoring and oversight mechanisms quickly, while wider data sources (such as applications or threat intelligence) or other security platforms are part of a subsequent phase. As a business grows, the size and scope of a monitoring solution can, over time, increase in line with demands.
In these situations, the same need to scale up capacity and licence coverage exists as it does in an MSSP bringing on newly won customers or launching new services.
In an MSSP there is a need to define services and response times – who does what, by when and how quickly, and what the outputs are.
In a service provider–customer relationship this allows value to be defined, expectations to be set and contracts to determine service levels. But within an enterprise, between the security operations function and the rest of the business, there is also value in having some pre-agreed “rules of engagement”.
Defining the way services will operate, the timescales and performance targets, and setting expectations with the rest of the business around how quickly things will be handled and what reports/outputs will emerge, means that the service delivery can be visible (security often only gets noticed when there is a problem). It also means that if service/business expectations aren’t being met, management can decide whether the service needs to be reviewed or whether intervention is needed – either raising budgets or headcount, or aiming to reduce the incidence of a certain type of alert or event.
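As an added illustration of the measurements this article says matter (analyst time on a per-customer basis, the minimum/average/maximum time to deal with each alert or confirmed incident, and pre-agreed service targets per customer), the following Python is example code written for this page, not Huntsman Security’s product or code; the tenants, analysts, tickets and service-level targets are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Ticket:
    tenant: str       # customer (MSSP) or business division (enterprise)
    kind: str         # "alert" (incoming) or "incident" (confirmed)
    opened: datetime
    closed: datetime
    analyst: str


# Constructed sample ticket log; tenants, analysts and times are hypothetical.
T0 = datetime(2024, 1, 1, 9, 0)
TICKETS = [
    Ticket("acme", "alert", T0, T0 + timedelta(minutes=10), "ana"),
    Ticket("acme", "alert", T0 + timedelta(hours=1), T0 + timedelta(hours=1, minutes=25), "ana"),
    Ticket("acme", "alert", T0 + timedelta(hours=2), T0 + timedelta(hours=2, minutes=45), "ben"),
    Ticket("acme", "incident", T0 + timedelta(hours=3), T0 + timedelta(hours=6), "ben"),
    Ticket("globex", "alert", T0, T0 + timedelta(minutes=40), "ana"),
    Ticket("globex", "incident", T0 + timedelta(hours=1), T0 + timedelta(hours=11), "ben"),
]

# Constructed per-tenant targets (minutes): each tenant buys a different service level.
SLA_MINUTES = {"acme": {"alert": 30, "incident": 240}, "globex": {"alert": 60, "incident": 480}}


def handling_minutes(t: Ticket) -> float:
    return (t.closed - t.opened).total_seconds() / 60


def tenant_stats(tickets, tenant):
    """Min/avg/max handling time per ticket kind, scoped to one tenant only
    (the multi-tenant separation the article asks for: no other tenant's data is mixed in)."""
    stats = {}
    for kind in sorted({t.kind for t in tickets if t.tenant == tenant}):
        mins = [handling_minutes(t) for t in tickets if t.tenant == tenant and t.kind == kind]
        stats[kind] = {"count": len(mins), "min": min(mins), "avg": mean(mins), "max": max(mins)}
    return stats


def sla_breaches(tickets, sla):
    """Tickets that exceeded the target agreed for their tenant and kind, as (tenant, kind, minutes)."""
    return [(t.tenant, t.kind, round(handling_minutes(t)))
            for t in tickets if handling_minutes(t) > sla[t.tenant][t.kind]]


def analyst_minutes_per_tenant(tickets):
    """How each analyst's time is shared across tenants, for cost allocation and staffing decisions."""
    out = {}
    for t in tickets:
        out.setdefault(t.analyst, {}).setdefault(t.tenant, 0.0)
        out[t.analyst][t.tenant] += handling_minutes(t)
    return out
```

A breach list that grows for one tenant or one ticket kind is the signal the article describes for management: review the service, add headcount or budget, or reduce the incidence of that alert type.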
For enterprises that have decided to in-source their security operations there are clear advantages in “behaving” like an MSSP in terms of how they define what those operations will deliver, how they will work and the technology platforms they use to support them.
MSSPs have to deliver cost-effective and market-leading/advanced security operations services at scale and in a flexible and future-proof/scalable way; and what large enterprise security team would reject any of those attributes as being unnecessary?
Be like a good MSSP, be:
Huntsman Security’s solutions for MSSPs have been geared to provide for these market dynamics – offering true, robust multi-tenancy is just one example. Avoiding the need for multiple screens and consoles, allowing different security policies, alerting regimes and data management across disparate customers or business areas, and keeping data sets separate have shaped the way the technology has evolved; and these things are often hard to retrofit.
The advantages that sound technology platforms provide for an MSSP are likewise available to enterprises that want flexible and cost-effective cyber security.