Highlights and insights from the recent Managed Services Summit in London & the ISACA Central Chapter Conference on Digital Trust, in Birmingham, UK.
With two recent conferences in the space of three days, some interesting challenges were very evident in the topics discussed. Being very different events, the challenges were quite different, but interestingly they both converged at the interface between the security function and the business.
One set of challenges sat within the security function itself: the impact on a security team and its operations of running monitoring and incident handling at scale. The other set sat directly above the function, between security leaders and the executive level of management.
Many of the issues Huntsman Security hears about in conversations with managed security services providers (MSSPs) also resonated with the conference delegates. They relate to the importance of security of course, but also the business challenges that service providers face in operating security teams in profitable and competitive ways.
The biggest topic under discussion was undoubtedly the need to minimise the time taken to get new clients up and running: reducing the delay and effort required to establish services, and shortening the time to revenue. This requires solutions that offer true multi-tenancy (data and configuration separated per customer, rather than just a form of group access control on a shared instance) and that support the onboarding process by allowing standard use-cases and configurations to be mapped across tenants automatically, while still letting the MSSP accommodate the differences each customer will have.
This was followed by the twin needs for flexibility and scalability. These both relate to the suitability of solutions for MSSPs that need to grow their monitoring capabilities as business develops.
One – flexibility – reflects the need to be able to easily accept new technology types and data sources and to be capable of handling the nuances of customer technology stacks over which the provider has limited influence.
The second, scalability, recognises that a successful MSSP can face big step changes in its monitoring load as new customers come on board. It cannot simply buy the biggest box or appliance up front; the return on investment is too distant and too risky. So it needs to scale dynamically, in the way only software solutions and virtualised systems can.
We also discussed the need to demonstrate the value of monitoring services to customers. This means more than rehashing bland, technical outputs from tools and sending them to customers in raw form in the hope they will understand them. More successful MSSPs show their value and expertise with reports targeted at the individual customer's needs, providing clear insight into the investigations, incidents and alerts that have been dealt with, and with recommendations that are comprehensible and realistic. There is a clear correlation between the price a customer is prepared to pay for a service and the visibility that service provides; there is also a strong connection to customer retention.
The other topic discussed affects MSSPs, but also enterprises more widely. The challenge of running successful security operations – proactive and reactive – depends heavily on people, and retaining skilled talent. This is acknowledged, almost universally, as a real challenge in a highly competitive market.
It is not uncommon that instead of focusing their time investigating and resolving threats, SOC analysts can spend much of it trawling through an endless flow of information about risks facing an organisation or, in the case of an MSSP, its customers.
Without a SIEM (Security Information and Event Management) solution to pull data into a single, searchable format, the problem is amplified. Operators presented with multiple consoles showing information in different formats, and then expected to make sense of it manually, will be endlessly looking for patterns and clues in an ocean of data.
Eliminating boring manual activity is important not just to reveal threats quickly but also to avoid those at the coalface feeling like their job is an endless churn of manual and tedious tasks. Laboriously clearing out false positives and gradually sinking under the load of investigating real threats is not a recipe for success for anyone.
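As an added illustration of the two points above (normalising events from different sources into one searchable schema, and applying a standard use-case across tenants while allowing per-customer differences), the following Python is example code written for this page, not Huntsman Security product code. The tenants, hosts, users, IP addresses and log lines are constructed; the brute-force rule and its threshold values are assumptions chosen for the demonstration.

```python
"""Example: normalise two log formats into one schema, tag by tenant, and run
one standard detection rule with per-tenant overrides. Added example, not
product code; all sample data below is constructed."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: two tenants shipping logs in different formats.
# Tenant names, hosts, users and IP addresses are made up.
RAW_LOGS = [
    ("acme", "Mar 12 10:01:02 web1 sshd[211]: Failed password for root from 203.0.113.5 port 5222 ssh2"),
    ("acme", "Mar 12 10:01:04 web1 sshd[211]: Failed password for root from 203.0.113.5 port 5223 ssh2"),
    ("acme", "Mar 12 10:01:07 web1 sshd[211]: Failed password for root from 203.0.113.5 port 5224 ssh2"),
    ("acme", "Mar 12 10:02:00 web1 sshd[212]: Accepted password for alice from 198.51.100.7 port 5300 ssh2"),
    ("globex", '{"ts":"2024-03-12T10:05:00Z","host":"dc01","event":"logon_failed","user":"jsmith","src":"192.0.2.9"}'),
    ("globex", '{"ts":"2024-03-12T10:05:03Z","host":"dc01","event":"logon_failed","user":"jsmith","src":"192.0.2.9"}'),
    ("globex", '{"ts":"2024-03-12T10:05:05Z","host":"dc01","event":"logon_failed","user":"jsmith","src":"192.0.2.9"}'),
    ("globex", '{"ts":"2024-03-12T10:05:08Z","host":"dc01","event":"logon_failed","user":"jsmith","src":"192.0.2.9"}'),
    ("globex", '{"ts":"2024-03-12T10:05:10Z","host":"dc01","event":"logon_failed","user":"jsmith","src":"192.0.2.9"}'),
    ("globex", "this line is not valid JSON"),
]


@dataclass(frozen=True)
class Event:
    """Common schema every source is mapped onto; tenant is always carried."""
    tenant: str
    host: str
    action: str  # "auth_failure", "auth_success" or "unknown"
    user: str
    src_ip: str


SSHD_RE = re.compile(
    r"^\S+ \d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_syslog_sshd(tenant, line):
    """Map an OpenSSH-style syslog line onto the common schema."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    action = "auth_failure" if m["result"] == "Failed" else "auth_success"
    return Event(tenant, m["host"], action, m["user"], m["ip"])


def parse_json_logon(tenant, line):
    """Map a (hypothetical) JSON logon record onto the common schema."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    action = {"logon_failed": "auth_failure", "logon_ok": "auth_success"}.get(
        rec.get("event"), "unknown")
    return Event(tenant, rec.get("host", "?"), action, rec.get("user", "?"), rec.get("src", "?"))


PARSERS = [parse_syslog_sshd, parse_json_logon]


def normalise(raw):
    """Return (events, unparsed). Unparsed lines are kept, not silently dropped,
    so onboarding gaps in a customer's stack are visible."""
    events, unparsed = [], []
    for tenant, line in raw:
        ev = next((p(tenant, line) for p in PARSERS if p(tenant, line)), None)
        if ev is None:
            unparsed.append((tenant, line))
        else:
            events.append(ev)
    return events, unparsed


# Standard use-case (assumed rule): N or more auth failures from one source IP
# within one tenant. Counting is keyed by tenant, so one customer's noise never
# contributes to another's alerts.
DEFAULT_THRESHOLD = 3
TENANT_OVERRIDES = {"globex": {"brute_force_threshold": 5}}  # per-customer tuning


def brute_force_alerts(events, default_threshold=DEFAULT_THRESHOLD, overrides=TENANT_OVERRIDES):
    counts = defaultdict(int)
    for ev in events:
        if ev.action == "auth_failure":
            counts[(ev.tenant, ev.src_ip)] += 1
    alerts = []
    for (tenant, src), n in sorted(counts.items()):
        threshold = overrides.get(tenant, {}).get("brute_force_threshold", default_threshold)
        if n >= threshold:
            alerts.append({"tenant": tenant, "src_ip": src, "failures": n, "threshold": threshold})
    return alerts


if __name__ == "__main__":
    evs, bad = normalise(RAW_LOGS)
    print(f"{len(evs)} events normalised, {len(bad)} unparsed")
    for a in brute_force_alerts(evs):
        print("ALERT", a)
```

The rule is written once and applied to every tenant; the only per-customer input is the override table, which is the shape that lets standard use-cases be rolled out at onboarding without pretending every customer is identical. Lines no parser accepts are returned rather than discarded, which is the check an MSSP wants during onboarding of an unfamiliar technology stack.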
This challenge of staff retention is echoed across the security industry – it’s a perennial problem for security leaders in a tight skills market. For MSSPs where service levels are built into contracts, it holds particular significance.
In contrast, the recent ISACA Central Chapter event was mostly concerned with how the security function interfaces with the wider organisation management structures above it.
We spoke about the need for visibility of the effectiveness of security controls and of cyber resilience. In particular, the evolution toward data-driven cyber security (DDCS), encouraged by the National Cyber Security Centre (NCSC), to improve security outcomes. DDCS speeds up and clarifies reporting on control effectiveness. The improved quality of security information allows security leaders and boards to make better risk decisions based on objective, accurate evidence collected directly from enterprise systems, rather than on subjective interpretations of control settings and often incomplete opinions. We've blogged about this, and NCSC themselves have argued the need for data-driven cyber security as one of the challenges to be addressed in their “Research Problem Book”.
The theme of “working the problem” rather than blindly trusting “instrumentation” arose in other presentations during the day. Knowing what is working and what isn’t is clearly a step forward in assessing and understanding cyber security controls. In presenting this information to the upper levels of management, it must be reliable and relevant to the strategic risk issues that are being discussed.
“Digital trust”, the conference theme, means implementing strategic solutions and initiatives to support the business as it seeks to adapt and grow in a changing world.
The days of security saying “No” are long past. The goal now is to support the business in its risk decision making – do we launch an App, provide an online portal, open up an API to better interface with our suppliers?
The role of the security and compliance function is to enable this to happen, and to ensure that controls and safeguards are in place. Ransomware, one of the biggest and best-understood threats facing businesses, provided some useful examples. The limits of users when it comes to defending against advanced phishing attacks, and the ability of attackers to spread their infection and monetise the result, are well known.
“Trust” means having provisions in place to defend the organisation – to prevent, contain and recover from breaches. But these controls need to be visible and working effectively. The ability of security teams to provide this visibility, and audit functions to assure the business of this, are key.
We spoke to several organisations that were seeking better evidence and assurance of their security controls, and of those of the third parties they rely upon. These security and audit professionals were looking for evidence-based ways to provide this assurance to senior managers and stakeholders without relying on subjective questionnaires and surveys. The industry is clearly moving from eminence-based to evidence-based cyber security reporting. Executives and directors can no longer rely on time-consuming and disruptive manual processes to inform regulatory reporting and oversight responsibilities. Evidence-based reporting ensures that decision makers are presented with timely, actionable information to inform their operational and strategic management requirements; operational resilience is key.
Given the fast-moving and dynamic nature of cyber security, and the scale of business impact that can result when it fails, who could blame executives and directors for seeking the highest possible quality of operational resilience information and reporting?