
April 11, 2017

Modern-day Multidimensional Threats and the Increased Role of MSSPs

By WeathersfieldTM

With the growing complexity of cybersecurity threats, the shortage of cybersecurity talent, and the adoption of hybrid cloud networks where data can reside anywhere and be accessed from anywhere, many businesses are increasingly outsourcing the key functions of security threat monitoring, management and incident response to external experts whose sole job is to constantly design, strategize and stay a step ahead of the hacker.

This trend is giving rise to the increased role of Managed Security Service Providers 2.0 (MSSPs 2.0). Recent surveys demonstrate that MSSPs identified “heightened security risk” as customers’ number one IT or service problem. 

Even MSSPs with some of the industry’s best tools in place are challenged to identify cyber threats more quickly and to stop them from inflicting damage once the organization is breached. The challenge is that existing cybersecurity solutions require human intervention – smart humans who are specifically trained to use an array of complicated tools to identify a threat by correlating thousands of events, and then to figure out how to stop it.

Specifically, the MSSP security analyst works with firewalls, intrusion detection, data loss prevention, next-gen endpoint solutions, identity management solutions and security information and event management (SIEM) systems, and must respond as quickly as possible to stop any potential data breach. The problem, as the 2016 Verizon Data Breach Report notes, is that 95 percent of attacks exfiltrate and/or corrupt data within a few hours of a breach. That is not enough time for even the smartest humans to detect the attack through analysis and correlation of events and respond quickly enough to stop the damage.

MSSPs can protect corporate digital assets regardless of the volume or size of the organizations they are charged with protecting, but they need tools that make this affordable and feasible. MSSPs increasingly have to rely on automating their cybersecurity processes, including incident detection and response. Automation is one of the toughest tasks, especially given the large number of key tools to be integrated. Even the best cybersecurity analysts cannot correlate the volume of threat activity that spans multiple sets of tools or solutions.

MSSPs need a comprehensive threat detection tool that not only brings all of these sources together but also provides a strong correlation engine that can correlate, de-duplicate and prioritize millions of different threat events in real time, as they happen. The tool needs visibility into not just the north-south traffic entering or leaving the premises, data centers and private/public clouds, but also the east-west traffic moving within the premises, data center or cloud.

Several tools sample traffic and then apply dynamic behavioral algorithms powered by artificial intelligence and machine learning; however, sampling traffic via port mirroring or SPAN (Switched Port Analyzer) is not enough. SPAN-based solutions are not scalable and provide visibility only into the corner of the organization where the mirrored traffic is being monitored. Since one cannot afford to mirror all the traffic in the organization, SPAN typically yields localized visibility. One also has to identify the critical locations where SPAN port monitoring should be placed, which is not always easy.

Another set of tools uses network flows, in the form of NetFlow, sFlow, J-Flow or IPFIX, to gain visibility across all of the traffic within the organization’s domain. A flow-based solution that combines flows with other artifacts, such as host or server logs and events, provides a comprehensive view of the organization and can be deployed in any corner of it. It is much more cost-effective and scalable, and adds only 1 percent load to network traffic.

With machine learning, many tools can now detect abnormalities and anomalies in behavior quickly, but surfacing these abnormalities without context is likely to increase the workload of security analysts. Machine learning has to be complemented by a strong correlation engine powered by artificial intelligence so that only the relevant threat events bubble up, based on whether they pose real, immediate danger to the organization. The correlation algorithm used by these tools is one of the most important components, as it not only needs to reduce false positives but must also avoid false negatives (missed real attacks) at any cost.
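The flow-based visibility and correlation described above (classifying flows as east-west or north-south, de-duplicating repeated records, and letting only context-backed events bubble up), as an added illustrative example that is not the article's or any vendor's code. The record layout, the scoring thresholds and the sample flows and host events are assumptions constructed for this demo.

```python
"""Added example (not the article's or any vendor's code): toy correlation over flow + host events."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8")]  # constructed scope: flows that stay inside it are east-west

def is_internal(ip):
    return any(ip_address(ip) in n for n in INTERNAL)

def dedupe_flows(flows):
    """Collapse repeated (src, dst, dport) records into one with a hit count and byte total."""
    agg = {}
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        a = agg.setdefault(key, {"src": f["src"], "dst": f["dst"], "dport": f["dport"], "bytes": 0, "hits": 0})
        a["bytes"] += f["bytes"]
        a["hits"] += 1
    return list(agg.values())

def correlate(flows, host_events, fanout=5, egress_bytes=50_000_000, min_score=50):
    """Score each internal source host on east-west fan-out, bulk egress and host-log context."""
    by_src = defaultdict(list)
    for f in dedupe_flows(flows):
        by_src[f["src"]].append(f)
    # host-log context: failed logins per host (constructed event type)
    auth_fail = Counter(e["host"] for e in host_events if e["type"] == "auth_failure")
    alerts = []
    for src, fl in by_src.items():
        if not is_internal(src):
            continue
        ew_targets = {f["dst"] for f in fl if is_internal(f["dst"])}
        ns_bytes = sum(f["bytes"] for f in fl if not is_internal(f["dst"]))
        score, reasons = 0, []
        if len(ew_targets) >= fanout:    # lateral fan-out inside the network
            score, reasons = score + 40, reasons + ["east-west fan-out"]
        if ns_bytes >= egress_bytes:     # large north-south transfer
            score, reasons = score + 40, reasons + ["bulk egress"]
        if auth_fail[src] >= 3:          # corroborating host events raise priority
            score, reasons = score + 20, reasons + ["auth failures"]
        if score >= min_score:           # only contextualised, prioritised events bubble up
            alerts.append({"host": src, "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])

# Constructed sample: 10.0.0.5 sweeps six peers on 445, sends 60 MB out and has four failed
# logins; 10.0.0.9 only makes an ordinary outbound HTTPS connection.
SAMPLE_FLOWS = [{"src": "10.0.0.5", "dst": f"10.0.0.{i}", "dport": 445, "bytes": 2_000} for i in range(10, 16)]
SAMPLE_FLOWS += [SAMPLE_FLOWS[0]] * 3  # the same 5-tuple exported repeatedly by the collector
SAMPLE_FLOWS += [{"src": "10.0.0.5", "dst": "203.0.113.7", "dport": 443, "bytes": 60_000_000},
                 {"src": "10.0.0.9", "dst": "198.51.100.2", "dport": 443, "bytes": 120_000}]
SAMPLE_EVENTS = [{"host": "10.0.0.5", "type": "auth_failure"}] * 4 + [{"host": "10.0.0.9", "type": "login"}]
```

Calling `correlate(SAMPLE_FLOWS, SAMPLE_EVENTS)` returns a single prioritised alert for 10.0.0.5 and nothing for the benign host, even though both produced flow records.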

Many SIEM tools err on the side of not missing real attacks, but much of the time they end up producing more false positives, requiring security analysts to constantly rewrite policy rules to tune them. Some flexibility in policy editing is expected, but requiring analysts to rewrite rules is overkill and a point where most organizations lose out: they either don’t invest enough time and resources to update the rules, or they end up ignoring the threat information and potentially missing real alerts.

Finally, threat remediation is as important as threat detection. A recent Ponemon Institute report found that even in organizations with dedicated security personnel, it took on average two months or more to completely eradicate known threats and prevent them from recurring. That response time is unacceptable in today’s world, where hackers can steal data within minutes of breaching the organization. MSSPs need a tool to quickly identify the right set of policies and the right network firewalls or gateway routers on which to apply them. An automated approach ensures that threats are remediated in near real time.

With cybersecurity tools providing the required automation and integration with firewalls and other network infrastructure, MSSPs can detect, respond to, eliminate and remediate cyber threats in near real time. By addressing compromises in real time, organizations can stave off significant damage and recoup the cost of their investment in MSSP services that use security automation tools within months of implementation, while at the same time better understanding the attack vectors and preparing future defenses.

About the Author

Lalit Shinde, Vice President, Strategic Partnerships & Business Development, Seceon Inc. Lalit currently leads strategic sales partnerships and business development for Seceon. He is an industry leader with over 24 years of expertise in strategy, product lifecycle management and business development.
