Matt Lawrence, Head of Defensive Security at JUMPSEC, highlights the challenges organisations face when detecting and responding to cyber threats, and how to ensure maximum value from your MSSP.
Our industry faces a shortage of skilled, experienced professionals, which puts a strain on companies to find and retain capable and reliable security staff.
The rise of specialist cyber security consultants and managed security service providers (MSSPs) is underpinned by organisations that appreciate the lower investment cost and greater experience these companies can offer. Outsourcing removes the issues associated with inexperienced talent, yet MSSPs are also struggling with retaining staff, analyst burnout and the ever-increasing costs of employment.
Many organisations today are in danger of moving into toxic working environments characterised by long, often unsociable working hours and excessive workloads. To combat this, we must work towards better business models that ensure sustainable service provision.
To succeed, it is essential for service providers to find a way to attract top-level talent and avoid the growing trend of analyst disillusionment and burnout. To help with this, here are seven key principles for MSSPs that aim to address the current challenges facing cybersecurity buyers and service providers.
1: Augment people with technology
Both human and product-centric offerings have significant limitations, which contribute to falling service standards and unsustainable operating practices.
Today’s most effective models retain intelligent human operators at their heart. Failing to take advantage of technology will see traditional offshoring providers continue to lag behind. Utilising intelligent automation and advanced technology is key to streamlining ‘mandraulic’ effort and focusing time and resources on areas that matter most. However, this approach is only possible if you…
2: Become pragmatic and detect what matters
The industry has an unhealthy obsession with ‘100% detection’, a symptom of failing to understand what effective cyber defence looks like.
It is impossible to achieve 100% prevention or detection. Stretching resources too thinly by expecting analysts to process the excessive number of alerts required for the illusion of 100% detection only makes them less effective by encouraging the wrong behaviours.
Instead, organisations should focus on building a strong baseline of defensive controls with a suite of environment-appropriate detections. This must include relevant detections for commonly used TTPs and, more contextually, tailored detections tuned to specific ways attackers are likely to traverse the environment.
3: Respond on the front foot
Detection is meaningless without the ability to do something about it – but the response remains a glaring capability gap for many organisations and service providers.
Our experience managing and responding to real-world cyberattacks has provided first-hand knowledge of how unprepared organisations fail to address security incidents effectively. From poor decision-making under pressure and ineffective communication channels to untested backup, recovery, and redundancy procedures, most organisations cannot respond effectively.
This issue is exacerbated by the fact that most typical MSSPs prioritise detection over response. Containment and eradication of threats are not always included in the service offering; often, this is handed back to the client or a third party. Where a response is included, it is often slow-moving, hampered by the absence of joint operating procedures and poorly clarified roles and responsibilities (as well as the more general issue of under-resourcing). A third party cannot adequately fill this gap, and there is no substitute for a robust playbook and a well-drilled internal team when responding to an incident.
4: Avoid dependency and enable progress
One of the biggest misconceptions in cyber security is that if you outsource to the right provider or buy the right ‘silver bullet’ product, the problem goes away.
An MSSP is only as effective as the security baseline of the organisations it works with. The second principle (being pragmatic and detecting what matters) stresses the importance of a pragmatic and realistic approach to threat detection. This becomes significantly harder, even impossible, if the client has a porous network riddled with vulnerabilities and misconfigurations. An MSSP willing to accept the risk of defending a fundamentally insecure organisation – while maintaining standard SLAs – is not acting with the best interests of its clients or employees at heart.
We must help clients better themselves and leave them in a more secure position than when we began working with them, raising awareness and appreciation of the importance of effective cyber security across the organisation. Without this, it’s tough for any MSSP to succeed.
5: Be visible and transparent
When responding to client incidents, we frequently encounter situations where the client has noticed signs of malicious activity before being notified by their MSSP. Sometimes, the MSSP fails to find evidence of malice at all (despite, in some cases, obvious indicators of an ongoing ransomware attack).
The underlying problem here is that the communication and visibility offered by many MSSPs are poor. This can create a false sense of security and the notion that ‘no news is good news’, leaving gaps in detection unnoticed until compromise occurs.
It’s important that clients have confidence and evidence that your solution is as effective as you say it is. This means continuously testing and validating that defences remain effective – considering both emerging attacker TTPs and network changes that might interfere with the configuration of detections.
A mix of offensive and defensive specialist consultants is helpful. This symbiotic relationship enables defences to be continuously updated to reflect the latest attacker TTPs, while offensive techniques are continuously refined to circumvent those controls – enabling defences to be enhanced before an attacker can bypass them in the wild.
6: Be flexible and adaptive
Most organisations have already invested in security tooling, products, and services. Equally, no two organisations will have the same digital infrastructure and operations. Despite this, most MSSPs look to use a standard deployment approach and technology stack – even when investments already made by the client may deliver the same advantages if used correctly.
Before making deployment decisions, it is important not to be wedded to a specific technology stack and always consider what already exists on the client network. Most organisations fail to extract maximum value from their products and services. Harnessing them as part of the service will ensure they are used to their full potential, avoiding the need to duplicate historical investments.
7: Embed continuous improvement
In addition to encouraging client development and progress, we want to achieve the same for ourselves. The ISACA 2022 report cited limited progression opportunities and a lack of support as key factors driving analyst dissatisfaction. We believe the best way to offer development opportunities is to continuously innovate – finding more efficient ways to do core tasks. This frees up more time for working on more progressive initiatives.
By committing to continuously ‘making ourselves obsolete,’ MSSPs can unlock more exciting opportunities for working alongside clients. This means searching for incremental improvements, however small they appear, without waiting for major transformations or upgrades – as the increments add up.
In short, MSSPs need to work smarter and treat current industry professionals better by creating more sustainable systems to maximise their performance and halt analyst burnout.