Decoding Cybersecurity: Exploring the Challenges of Managed Security Services
There’s no denying that in the fast-paced world of cybersecurity, innovation is exciting and bewildering in equal measure. New products and companies turn up almost daily, solving threats we didn’t realize we faced and forcing companies to develop processes and policies they didn’t know they needed. In this constant race not to be the next cover story, or to bounce back from a costly breach, individuals and companies spend billions every year on new tools that ultimately fail to deliver, not because the security product or service doesn’t work but because organizations fail to integrate it with their wider processes. All too often, success rests with a single expert; their departure, or the waning of their passion for the tool, spells the slow demise of that product or service and gives rise to the next.
At the center of almost every organization's cybersecurity ecosystem is a SIEM platform. Some may call it a data lake, but fundamentally there will be a ‘thing’ that a business sends its event logs to for analysis, in the hope of detecting evidence of an attack. That SIEM might be the organization's own, or it may belong to an MSSP or another outsourced service provider. Either way, it is widely considered the brains of any SOC operation and, as such, requires no small amount of experience and training to run effectively.
For decades the entire cyber industry has been trying to make this SIEM/SOC challenge easier. Whilst the very largest companies have tended to build and maintain their own in-house teams, many more have turned to third-party service providers for their expertise, experience, and scale. Unsurprisingly, there is no shortage of MSSPs in the market to address this demand, and selecting one is a hugely complicated undertaking for any company.
In an effort to simplify the process for customers, MSSPs and vendors have sought to package their services together and demystify the complexity for would-be prospects. A one-stop-shop provider that can offer the platform (SIEM), the experts, and the intel in a single box makes for an attractive solution on paper and has become a hugely popular model for companies to adopt. Whilst different providers will have their own spin on the concept, generally speaking these services work as follows: the client configures their infrastructure to send security event logs to the provider; the provider then interrogates those events using its own special blend of in-house expertise, threat intelligence, and a healthy dollop of machine learning and artificial intelligence to detect malicious activity in the client's environment; once detected, those ‘events’ are classified by severity and escalated back to the client for follow-up. On the surface it might seem much easier to simply outsource all of this to the experts, but not all MSSPs are the same, and those that operate as a 'black box' in the cloud may have hidden pitfalls.
- The special blend of platform, people, and intel is in nearly every case the unique IP of that service provider and not something MSSPs want to reveal to customers in any detail, even under NDA. In most cases the ‘way they do this’ is kept secret from everyone, including their clients. The whole model requires customers to take it on faith that the provider are the experts who have been doing this far longer than any of us, trusting their track record and their list of happy customers.
- The MSSP model requires that customers export their data to the MSSP, often in significant volumes, for consumption and storage. Assurances around the integrity and security of that data are almost always a paper-based exercise, and questions of where the data is stored, who has access to it, and when are almost always impossible to verify.
- MSSPs don't often help their clients determine which logs to keep, remove, add, or tune. The result is that SIEM costs are higher than they should be, there are too many alerts that don't matter, and subtle indicators or severe threats can be missed.
- Data portability is also a challenge at the end of a contract. The unique and customized use cases and tuning rules that the MSSP developed during the contract are typically not available to take with you. The practicality of exporting months or years of log data from the MSSP’s backend, finding somewhere to host it, and importing it into a new provider's service creates cost and complexity that is often never planned for in advance.
- Limited customization is also common. Many MSSPs argue that to drive down costs for their customers they must limit the scope of their services and customization. Selecting cybersecurity services from an MSSP should not be like ordering fast food from a limited menu - and still feeling hungry. Either you are secure - or you are not. Cybersecurity is a team sport. The primary goal for an MSSP should be to be certain their clients are well protected - everywhere - and then to work with all of the client's resources, including budgets, people, and existing tools, to ensure that goal is never compromised.
- Ultimately, the task of assessing and remediating an incident still falls to the client, with all the same limitations in expertise and resources that drove the original move to outsource. All too often, companies just aren’t equipped to effectively consume and resolve the alerts that an MSSP provides, nor are they able to drive effective remediation to reduce their risk and exposure. Equally, MSSPs just don’t have the intimate understanding of the client's business and processes needed to make those decisions on the client's behalf, beyond very generic steps such as endpoint isolation via EDR.
These represent just some of the key issues that organizations face when selecting a managed security services partner. For many, these are issues they’ve lived and breathed multiple times across multiple companies during their careers. It is also important for clients to consider how challenging it is to architect an MSSP business, one that keeps clients secure while continuing to grow and to innovate new security services and technologies. It should be no surprise that many 'black-box' service providers get this wrong when you consider the pace of change, the cost of tools, complex service integration, skills shortages, and wage levels, as well as the inherent complexity of working outside their clients' environments and ensuring security at arm's length. Under all those burdens, customization, flexibility, and scalability aren't even possible, and that leaves many clients with a less-than-adequate security posture.
Increasingly, businesses are looking for a middle ground or hybrid solution that offers greater flexibility, greater visibility, and better support around remediation. BlueVoyant’s approach seeks to address these challenges with a modern, truly co-managed service model. To begin with, clients own the SIEM platform and the data in it. Using the capabilities that next-generation SIEM providers like Microsoft offer allows us to bring all of our advanced use cases, security IP, and threat intel to our clients' data in their environment, not the other way around. Not only can our clients see exactly which rules and detections are in place on their SIEM, but the IP is theirs to keep even if we part ways in the future. Furthermore, because we don’t sell the underlying SIEM platform, we have no vested interest in the client's consumption. In fact, we actively focus on helping our clients optimize the log sources they ingest to remove bloat and overspend.