MSSP Owner Questions Value of SOC Monitoring Alone
Mosaic 451 founder Mike Baker knows he’s going to raise some eyebrows with his opinions about the state of the managed security services provider (MSSP) industry.
“I really sincerely believe the MSSP model is based on theft,” he said. “I think that people are buying magic.”
Ironically, Baker’s own firm provides advanced managed security services to clients who need to protect critical infrastructure.
Mosaic 451 customers include the Arizona Public Service Electric Company, that state’s largest electric utility and operator of three nuclear power plants, including the nation’s largest, the Palo Verde Nuclear Generating Station.
Other clients are financial operations, like the International Securities Exchange, which runs three electronic options exchanges.
Providing managed security services to high-stakes clientele has hardened Baker’s belief that to truly be effective, cybersecurity defenses must be customized and involve human on-site staff to manage the unique and constantly evolving threats facing each customer.
Monitoring the networks of numerous clients from a SOC is, Baker argues, largely worthless.
“This model where I’ve got hundreds of poor suckers in a fishbowl looking at blinking lights, they’re stealing from those customers,” Baker said. “The idea of a broad-market MSSP with 10,000 clients just flat does not work.”
“The easy thing to do in an MSSP is to monitor,” he said. “I do not want to monitor. I want to operate.”
When Cybersecurity is ‘War’
Too often, Baker asserts, those in charge of IT security recognize that engaging an MSSP is palliative.
He recounted a recent conversation with an IT manager at a major hospital chain about his rationale for hiring an MSSP: “If we get breached, at least we have somebody to blame,” Baker said.
Many of the clients who hire Mosaic 451 tend to be organizations where cybersecurity is a matter of life or death.
“We have been on networks that very fundamentally have been at war since 2003,” Baker said. “Where we grew up, cybersecurity mattered – and it still matters.”
In addition to organized criminals and rogue hackers, many of the adversaries against which Mosaic 451 defends are state actors.
Russia is very active, he said, as is China, which was accused in the successful breach of networks at the U.S. Office of Personnel Management.
An attack by Iran stole sensitive information on U.S. dams, like how strategically over-spilling a particular dam on the Columbia River could cause a domino effect and “the 20 downstream go down like matchsticks,” Baker said.
Each day, Mosaic 451’s nearly 100 employees – more than 90 of whom are engineers – battle against would-be attackers seeking to gain access to network components that control vital activities, and seemingly innocuous functions, like facility lighting, water and HVAC.
In each case, a cyber-attacker must perform reconnaissance, create a suitable weapon and deliver that weapon.
“This is really the anatomy of a hack,” Baker said.
Mosaic 451 assigns employees at clients’ premises, where they collect intelligence, perform constant threat recognition, spend a great deal of time at the endpoints and servers, and do what Baker describes as “baselining,” “trending,” and “visualizing.”
“Technology is a force-multiplier but you can’t substitute technology for humans and expect a good outcome,” he said. “We basically say that we will provide that critical mass of smart humans.”
Not All Networks Worth Protecting
Baker acknowledged that Mosaic 451’s services are probably not the best option for a mom-and-pop business or other organizations that are unlikely targets of sophisticated attacks.
Owners of networks should first decide whether they truly have something worth protecting.
“Security fetishists will tell you that everything needs to be secure,” Baker said. “I don’t believe that.”
For example, a small retail business with an outsourced PCI provider likely faces limited liability and might need only simple security measures, like encrypted tunnels. In such a scenario, rudimentary remote monitoring can be a cost-effective approach.
“I think that’s a great place to use another MSSP,” Baker conceded. “If I’m under 100 people, there’s a huge argument to go to the cloud and be done with it.”
For networks where security is absolutely imperative, however, the defense must be customized, taking into consideration each customer’s unique threat profile, culture and actual practices and procedures, he said.
Enterprises’ growing use of hybrid networks, with components partly on the cloud and partly on-premises, means an expanded “threat surface” and further complicates the job of cybersecurity professionals.
Mosaic 451 maintains three SOCs that operate 24/7, in Phoenix, Las Vegas and Portland, Ore. Another facility is under construction in Boston that will house a SOC and a separate NOC.
Those resources, combined with on-site security experts, offer the best chance at good outcomes and satisfied customers, Baker said.
“What we do is custom security operations with an outcome in mind,” he said. “We want relationships that last 10 to 15 years. If you’re going to have two or three full-time security staff, we can figure something out.”