From Equifax to Yahoo, and Facebook to Marriott, large-scale data breaches impacting hundreds of millions of consumers have received their fair share of media attention in recent years. All this ink hasn’t been spilled (or pixels displayed) in vain: there’s growing awareness among business leaders of the security and privacy risks their organizations face, and increasing concern that their preparedness may be inadequate. In a recent PwC survey, for example, 72% of CEOs worldwide listed cybercriminal activity as a significant threat to their businesses, yet only 35% were comfortable with their organization’s digital resilience and readiness to face such threats.
Especially among small and mid-sized enterprises, the growth in awareness of the severity and urgency of cybersecurity risks is driving demand for managed security services. Organizations are increasingly turning to external vendors to help them build, maintain, and monitor their security operations programs and the technologies that comprise them. It’s a logical and understandable impulse: in the face of proliferating threats, business leaders want to call upon industry “experts” to reduce their risks and boost resilience.
Outsourcing cybersecurity monitoring and incident response is a particularly attractive option in industries where regulatory compliance requirements dictate how and where companies can store data, what kinds of logs and audit trails must be maintained, and which technologies they need to have in place. It’s tempting to believe that hiring a managed security service provider (MSSP) will guarantee your compliance and safeguard you against all risks.
Today’s realities are more complex, however. Though MSSPs can remotely manage the security of your IT infrastructure, they can’t offer ironclad assurance that no vulnerabilities will ever exist. In case of a breach affecting your customers’ data, it’s your company – not your MSSP – that will be held liable for any financial penalties you incur. Although your vendor can advise you on best practices and offer guidance in terms of which technologies to deploy, they can’t promise that your employees will practice good password hygiene. And although your MSSP can assume primary responsibility for security monitoring in your environment, this may or may not save your internal IT team time if they’re escalating large volumes of false positive alerts back to you for investigation.
When it comes to actual risk reduction, the most effective MSSPs are those that build strong relationships with their client organizations. For many business leaders, however, it can be challenging to assess the quality of the collaborative partnership they have established with a vendor. How can you tell if your MSSP is truly reducing your organization’s vulnerability to cybercrime? While a lack of escalations may make it seem as though your risks are low, how can you be confident that malicious activities are never being missed? Does your MSSP proactively evaluate all alerts, or only engage reactively?
What are warning signs that you may in fact be more exposed than you’d think? We’ve put together a list of the five most important questions to ask yourself – and your IT and risk management team.
#1: Is your MSSP meeting your organization’s unique needs? Or is there a mismatch between what they’re offering and what you require?
MSSPs may deliver a number of different services. Some are of high quality, and may be a perfect fit for your business. For instance, hiring a partner that can provide incident response services the moment you need them could make all the difference if you were to experience a serious cyberattack. It’s a smart decision to collaborate with someone who’s able to ensure that you’ll have the right skills and capabilities on hand in times of crisis.
Perhaps your primary concern is regulatory compliance, and you’ve passed all audits since engaging your provider. That’s great: your requirements are being met.
But the world is changing quickly. Has your business or its technology environment changed too?
MSSPs create packaged service offerings so that they can cater to as many customers as possible with the same technologies, infrastructure, and shared staff. In theory, this allocation of resources makes higher-quality security monitoring available to a broader array of smaller companies than building their own in-house security programs would, since the costs of the security operations center (SOC) and its employees are spread between them.
In practice, growing alert volume and a customer base that’s increasing in size may strain the resources of an MSSP. How is your provider handling this challenge? Many tune down their sensors or log management tools to cope with the problem, but this comes at a cost – they may be missing out on valuable information, including signals indicating malicious activity.
Is your MSSP using a legacy event funnel to filter events before presenting them to their team? Or are they using automation, or an advanced, scalable software solution that’s been purpose-built to handle massive data volumes?
If your business is in the process of migrating data and applications to the cloud, or is increasingly adopting Software-as-a-Service applications, can your provider keep pace with your changing technology needs? Do their offerings still fit within your cloud-based environment?
And if your provider is managing your security devices, are they applying patches and installing updates proactively? Are their technology recommendations in line with the requirements for scalability and efficiency that today’s businesses have?
#2: Are you receiving more escalations than you can keep up with? How many of these are false positives?
Many organizations engage with third-party security service providers to spare their employees time and effort. But if the MSSP you work with doesn’t offer additional detection and response capabilities as part of their service delivery model, then although they’ll assume primary responsibility for monitoring your environment, they won’t triage the alerts they escalate. Instead, your team will be tasked with responding to them: the provider will call you whenever they notice something worthy of further investigation, but the responsibility for conducting that investigation will still be yours.
Since every false positive alert you receive wastes your time (and ultimately, money, since you’re paying for the labor hours your staff is spending on their fruitless investigation), it’s important to keep a critical eye on the volume of escalations you’re getting. This is a widespread problem. According to one recent survey, nearly 45% of MSSPs investigate 10 or more alerts per day on behalf of their customers, and 44% are seeing a false positive rate that’s greater than 50%. Some analysts are spending as much as five hours during each workday just investigating these alerts.
To reduce this alert volume to manageable levels, some MSSPs are taking steps that may compromise the quality and effectiveness of security monitoring. It’s common practice to turn off alerting features or adjust alert thresholds on network security sensors so that fewer events fire, but this increases the chance that an attack will be missed.
It can be tricky to evaluate, but you want to be sure that your provider is escalating just the right number of events. Too few may mean that their sensors or security information and event management (SIEM) platform is tuned down too low, leaving you vulnerable. If there are too many, your MSSP is costing you more time than it’s saving you. This isn’t a situation you want to be in.
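As an added example (not code from the original post), the following Python script computes the figures this section says to watch from a constructed escalation log: escalations per day, false positive rate, and analyst hours consumed. The review thresholds are assumptions taken from the survey figures quoted above; the low-volume threshold is an assumed trigger for checking whether sensors or the SIEM have been tuned down.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log: (escalation timestamp, verdict after your team's
# investigation, analyst minutes spent). Not real data.
ESCALATIONS = [
    ("2024-03-04T08:12", "false_positive", 30),
    ("2024-03-04T09:40", "true_positive", 120),
    ("2024-03-04T14:05", "false_positive", 45),
    ("2024-03-04T16:30", "false_positive", 15),
    ("2024-03-05T07:55", "false_positive", 30),
    ("2024-03-05T11:20", "true_positive", 90),
]

# Assumed review triggers, based on the survey figures cited in the text.
HIGH_DAILY_VOLUME = 10   # 10+ escalations per day
HIGH_FP_RATE = 0.5       # more than half of escalations are false positives
LOW_DAILY_VOLUME = 1     # assumption: near-silence also deserves a tuning review


def summarize(records):
    """Return volume, false positive rate and analyst time for the records."""
    by_day = defaultdict(list)
    for ts, verdict, minutes in records:
        by_day[datetime.fromisoformat(ts).date()].append((verdict, minutes))
    days = len(by_day)
    total = len(records)
    fp_minutes = sum(m for _, v, m in records if v == "false_positive")
    fp_count = sum(1 for _, v, _ in records if v == "false_positive")
    return {
        "escalations_per_day": total / days,
        "false_positive_rate": fp_count / total,
        "hours_per_day": sum(m for _, _, m in records) / 60 / days,
        "wasted_hours": fp_minutes / 60,   # time spent on fruitless investigations
    }


def assess(summary):
    """Map the summary onto the 'too many / too few' warning signs."""
    findings = []
    if summary["escalations_per_day"] >= HIGH_DAILY_VOLUME:
        findings.append("too many escalations: provider may cost more time than it saves")
    if summary["escalations_per_day"] < LOW_DAILY_VOLUME:
        findings.append("too few escalations: check whether sensors or SIEM are tuned down")
    if summary["false_positive_rate"] > HIGH_FP_RATE:
        findings.append("false positive rate above 50%: ask how escalation decisions are made")
    return findings


if __name__ == "__main__":
    s = summarize(ESCALATIONS)
    print(s)
    for f in assess(s):
        print("warning:", f)
```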
#3: Are you able to communicate with experienced members of their staff during times of need?
What happens when they escalate an alert back to your team, and you need to know more about how the attack was detected? Will they provide you with appropriate contextual information? Will an experienced member of their team answer your questions? Do they seem to understand the terminology of the cybersecurity field? Can they explain how they make escalation decisions?
If you notice too many rapid personnel changes at the company, it’s a trouble sign. The global shortage of skilled cybersecurity professionals has hit managed service providers hard, and many struggle to retain their most talented employees.
But you’re paying for their expertise – and their ability to recruit and retain top talent. If they’re not delivering what they promise, you’re not gaining maximum value from the relationship.
#4: Are they putting cost-saving measures in place that are introducing risks or compromising your security?
Though growing, the market for managed security services remains highly competitive, and many providers face intense pressure to contain costs. They confront the same challenges that companies encounter when deciding whether or not to build an in-house security operations center (SOC), including expensive technologies and infrastructures, high labor costs, and difficulty retaining experienced security analysts.
The unfortunate consequence can be a tendency to reduce their service offerings to the lowest common denominator, to hire less experienced personnel, or to find other ways to save. This may include outsourcing SOC operations to a facility in Eastern Europe, India, or elsewhere in Asia. Such outsourcing might be putting your intellectual property and valuable data at significant risk.
#5: Is working with this MSSP making my security operations program better?
Overall, this is the most crucial question: am I getting real value in return for my investment in managed security services? A top-tier provider will make your team smarter and able to work more efficiently. They’ll increase the maturity of your security program in general.
For organizations that are unwilling or unable to build their own in-house security operations programs, finding an MSSP that they can trust, and with whom they can build a strong partnership, is invaluable. Look for a service provider who’s offering higher-value security services that extend beyond simple monitoring and analysis. These organizations may describe their offering as “managed detection and response” rather than simple “security services,” and they may take greater responsibility for incident response and remediation.
The best service providers are those who make optimal use of cutting-edge technologies, including automation and security analysis software. Those MSSPs who support their SOC analysis and monitoring procedures by implementing today’s most advanced solutions will be able to offer their customers better quality (and higher value) services at a lower overall cost.