The average SMB doesn’t want to retain an in-house IT department. Running its network properly and keeping it secure is a complex task and the people who know how to do it command a high salary. It makes more sense to outsource system management to a managed services provider (MSP). The business shares the cost of expertise with other customers and has extra resources available when they’re needed temporarily.
Executives think of managed services as an all-in-one service covering hardware and software recommendations, network and user management, maintenance, and even security. But cybersecurity is a challenging task, one that’s too specialized even for IT people who don’t have the training. Loss of data and website hijacking can be very expensive as well as seriously damaging a business’s reputation. An MSP will provide a basic level of security services, but for serious protection, a business should outsource its cybersecurity to specialists — a managed security services provider or MSSP.
MSSP vs. MSP
Originally a part of system administration, cybersecurity has grown into a full-blown specialty. Many certifications are available to those who prove their expertise. Online attacks have grown in variety and sophistication, and being able to deal with all the new developments requires constant study.
This isn’t to dismiss the complexities of the work that IT teams do. Their plate is full. Keeping a business’s systems running smoothly requires understanding networks, computers, routers, switches, operating systems, and applications. There’s a trade-off between covering so much ground and in-depth expertise.
Network security is an area where that depth is essential. You could say, hopefully without offending anyone, that an IT team’s skills are a mile wide and an inch deep, while a cybersecurity team’s skills are an inch wide and a mile deep.
A business can use both MSP and MSSP services, or it can use one without the other. A company that uses an MSSP can have it work with an MSP or with its in-house IT department. If just some parts of IT are outsourced, all three groups can work together. What’s important is to have an approach to security that can deal with all the challenges the network faces. Neglecting security is as bad as, if not worse than, neglecting basic hardware and software maintenance.
The security methods of IT departments — firewalls, software updates, network segmenting, multi-factor authentication, anti-malware software, and so on — will thwart 95% of all attacks. Unfortunately, 95% isn’t good enough anymore.
Attacks like password guessing, crude phishing, and exploitation of bugs in year-old software are still around. The most dangerous intrusions, though, use state-of-the-art techniques that bypass ordinary defenses. The people behind them have large budgets and top-quality talent. Something more is needed to thwart them.
The hard-to-stop techniques of the most dangerous attacks include:
- Zero-day threats. Hostile groups discover bugs to exploit and develop attacks before anyone else knows the weakness exists.
- Spearphishing and whaling. These names refer to highly personalized phishing messages that can fool even people who are alert. Whaling messages go after top executives and system managers for high stakes.
- Stealthy malware. Advanced persistent threats, or APTs, are like cloaked spaceships on TV space operas. Once they get onto a system, they’re fully armed and operational yet remain invisible to most detection techniques. They collect valuable information for weeks or months without being noticed.
No single method of defense is 100% effective. Good defense requires attackers to get past multiple barriers before doing any harm. Even them, some intrusions get through. Catching them quickly will minimize the damage they do.
To stay ahead of the sophisticated attacks on today’s Internet, an organization needs three things: the most effective tools available, detailed knowledge about current and emerging threats, and experts who can reliably identify threats and take action against them. This is the role filled by a managed security service provider.
What to expect of an MSSP
Anyone can claim to provide managed cybersecurity services. That says nothing about how much protection they’ll give you. Some offer nothing more than an add-on set of software and some degree of on-call service. High-quality security calls for more than that. The structure and terminology vary between providers, but an MSSP’s offering should include the following or its equivalent:
- A constantly active security operations center (SOC). A SOC receives a steady stream of data 24 hours a day from an organization’s entire IT infrastructure and analyzes it against threat intelligence to identify suspicious activity. The SOC’s analysts examine the information they get and decide if action is necessary. If they see a threat in progress, they notify the incident response team, which starts the remediation process. If they detect risks that aren’t immediate, the SOC’s engineers will look for ways to close the security holes.
- SIEM as a service (SIEMaaS). A SIEM (security information and event management) system gives the SOC information on what is happening throughout the network. SIEM goes beyond network monitoring and log analysis to combine information from all the devices on the network. It uses machine learning to match patterns of activity against hostile tactics and known threats. The software can run on your network or operate from outside (SIEM as a service).
- A SOAR platform. SOAR, which stands for Security Orchestration, Automation, and Response, lets independent tools work together automatically to get the maximum amount of information with a minimum of manual intervention. Incident response is automated where possible, ending the threat quickly and letting the staff focus their efforts elsewhere.
The best cybersecurity talent and the best software are a powerful combination. The amount of information to analyze is huge, and SIEM brings it together to discover patterns. SOAR goes a step further to let independent tools work together and produce insights. The automated coordination of tools and services is called orchestration. An orchestrated approach lets the analysts see a summary of the security status in a single glance and drill down to results that need attention.
If you already have strong security measures in place, you don’t have to hand everything over to the MSSP. Managed security services, also known as cybersecurity as a service, can work with your in-house security specialists, stepping in when you need additional help. You can run your own SIEM or let the service provider take charge of it.
Providers of online security services have been around for a long time, but the model continues to change along with the risks which online systems face. Ongoing areas of change include dealing with regulatory requirements and developing a managed detection and response (MDR) model. The business continues to grow as more organizations find they need expert cybersecurity protection.
The security assessment
The starting point of a managed security relationship is a thorough study of a customer’s current security posture. Whether a company has neglected online protection or done its best, there are always areas that could use improvement. It’s a process of constant review and updating, not a final goal to reach and rest at.
An assessment will find vulnerabilities that need patching. It will identify practices that leave systems open to risk. In many cases, the assessment will discover undetected malware that needs to be removed. It isn’t possible to fix everything at once, so the MSSP will prioritize the issues it discovers. The customer, working with the MSSP, will address the most urgent problems and then proceed to fix as many of the others as it reasonably can.
The assessment should be repeated periodically, once or twice a year, or more often in security-critical environments. Comparing them over time will show how much improvement has happened and where practices are lagging behind.
Real threats and false positives
SIEM and other protective software can’t always tell a real threat from a false positive. To err on the safe side, they have to report some doubtful cases rather than miss a real intrusion. The people in charge of security have to check each report and decide whether it’s worth doing anything.
Skill and experience are necessary to make that decision. People with IT skills but no specialized security experience are likely to start by treating every report seriously. When they realize how much time they’ve wasted, they might jump in the other direction and pay little attention to security alerts. Security specialists are better able to separate the attacks from the noise, so they can focus on the real problems without being distracted too often by false alarms.
Stealth techniques include hiding malicious code in a place that is rarely examined and doesn’t have any obvious connection to its effect. Just being behind the firewall and having file system privileges is enough. The malware may hide in a database or an add-on. It could be in some service that everyone has forgotten about and isn’t maintained anymore. The usual techniques aren’t likely to discover it.
An MSSP using SOAR technology gets an end-to-end view of the entire network. This makes it possible to spot activity that shouldn’t be there. Advanced persistent threats, which can be very costly, don’t stay hidden as long.
The MSSP and IT
The MSSP works together with the MSP or the in-house IT department to stop threats, improve on weak points, and repair damage. While the SOC can and will act to stop threats, the system managers are responsible for network management, implementation of policies, and upgrading of hardware and software.
How much authority the MSSP has to make changes depends on the provider and the contract. Some providers handle patches and upgrades directly. Others make recommendations for the system managers to implement. Regardless of the model, the customer always has ultimate control. Upgrading all software automatically is best from a security standpoint but runs the risk of getting an incompatible change at an inconvenient time. The choice depends on weighing stability against security.
A good MSSP knows that security isn’t just a technological issue. Most breaches are partially the result of human error or, less often, deliberate insider action. A well-designed set of security policies will limit the chances of serious harm. Spam filtering, security awareness training, multi-factor authentication, and restricting privileges all make damage from user actions less likely and less serious.
Every customer is different
Bolt-on security packages aren’t tailored to your particular security needs. Each industry has different requirements. Depending on the business you’re in and the data you handle, certain kinds of attacks are more likely than others to set their aim on your network. Some go after government, healthcare, or education. Others specialize in a CMS such as WordPress or Drupal.
A top-rated managed security service provider will look at your business, software, and risk profile and tailor your protection to prioritize the most urgent concerns. They’ll focus their effort where it will give you the most benefit.
Do you need an MSSP?
When deciding whether to use an MSSP’s services, you have to consider the potential cost of a security incident. If you manage employee data or purchase records, losing control of them could not only be expensive but also damage your business reputation. If you deal with data that comes under special government or industry protection, the stakes are even higher. Examples are personal health records and financial information.
Another question to consider is how much downtime you can stand. If continuous operation is critical, you don’t want security incidents to take your systems offline, and if it happens, you want operations restored as quickly as possible. An MSSP offers a lower mean time to recovery than a generalist MSP.
Even if your servers don’t carry sensitive data, ransomware and website vandalism will ruin anyone’s day. It takes time and money to recover from them, and having a hacked website for any length of time can destroy its search engine rank as well as repel visitors. What is your tolerance for these risks?
If you think an MSSP could be right for you, schedule a consultation with BitLyft. You can talk with an expert on how our services will save you from costly malware attacks, and you’ll get to see a demonstration of managed security services in action.