Cybersecurity needs are driving significant managed security service provider (“MSSP”) growth. Managing cybersecurity in-house is an increasingly difficult task, especially for small and medium enterprises (“SME”). Threats are constantly changing and becoming more difficult to detect – driving up costs and increasing risk. Mobile, the cloud, SaaS providers, Covid-19, the WFH revolution, and the Internet of Things have all made it challenging to maintain full visibility into a corporate IT environment, let alone keep the network and your sensitive data secure.
Few organizations, especially SMEs, have the expertise to manage the necessary systems and software, and the shortage of trained cybersecurity professionals has many of them struggling to find the necessary people resources. As they look at all of this, and the need to pursue digital transformation initiatives, organizations everywhere are coming to realize they need help.
MSP/MSSPs can help your organization meet many of the resource and operational challenges created by cybersecurity threats, and you are wise to consider their services. They can help you address the challenges you are unable to meet directly in-house. They can bring experience, talent, staff, and infrastructure that you can’t match on an individual basis. They can guide you to the cloud, where so much can be gained. In fact, much of the growth of MSSPs can be attributed to their ability to meet this large and growing marketplace need. We should be thankful for their presence.
But we have another problem – one that I hope MSSPs can be enlisted to help fix. While MSSPs can deliver on the promise of making your organization more efficient and cost effective when tackling cybersecurity threats and attacks, is that enough? Is there no more to ask of them when they promote themselves to you as “the answer” to your security and compliance challenges?
What more is there to ask? And why is this important? Financial regulators and other Federal agencies are continuing to warn us about growing threats because we remain under increasing risk of attack from sophisticated malware, ransomware and advanced persistent threats (“APTs”) generated by individuals, groups, even nation states. Unfortunately, the recommendations and compliance guidance offer too little help to all of us looking to build more successful defenses to combat the worst of what is coming our way.
Amid all this, however, we turn to MSSPs (just like the security solution providers they purchase from and deploy with) only to find they are providing “industry standard processes” that deliver “industry standard outcomes.” But the continued successes of malware, ransomware and APTs against both supply-chains and individual organizations show us that “industry standards” are failing us.
We need to start asking for more — of ourselves and the security vendors we choose. Before transferring cybersecurity tasks to an MSSP, it’s important to remember that you cannot absolve yourself of responsibility for outcomes simply by contracting security services. Your customers and members won’t distinguish between your “direct security failure” and a failure by your selected MSSP. The same questions and challenges you face when trying to manage internally remain when outsourcing to an MSSP.
The challenges of finding adequate qualified staff, appropriate cybersecurity tools, and strategies to minimize or mitigate risk are not fully solved by picking a vendor or by checking the box, because there is more to be done. If you ever hope to close the gap on cybersecurity performance and bring to heel the kinds of APTs that leave you wondering “what comes next”, you need to start asking your team or your security service vendor(s) what they are doing to address these targeted attacks that just keep coming.
If you don’t ask the question, you’ll never find the answer. They may not (probably don’t) have an answer today but, if they aren’t pursuing more and better answers, or can’t articulate them to you, demand more. Because it’s not enough to “do things right.” We also need to do “the right things.”
Where might MSSPs look to help us find answers? Why not Application Security? In the market today, malware attacks target software applications (the folks at OnSystem Logic tell me “70% of successful penetrations start at the endpoint, and 100% of successful damaging attacks involve at least one stage of the attack that executes on an application at an endpoint”). These application attack methods have become the primary means used by bad actors to execute their plans, whether they are phishing, ransomware, supply chain, or others (SolarWinds, Kaseya, Exchange, Log4j).
Why do they attack here? Because software applications are the cornerstones of most of what we do today in information technology and computer systems. Applications are complex. They are built using lines of code written over many years; and these billions of lines of code are used again and again to develop applications that run in our complex environments. This creative approach has made building our information infrastructures easier and more efficient. However, it’s also created opportunities for multiple forms of attack by bad actors.
More troubling? Rather than address application flaws, holes, backdoors and other weaknesses in a holistic fashion, we are told “as consumers” to accept individual “fixes/patches” and to accept the notion that when it comes to malware and other attacks on applications, prevention isn’t possible, and detection is enough. There is no good reason why a Chief Information Security Officer (“CISO”) should accept that premise. Nor should you accept it when shopping for solutions or solution providers such as MSSPs.
Today’s endpoint security defenses (THE ONES YOU OR YOUR SECURITY VENDORS ARE USING NOW) are built around observation and potential enforcement of visible operations OUTSIDE of the applications themselves. This is true regardless of the technology being used by any of the industry standard endpoint security products. However, all attacks, including ransomware, data theft, data modification, and destruction of endpoint software and data, run inside known applications or benign-looking applications without being noticed by current endpoint security products — until it is too late. This is the major reason why, despite billions of dollars spent on endpoint security, these endpoints are not truly safer than before.
Relying entirely on signature-based detection (which is the industry standard today, and AI doesn’t markedly change this) will not solve this growing problem. Other solutions must be implemented. I’ve come to understand the importance of tackling application security to close the gap on this continuing threat, but I see no easy path to prompt the industry of security vendors to address it when their customers aren’t demanding better solutions, better and different approaches. We, as individual organizations, can’t make change happen. We are going to need help. And I hope MSP/MSSPs can be persuaded to bring some of that help. If you agree, ask them for more.