Catapult’s Spyglass security team sees this a lot: prospective clients with too few resources just trying to keep up, managing many disparate security and monitoring tools, responding to compliance audits, management inquiries and incidents, and trying to move their security posture forward (even if only slightly). The operative word is “trying”. Most of the time, the tools and the competing tasks end up managing your people, so your people are unable to stay focused on the things that matter most.
The question is: when you are trying to keep up with all those tools, how and when do you get to focus on the actual security work, such as issue resolution, risk management and treatment, promoting enterprise security awareness, and moving your baseline posture forward?
Several recent surveys highlight that close to 45 percent of security groups spend more than half their time configuring security and monitoring tools. Worse, over 75 percent consider complete visibility into their monitoring tools important, yet over a third are not confident that they actually have it. Roger Grimes recently published a great article on this very topic; below is an excerpt:
This problem was well-documented by the Verizon Data Breach Reports, which each year revealed that the vast majority of companies (usually more than 70 percent) suffering a breach actually had the security event log data that would have alerted them to it, if they had just looked and analyzed the data. It’s quite embarrassing to acknowledge to customers and shareholders that you had the data that could have prevented or lessened the breach but didn’t care enough to use it. ~Roger Grimes
What does that mean?
Simply put, it means there are too few of us to get the job done properly. If you can’t keep up, shouldn’t you bring in additional experts from a partner who can help?
Sometimes I think we “security folks” are just like that stubborn spouse who, after getting us lost, refuses to ask for directions.
Good help is hard to find.
The number of available security experts in the market is currently far short of what is needed, and the gap is getting worse. For example, industry reports predict that by 2020 (just two years from now) there will be a shortfall of around 40% between the number of qualified security personnel and the number of jobs that require advanced security skills.
Back to those tools for a moment…
While the pool of available expertise shrinks, the number of security and monitoring tools is increasing sharply. In 2016, a typical enterprise operated between 10 and 15 security tools. Two years later, we see roughly 30% more security tools in use: the typical enterprise of 1,000 to 5,000 employees now operates between 15 and 25 disparate security tools, without the staffing to manage them properly. Our Spyglass team sees the same field statistics when we onboard new Spyglass subscription clients.
This is where the old adage kicks in: you can’t solve a problem just by throwing money at it. The statistics and the highly publicized breach reports confirm it.
The trouble with managing security-tool-sprawled environments
The alerts come in such volume that the obvious response is to filter out the lower-priority ones, right? Wrong.
With today’s attack patterns, it is the low-level alerts (you know, the filtered-out stuff) that are characteristic of Advanced Persistent Threats (APTs). Bad actors get past initial detection (usually by compromising a low-privilege user account), then sit idle and listen, then advance systematically in small, “low-level” steps to remain undetected, then elevate privilege at the opportune moment, and finally steal what you value (your data, your IP, your employees’ PII/PHI). APTs are among the hardest threats to detect precisely because of how they operate: like a normal user, making small advances that your tools probably are detecting, but that you have, ummm… filtered out.
By filtering out the low-level alerts, you are actually giving bad actors places to hide and time to play.
Additionally, your security tools have very likely captured many of the “bits and pieces” that comprise an attack. Part of the problem is that those bits and pieces (the key indicators of the attack) sit in disparate tools as low-level items, so you miss them. Put all the little pieces of the puzzle together, and the resulting picture is a high-risk matter that has had time to advance. We all wonder how bad actors can sit inside compromised networks for around 200 days before being discovered. This paragraph explains why.
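To make the point concrete, here is an added example (not code from the original post, and not Spyglass’s own analytics) of what “putting the pieces together” looks like in practice. Four tools each emit one low-severity record about the same user: an identity provider sees a login from a new country, an EDR agent sees an encoded PowerShell command, Active Directory logs a Kerberos ticket request at an unusual hour, and the web proxy sees a large upload to an uncategorized site. A severity filter discards every one of them. Correlating them per user inside a time window, and requiring evidence from more than one tool, produces a single high-risk finding. The tool names, field layouts, indicator weights and all records are constructed assumptions for the illustration.

```python
"""Correlate low-severity signals from disparate tools into one high-risk finding.

Added example, not part of the original post. Every record below is constructed
sample data; tool names, field names, weights and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample alerts, shaped the way four different tools might emit them.
# Each is "low" severity on its own and would normally be filtered out of view.
RAW_EVENTS = [
    ("idp",   {"ts": "2018-03-05T08:02:11", "user": "jdoe", "event": "login_success",
               "geo": "new_country", "sev": 1}),
    ("edr",   {"time": "2018-03-05T08:15:40", "account": "CORP\\jdoe", "host": "WS-1182",
               "action": "powershell_encoded_cmd", "severity": "low"}),
    ("ad",    {"timestamp": "2018-03-05T09:01:03", "subject": "jdoe@corp.example",
               "eventid": 4768, "note": "kerberos_tgt_unusual_hour", "level": 2}),
    ("proxy", {"ts": "2018-03-05T21:47:52", "user": "jdoe", "dst": "files.cdn.invalid",
               "category": "uncategorized", "bytes_out": 734003200, "sev": 1}),
    # A second user with a single odd login: background noise, must not escalate.
    ("idp",   {"ts": "2018-03-05T10:12:00", "user": "msmith", "event": "login_success",
               "geo": "new_country", "sev": 1}),
]

# Assumed weight per indicator: minor alone, significant in combination.
WEIGHTS = {"anomalous_login": 2, "encoded_powershell": 3,
           "unusual_kerberos": 2, "large_upload_uncategorized": 3}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    tool: str
    indicator: str
    severity: int  # normalised 1 (low) .. 5 (critical)


def _user(raw: str) -> str:
    """Strip DOMAIN\\ prefixes and @realm suffixes so every tool agrees on identity."""
    return raw.split("\\")[-1].split("@")[0].lower()


def normalize(raw_events):
    """Map each tool's own schema onto the common Event shape (one adapter per tool)."""
    out = []
    for tool, r in raw_events:
        if tool == "idp" and r.get("geo") == "new_country":
            out.append(Event(datetime.fromisoformat(r["ts"]), _user(r["user"]),
                             tool, "anomalous_login", r["sev"]))
        elif tool == "edr" and r.get("action") == "powershell_encoded_cmd":
            sev = {"low": 1, "medium": 3, "high": 5}[r["severity"]]
            out.append(Event(datetime.fromisoformat(r["time"]), _user(r["account"]),
                             tool, "encoded_powershell", sev))
        elif tool == "ad" and r.get("eventid") == 4768:
            out.append(Event(datetime.fromisoformat(r["timestamp"]), _user(r["subject"]),
                             tool, "unusual_kerberos", r["level"]))
        elif tool == "proxy" and r.get("category") == "uncategorized" \
                and r.get("bytes_out", 0) > 100_000_000:
            out.append(Event(datetime.fromisoformat(r["ts"]), _user(r["user"]),
                             tool, "large_upload_uncategorized", r["sev"]))
    return out


def triage_by_severity(events, minimum=3):
    """The 'filter out the low stuff' approach: keep only events at or above a severity."""
    return [e for e in events if e.severity >= minimum]


def correlate(events, window=timedelta(hours=24), threshold=6, min_tools=2):
    """Group events per user, slide a time window over them, and score the distinct
    indicators inside the window. A finding is raised only when the score reaches
    the threshold AND the evidence comes from at least min_tools different tools."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - start.ts <= window]
            indicators = {e.indicator for e in in_window}
            tools = {e.tool for e in in_window}
            score = sum(WEIGHTS[ind] for ind in indicators)
            if score >= threshold and len(tools) >= min_tools \
                    and (best is None or score > best["score"]):
                best = {"user": user, "score": score, "tools": sorted(tools),
                        "indicators": sorted(indicators),
                        "first_seen": in_window[0].ts.isoformat(),
                        "last_seen": in_window[-1].ts.isoformat()}
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    events = normalize(RAW_EVENTS)
    print("alerts surviving a severity>=3 filter:", len(triage_by_severity(events)))
    for finding in correlate(events):
        print(finding)
```

Run as written, the severity filter keeps nothing, while the correlation step reports one finding for jdoe spanning all four tools; msmith’s lone anomalous login stays below the threshold and comes from a single tool, so it does not escalate. The requirement for evidence from more than one tool is what keeps a single noisy sensor from manufacturing incidents on its own.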
So, do you throw out your investment in security tools and search for yet another silver bullet? No! The silver bullet is actually your people.
The tools you’ve got are likely great, perhaps the best. Even small enterprises tend to make wise decisions and own an impressive inventory of security tools. It’s just that your personnel can’t keep up with all of them, or with the volume of information they produce.
The Spyglass team understands this, which is why we focus on visualizing and applying advanced analytics to all the signals from our clients’ existing tools (in other words, we don’t sell tools). We optimize what you already have, run your signals through our analytics platform, and coalesce all those low-level signals into actionable intelligence. We have developed a lot of intellectual property that helps us help you.
So how about Security as a Service – you know, MSSP? Some things you should know.
What you likely want and need is a competent partner with security experts available on demand and an arsenal of tools to automate as much as possible. A caution: be very selective in the Managed Security Services Provider (MSSP) you choose, for many legitimate reasons:
- Do you have to give up control of your security program to the MSSP?
- Does the MSSP allow flexibility and agility to adapt itself to your unique environment, or do you have to adapt to them?
- Does the MSSP have the same sense of urgency about your problems, or is that dependent upon your size?
- Can the MSSP do non-security work, such as implementing fixes or helping optimize your IT, or is it just a monitoring service?
- Can the MSSP help with topics such as policy development, supporting your security “state of the union” presentations, supporting your electronic discovery requirements, incident response, strategic planning, and thought leadership?
- Will the MSSP be there with you when you suffer a breach – you know when “IT” hits the fan?
- Will the MSSP staff your account with novice analysts, or with seasoned security architects?
A partner. Not a provider
If you are like most enterprises, you want a partner, not just a provider: one who earns its place as a trustworthy extension of your program. You want a partner that will come alongside your security strategy and assist in several highly valuable ways.
- Bring advanced analytics into the fold to digest all the signals from your security tools (down to the low-level signals) and deliver actionable insights to you faster.
- Invest in learning your environment by assigning a dedicated expert to lead the partner’s team.
- Assist your team in rolling out security improvements, and help with topics such as end-user adoption.
- Apply technical expertise to optimize how the signals from your existing security tools are processed, hunting for the ghosts in the machine.
- Help shape your controls and settings according to your compliance requirements (e.g., PCI, HIPAA, GDPR, SOX) and your appetite for risk, applying best practices throughout.
- Help align your technology environment with your policies, regulations, and standards, and provide pragmatic feedback and proactive assistance when gaps are discovered.
- Coach you on the gaps that are found and recommend approaches that have repeatedly closed similar gaps for others.
- Bring a team that will work with you until the issue is resolved whenever there is one.
Makes economic sense
If you explore Security as a Service (whether with Spyglass or others), you will likely find that it brings you broader expertise and more advanced skills more affordably than the budget required to hire and develop those resources yourself. Compare the cost of a Security as a Service partner with the cost of adding just one additional expert-level security resource to your team, and you will find greater economic and strategic value in partnering. Catapult and the Spyglass team can tell you more about this value and the other benefits of Security as a Service.
Ready to learn more?
Let’s chat. Please schedule some time on my calendar if you’d like to learn how Security as a Service could benefit your organization.