“May you live in interesting times.” In the realm of cybersecurity, interesting times can be both full of upheaval and change as well as optimistic opportunities for security service providers.
Interesting or not, these are certainly busy times for Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs). The cyber threat landscape is changing and expanding quite rapidly, making their services more critical than ever.
Enterprises in every industry are looking to these service providers for the resources, skills and expertise that they don’t have in-house or can’t find or afford to hire. For companies that offer the right kinds of security services and good value for the customer, opportunities abound.
From my perch as head of engineering for a security platform company, I pay close attention to the cyber threats we all face. Maybe it’s the curse part of interesting times, but the threat landscape is changing quite rapidly, putting extra pressure on those of us who protect all types of businesses against these threats.
The primary reason for the rapid change in the threat landscape comes down to the attack surface getting ever bigger, which makes it much easier for attackers to “browse” around for a soft target and much harder for protections to span all assets. The burgeoning attack surface largely has to do with the voracious appetite that organizations have for taking their workloads off traditional infrastructures and putting them in the cloud.
Cloud computing has played havoc on traditional perimeter defenses and made it a real challenge to protect data when it’s no longer in the on-premise datacenter. What’s more, the threat landscape is only going to continue to expand as organizations bring millions of devices online via the Internet of Things. Each “thing” grows the attack surface, and unfortunately, many such devices are poorly secured, making them very attractive targets for cyber attackers.
The threat landscape is changing, but so is the security tools market
The good news is that security tools vendors are always pushing the envelope to try to stay at least a step ahead of attackers with their ever-evolving tactics, techniques and procedures (TTPs). Lately the big trend has been toward “Machine Learning this…” and “AI that…” and it’s gotten to the point where ML/AI is table stakes for a good security tool that must learn from what it’s observing and adjust to match the attackers’ TTPs.
Perhaps an even better trend of late is that cooperation among security tool developers is beginning to occur across the industry. As the head of a software engineering team, I have my sights set on how we can leverage the broader community as well as how we can contribute back in some way. The bad guys band together, so it’s time for the good guys to play as a team too.
What to have in the security toolbox
The way to fight these cyber threats is with an effective security toolbox. Looking at the breadth of the security industry, the threat areas that must be covered, and the complexity of protecting enterprise environments, it’s clear to see that there’s no “silver bullet” and a variety of tools are needed.
Even more important than the tools themselves is the security model that companies use to protect their digital assets. The security industry has long preached that a “defense in-depth” or “layered security” model is what’s needed to protect an enterprise.
However, recent trends have shown that this model is outdated because it makes the assumption that companies must protect themselves from “the outside” and that internal people and systems can be trusted. The increase in breaches (and very publicized breaches at that) indicate that perhaps it’s better to implement a security methodology that assumes that no one and nothing should be trusted.
This philosophy is largely outlined in the Zero Trust security architecture, which puts a perimeter around very specific applications, data, users and resources.
The Zero Trust security model is gaining adoption for specific needs – for example, very sensitive financial applications – but most companies today are still quite dependent on the layered security approach. That said, here are the kinds of tool categories that security providers should be advocating to their customers:
- Validation of Authentication / Authorization – These tools require multiple forms of identification to gain access to assets and applications. Access should be restricted to the least amount of privilege possible.
- Activity Logging – Companies should log everything that people, applications and other assets do and where they go. This audit trail of events is important in assessing normal and abnormal behaviors and when doing a forensic analysis of what has taken place on the network.
- Network Micro-segmentation - The finer the isolation of workloads, the easier it is to properly secure them by establishing what is and is not allowed to talk to assets and applications based on the workload.
- Network Traffic Monitoring – Leverage NetFlow as a mechanism to truly monitor network traffic—what is communicating, how it is communicating, and when it is communicating. This information is crucial in being able to identify and understand normal behaviors in an environment versus something that is out of place.
- Automation and Orchestration – This is a large bag of tooling; however, the purpose is fairly straight-forward. Automation and orchestration ensure that solid DevSecOps practices are implemented as systems, software and configuration changes are being rolled into production.
- Protection, Detection and Response – Assets, applications and data are what we must care for; therefore, we must have tooling that ensures a strong protection, detection and response play exists. Tooling must exist to protect those assets for things that are known, stopping them in their tracks, and to detect problems that may exist (anomalies, odd behaviors, malicious objects, configuration problems, etc.) and then respond with automated (or orchestrated) methods to quickly remediate.
- Cyber Incident Response Plan and Tooling – Security practitioners need a solid incident response plan and incident response tooling that can be leveraged to quickly identify, remediate and eradicate problems before they become a news article that we all reference later.
MSPs/MSSPs can thrive in these interesting times
Security service providers can thrive in these times of vast change by delivering security value, plain and simple. Security is complex and it’s difficult to understand. The MSPs and MSSPs that will come out on top are the ones who understand – and truly care about – their customers’ security problems and fears, and who focus on building a solid solution to quell their customers’ risks.
This advice might sound simple, but so many security providers get this wrong and too many times the customer is left waiting to see what security value their money produced for them.