The cybersecurity landscape has evolved over the last five years, which has meant that cybersecurity partnerships and providers have had to adapt to keep what they offer relevant. Two major milestones that have assisted the evolution of the cybersecurity domain were:
Where is the industry now?
Within the last five years, companies' adoption of security has been slow and indirectly conducted. Next-generation security technology such as firewalls or Endpoint Detection and Response (EDR) agents was typically added to organizations because of contract renewals of legacy services or because of third-party requirements, and often bundled with managed services. It is estimated that 50% of the U.S. market uses managed security services today.
Before these services were adopted, many organizations saw daily attacks such as worms, viruses, and basic phishing. Most of these have been eliminated with the help of next-generation technology, which has created a false sense of security: these events were to be expected for anything connected to the internet and were easily eradicated by the basic functionality of next-generation features. They should not be confused with the actions of a hacker targeting your organization. The modern hacker is an educated person who knows what steps to take to gain access to an environment and will do everything possible to stay in the shadows. That means they know how to avoid alerting the perimeter edge technology, but they cannot avoid generating events that can be detected by Managed Detection and Response (MDR) services that use eXtended Detection and Response (XDR) capabilities.
This direction of the market is why SilverSky has adopted exactly this model: all of our services are combined with Managed Detection and Response (MDR) to enable holistic security and shine some light on the hackers hiding in the shadows.
What do you look for in a Supplier Technically?
With security adoption becoming more forthcoming, and most companies already having security services in their environment, the key functions to look for are flexibility, the ability to scale, and advanced alerting analytics.
Flexibility
As stated, most organizations already have security technology, good or bad; they have invested money in perimeter edge services and typically want to see the contract through. From a supplier's perspective, this means any services sold need to complement whichever of the roughly 300,000 possible combinations of security services is already in place, enabling SIEM ingestion and security monitoring across all of it. This matters because security monitoring should cover all aspects of the business, not just the technology the supplier happens to support. It makes it harder for the supplier to guarantee the client that there are no blind spots to be taken advantage of, but that is the nature of security: either you holistically support the whole environment, or you are not delivering full security monitoring.
Secondary to ingestion is the analytics applied to the data received. Gauge this by asking your supplier whether data sets are mapped to a common naming schema with enrichment, or whether they maintain a different rule set per technology brand. The former is clearly better: it lets newly added technology inherit seasoned analytics, and it is more efficient to manage, which means that when there are issues they are in one place and easily fixed.
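To make the "common schema versus per-brand rules" distinction concrete, here is an added example (not SilverSky's code, and not from any vendor's product) that takes two constructed log formats, a key=value firewall line and a JSON EDR record, maps both onto one assumed common schema, enriches them from an assumed asset inventory, and runs a single detection rule written once against that schema. The field names, the asset table, the internal address ranges, and the sample events are all assumptions made for the example.

```python
"""Normalize events from two different vendors into one common schema, enrich them,
and apply one rule to both.  Added example; the formats, field names and asset table
are constructed for illustration, not taken from any real product."""
import json
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: a key=value firewall line and a JSON EDR record.
# 203.0.113.0/24 is a documentation (TEST-NET) range, used here as a stand-in external address.
FIREWALL_LINE = "ts=2024-03-01T09:12:44Z action=allow src=203.0.113.9 dst=10.0.0.5 dport=3389 user=-"
EDR_RECORD = json.dumps({"timestamp": "2024-03-01T09:13:02Z", "host": "WS-0042",
                         "remote_ip": "203.0.113.9", "port": 3389,
                         "event": "inbound_rdp", "account": "jdoe"})

# Constructed enrichment table (assumed asset inventory), keyed by IP and by hostname.
ASSETS = {
    "10.0.0.5": {"hostname": "WS-0042", "owner": "jdoe", "criticality": "high"},
    "WS-0042":  {"hostname": "WS-0042", "owner": "jdoe", "criticality": "high"},
}
# Assumed internal address space; anything outside it is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_firewall(line):
    """Vendor-specific parser: key=value syslog line -> common schema dict."""
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    return {"ts": kv["ts"], "source": "firewall", "src_ip": kv["src"], "dst": kv["dst"],
            "dst_port": int(kv["dport"]), "user": None if kv["user"] == "-" else kv["user"],
            "action": kv["action"]}


def parse_edr(record):
    """Vendor-specific parser: JSON EDR record -> the same common schema dict."""
    r = json.loads(record)
    return {"ts": r["timestamp"], "source": "edr", "src_ip": r["remote_ip"], "dst": r["host"],
            "dst_port": int(r["port"]), "user": r.get("account"), "action": r["event"]}


def enrich(event):
    """Add fields rules can key on regardless of which vendor produced the event."""
    asset = ASSETS.get(event["dst"], {})
    event["dst_hostname"] = asset.get("hostname", event["dst"])
    event["dst_criticality"] = asset.get("criticality", "unknown")
    src = ip_address(event["src_ip"])
    event["src_external"] = not any(src in net for net in INTERNAL_NETS)
    return event


def rule_external_rdp(event):
    """One rule, written once against the common schema; fires for either vendor."""
    if event["src_external"] and event["dst_port"] == 3389 and event["dst_criticality"] == "high":
        return (f"external RDP to high-criticality host {event['dst_hostname']} "
                f"from {event['src_ip']} (seen by {event['source']})")
    return None


PARSERS = {"firewall": parse_firewall, "edr": parse_edr}


def run(raw_events):
    """Parse each (format, raw) pair with its own parser, normalize, enrich, apply the rule."""
    alerts = []
    for fmt, raw in raw_events:
        alert = rule_external_rdp(enrich(PARSERS[fmt](raw)))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run([("firewall", FIREWALL_LINE), ("edr", EDR_RECORD)]):
        print(a)
```

Adding a third vendor here means writing one more parser that emits the same dictionary; the rule and the enrichment are untouched, which is exactly the "inherit seasoned analytics" property the paragraph describes. With per-brand rule sets, the same detection would have to be written and maintained three times.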
Ability to Scale
It is striking how quickly the move to Managed Detection and Response will be adopted, with an estimated 1-2 years for most of the market to buy into these services. This means suppliers today could double, if not triple, in size within two years. SilverSky has taken 23 years to reach 4,000 clients, so doubling in a tenth of that time sounds almost impossible, but we believe it is a very realistic expectation, and we have made technical enhancements to our MDR stack to ensure that growth is an easy endeavor that does not rely solely on having more people.
It is therefore very important to ask your supplier what their strategy is for growing their organization alongside the increasing number of clients they serve, without impacting the service they deliver today. This is a growing concern among trusted advisors, who want to be sure they are not recommending a company that can only guarantee a few months of quality service, or worse, fails to protect a client and sees them get hacked.
Advance Alerting Analytics
Perimeter edge technology provides preventive capabilities, but it does not stop every hacking attempt. In a hacking scenario the hacker still has access, or has managed to deploy an agent that has left residue in the environment that needs to be found, cleaned up, and potentially rebuilt.
eXtended Detection and Response (XDR) takes telemetry from the environment (network, endpoint, Active Directory, domain controllers, email, and vulnerability scanners, to name a few) together with the events fed from the perimeter edge technology, maps it against common attack frameworks, and maintains an active memory of each entity's event history in the environment to identify trends, abnormalities, attack sequences, and irregular events. Detections can then correlate feeds from multiple sources and assess them over long periods, so that low and slow activity is easily detected and first-time thresholds are brought to the security team's attention earlier in the attack. That makes the response easier and requires less investment of time from both parties, which also complements the efficiencies a growing organization needs.
It is very important to have a supplier that does not rely solely on alerts from perimeter edge technology and, even more importantly, does more than correlate against threat feeds. Everything after the perimeter is a response, and the earlier you respond the safer your client is. The response complements the detection.
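The "active memory per entity" point is the part of XDR that a stateless perimeter rule cannot reproduce, so here is an added example (not SilverSky's code, not taken from any product) of the two detections the paragraph names: a low and slow sequence that never crosses an hourly brute-force threshold, and a first-time event for an entity. The events are constructed, already mapped to an assumed common schema (fields ts, source, user, src_ip, outcome), and the window sizes and thresholds are assumptions chosen for the example.

```python
"""Stateful correlation: keep per-entity history so low-and-slow sequences and first-time
behaviour surface even though no single event trips a perimeter threshold.  Added example;
event stream, schema fields, windows and thresholds are constructed assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_network

SLOW_WINDOW = timedelta(days=7)    # assumed look-back; longer than a perimeter box keeps
SLOW_THRESHOLD = 10                # assumed: failures inside the window before alerting
BURST_THRESHOLD_PER_HOUR = 5       # assumed: what a stateless hourly brute-force rule needs


def make_events():
    """Constructed stream: one failed login for 'jdoe' every 12 hours for six days, alternating
    between the VPN and a domain controller, then one success from a network never used before.
    198.51.100.0/24 is a documentation (TEST-NET) range used as the attacker's stand-in address."""
    base = datetime(2024, 3, 1, 2, 0)
    events = []
    for i in range(12):
        events.append({"ts": base + timedelta(hours=12 * i), "source": "vpn" if i % 2 else "dc",
                       "user": "jdoe", "src_ip": "198.51.100.23", "outcome": "failure"})
    events.append({"ts": base + timedelta(days=6, hours=3), "source": "dc", "user": "jdoe",
                   "src_ip": "198.51.100.23", "outcome": "success"})
    return sorted(events, key=lambda e: e["ts"])


class EntityMemory:
    """What the engine remembers about one entity (here, an account) across sources."""
    def __init__(self):
        self.seen_networks = set()   # /24s this account has successfully authenticated from
        self.failures = deque()      # (timestamp, source) of failures inside SLOW_WINDOW


def correlate(events):
    """Run the stream in time order; return alerts as (rule, entity, detail) tuples."""
    memory = defaultdict(EntityMemory)
    alerts = []
    for e in events:
        m = memory[e["user"]]
        net = str(ip_network(e["src_ip"] + "/24", strict=False))
        if e["outcome"] == "failure":
            m.failures.append((e["ts"], e["source"]))
            # Evict history older than the window so per-entity memory stays bounded.
            while e["ts"] - m.failures[0][0] > SLOW_WINDOW:
                m.failures.popleft()
            in_last_hour = sum(1 for t, _ in m.failures if e["ts"] - t <= timedelta(hours=1))
            # Fire once, when the window first reaches the threshold, and only when the activity
            # is genuinely slow (a burst would already be caught by the perimeter rule).
            if len(m.failures) == SLOW_THRESHOLD and in_last_hour < BURST_THRESHOLD_PER_HOUR:
                sources = sorted({s for _, s in m.failures})
                alerts.append(("low_and_slow", e["user"],
                               f"{SLOW_THRESHOLD} failures over {SLOW_WINDOW.days} days "
                               f"from {sources}"))
        elif e["outcome"] == "success":
            if net not in m.seen_networks:
                alerts.append(("first_seen_network", e["user"],
                               f"first successful login from {net} via {e['source']}"))
            m.seen_networks.add(net)
    return alerts


def max_failures_in_any_hour(events):
    """What a stateless hourly brute-force rule would see: the busiest single hour."""
    fails = [e["ts"] for e in events if e["outcome"] == "failure"]
    return max((sum(1 for t in fails if 0 <= (t - start).total_seconds() < 3600)
                for start in fails), default=0)


if __name__ == "__main__":
    stream = make_events()
    print("busiest hour has", max_failures_in_any_hour(stream), "failures (perimeter rule silent)")
    for rule, entity, detail in correlate(stream):
        print(rule, entity, detail)
```

The same twelve failures, viewed one hour at a time, never exceed one event, so an hourly threshold on either the VPN or the domain controller alone stays silent; only the engine that remembers the account across both sources and across six days sees the pattern, and it also catches the eventual success as the first time that account has authenticated from that network.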
What do you look for in a supplier strategically?
Partnerships should be bi-directional in opportunities as well as in communication. Although it is not always guaranteed, suppliers should make efforts to enable the following functions to enhance the partnership:
Who provides your security?
Do you trust your supplier enough to use them yourself? It is highly recommended to have your supplier provide at minimum a trial of their services so you know what your client is going to receive. Nothing sells cybersecurity more than an advisor saying "we trust this provider so much that they secure us too."
Not every security provider is right for every business, but when you find one that has the future in mind and knows how to value what you bring to the table, both parties should work to maintain that partnership.
Biggest takeaways: