Cyber security isn’t simple, but it could be

Sponsored Feature Most experts agree cybersecurity is now so complex that managing it has become a security problem in itself.

This has happened gradually over the last 25 years, often for perfectly good reasons. Hackers targeted weaknesses in isolated systems such as email, office applications or Windows PCs and so it made perfect sense to protect them with dedicated layers of security.

The result has been tool and system sprawl as ever more layers have been needed to protect new technologies such as web applications, IoT, and mobile devices from a constant barrage of threats. One of the simplest ways to measure this phenomenon is to look at the number of security tools organizations use to protect themselves, which according to one recent estimate has reached 50-60 for medium-size organizations and north of 130 each for larger enterprises.

More tools require more people, and more people need an ever-greater range of skills and experience to use them properly. That’s become a huge block in itself, with the 2023 Workforce Study from ISC2 revealing that the gap between the supply and demand for cybersecurity people in the UK has grown to 367,000. Evidently, if management complexity is to be overcome, it won’t be by hiring more people or using fewer tools, which most organizations can’t easily do without.

The MSSP solution

Growing complexity, skills shortages, and rising costs have resulted in huge growth in the managed security service provider (MSSP) sector over the last decade. The principle driving this is simple: outsource some, or all, of the security management problem to a third party and pay for it as a predictable operational cost rather than capital expenditure. At a stroke, organizations free themselves from hiring challenges, complex equipment choices, and some of the ongoing need to configure and migrate to new platforms.

But the rise of MSSPs is not simply about general practicality. A separate argument is that the once everyday task of threat detection and response has become too demanding and specialized to be carried out by in-house security teams which must also balance this function with their everyday security tasks.

An MSSP founded in 2003 to address this expanding corporate cybersecurity problem is SecurityHQ, which today has Tier 3 security operations centers (SOCs) in the UK, the Middle East, the Americas, India, and Australia. The company was named ‘Best Cyber Security Service Provider of the Year’ at the 2023 Cyber Security Awards. At the heart of its proposition to customers is its integrated security service, Managed Defense. This includes traditional MSSP MDR/EDR/XDR protections, as well as Managed Firewall (FW), Managed Endpoint Protection (MEPP), Managed Data Security, Threat & Risk Intelligence, and email security.

In addition, the company offers cloud protection through its Managed Protection for AWS, Managed Microsoft Sentinel and other specialized services such as its innovative SOAR-based Contain-X incident automation response system, a user behavior analytics (UBA) add-on, and digital forensics and incident response. One of the company’s senior cyber security managers, Sam Mannox, agrees that for many organizations, using an MSSP has become the only way they can access advanced security capabilities in an affordable way.

“Organizations don’t have the budget to conduct security in-house, and to monitor their own security 24/7. To do this, you need a big team and that costs money,” suggests Mannox. “For comparatively less, you can go to an MSSP and get that and access to many other services too.”

But even when a budget is available, the efficiency of the MSSP approach can make more sense.

Mannox continues: “Companies have experts managing their SIEM tools such as Splunk or Sentinel, but they don’t really have the technical capabilities in place to support them. An MSSP is just better value for money, and you get a whole team with that.”

Alert binge

The services are designed to cover the whole spectrum of cybersecurity. At one end is prevention, for example penetration testing, phishing simulation, red teaming, web application testing, and threat intelligence, all of which in different ways are about reducing the attack surface. At the other extreme is real-time incident response and post-event digital forensics, the parts that come during and after an attack.

In the middle lies minute-to-minute threat detection, which consists of a wide range of routine but essential tasks. This is where the capabilities of an MSSP’s SOC model must show its mettle. According to Mannox, the main threat types are phishing attacks and credential theft as well as fake invoices/invoice fraud campaigns. Stopping these sounds like a basic form of security but remains as critical as ever.

“Large companies often don’t pay attention and just pay them,” he says regarding the surprisingly underestimated threat of convincing-looking but fake invoices. “Sometimes these invoices will be paid multiple times, but it won’t be until months later when all the calculations are made that this becomes visible.”

One of the biggest advantages of using a specialist MSSP is that they have a box seat from which to observe how criminal techniques such as this are evolving in real time. Right now, ransomware is the biggie, a constant threat which often results from a simple credential compromise. As numerous victims have discovered, this is inherently difficult to stop. Stealing credentials has turned into the number one technique for cybercriminals because it is cheap and effective. Through it, attackers can impersonate a legitimate user or account ID, bypassing whole layers of expensive network security in ways that organizations struggle to detect.

Even so, attackers will still leave clues to their presence, some of which will turn up in a security console as an alert. This is where SOCs really earn their money and where the relationship between the SecurityHQ SOC team and the customer’s in-house team comes into play.

“If it’s a major event, our analysts will start checking the logs, and then once we have a better picture we can tell if it’s a true positive or false positive. If it’s an actual threat, we have a bridge call with the client within 15 minutes,” explains Mannox. “Then we start remediation from the 2,000 pre-defined playbooks we’ve developed in-house to automate response.”

The whole process is managed by the company’s SOC analysts through SecurityHQ’s Incident Management & Analytics Platform, which also gives customers a visual overview of an incident workflow and the actions that arise from it. Customer onboarding commences with the collection of logs into the IBM QRadar system or through the organization’s own SIEM.

“Incidents are also viewable on our mobile app, as well as on the web platform itself,” says Mannox. “That way customers can access anything they need from their phone and get notified within seconds of an issue being raised.”

AI versus AI

Log analysis and event correlation algorithms will only get you so far, however, which is why SecurityHQ analytics uses technology from UK company Darktrace to expand the network anomaly detection possibilities into a new realm. Right now, AI elicits equal amounts of fascination, trepidation, and a degree of bafflement, even among seasoned cybersecurity professionals. It’s also probably true that early forms of AI are now being used by attackers as the spearhead of a new generation of sophisticated attacks accessed through cybercrime-as-a-service platforms. If this continues to develop as many believe it will, machine learning AI will soon be needed by defenders to counter the same technology on the criminal side. But whose AI will gain the upper hand?

Mannox believes it will be the human dimension that makes the difference. In the era of machine versus machine duels, the human SOC analysts will still be a critical factor.

“This is because AI learns from repeating the same behavior and looking at the results. It might be able to recognize that something was anomalous,” he argues. “But it would not know what it is looking for specifically, like a zero-day exploit, and critical elements would be missed.”

Because the technology is designed to see everything statistically, comparing observed behavior to a model of the ‘normal’ state, AI can spot patterns that no human could detect. If this sounds a bit like traditional anomaly detection, which has been around for years, the difference is the volume of data points, which yields vastly more detail and correlation. Nevertheless, this still can’t replace an experienced SOC analyst who intuitively understands nuances such as criminal intention and what attackers value most. AI can see the network in huge detail, but it will still be humans that understand what an event might mean in terms of network and business risk.

According to Mannox, the biggest problem in security is still a tendency for organizations to ignore problems they can’t see or haven’t bothered to look for. Mining, education, and construction are all industries that need to improve their coverage, he says, with even some newer digital industries such as gaming and e-sports still lagging. Eventually, they risk being found out, more so if the security team is small.

“We see a lot of customers struggling with simple things, like access control, even with their standard network security. It’s not hard to sort those problems out, but companies either just don’t know about them in the first place, or they choose to ignore them. A company could be worth two billion dollars and they have one guy monitoring all their IT.”

Sponsored by SecurityHQ.