Managed security service providers (MSSPs) are likely to be in the spotlight over the next few years as the scale and sophistication of cyberattacks increase at alarming rates. In its latest report, the SA Banking Risk Information Centre found that cybercrime costs the South African economy R2.2-billion a year. Data points to notable increases in phishing, impersonation fraud, mobile malware and ransomware attacks.
But the MSSP model – and CISOs’ expectations of what value an MSSP should deliver – will have to evolve. Staying stuck in a reactive state with poor visibility and a lack of appropriate response capabilities means many organisations are simply waiting for the inevitable system breach to inform how and where they should bolster defences.
MSSPs: Old and New
Traditionally, MSSPs were used by organisations as an outsourced partner for certain IT security functions. Within this model, MSSPs would provide some level of security monitoring, vulnerability risk assessment, threat intelligence and general support with compliance requirements, such as Europe’s GDPR and South Africa’s POPI Act.
The value proposition was clear: by outsourcing some functions, the organisation could better manage and contain costs without having to attract and retain certain key skills. But too often it left organisations reactive. Change would only occur after the fact, once systems have been breached or compromised.
"Staying stuck in a reactive state with poor visibility and a lack of appropriate response capabilities means many organisations are simply waiting for the inevitable system breach"
Today, an evolving threat landscape and heightened risk of being targeted by cybercriminals makes passive security management obsolete. CISOs want full visibility over the entire security landscape in real time, and demand the ability to respond quickly and effectively to any emerging threats.
This is partly because security has become a boardroom-level issue. Most companies will experience a form of cyberattack at some point, and it’s not uncommon for CISOs – especially those in high-risk industries such as banking – to report to board members following a breach.
Maintaining stakeholder trust in the wake of a breach requires disclosure over the extent of the breach, which systems were affected and what measures are being taken to restore full business productivity. A traditional, reactive MSSP model is simply inadequate.
The MSSP/MDR Model
A new MSSP model - augmented with Managed Detection and Response (MDR) capabilities - is emerging as a viable alternative to the older delivery model. MDR is a fairly new discipline within cybersecurity. It focuses on actively searching for threats and providing appropriate response measures to eliminate the threat, including steps to avoiding similar issues in future.
Let’s say the MDR team detects malware on some production systems, for example. The MSSP will launch an investigation, and then work with MDR to determine the best corrective measures for repairing the issue quickly, and suggest additional measures to avoid similar incidents in future. When MDR detects something that is more operational in nature, the MSSP can remediate the issue and resolve any associated risks without client involvement, freeing up valuable time.
When organisations use the same provider for both MDR and MSSP requirements, there are additional gains in efficiency and cost-savings. There is also less risk of 'alert fatigue', which is a common problem with many of the SIEM technologies. By combining MDR and MSSP, the provider can alleviate pressure on the client’s side by combining tech (MSSP) and alerts (MDR) with corrective action.
This approach also gives organisations the opportunity to add more stringent requirements to service-level agreements. For MSSPs, most service-level agreements relate less to security and more just to maintaining system uptime. There’s little ownership on the part of the MSSP to fix problems.
While it’s attractive to expect MSSPs to just automatically cover every aspect of the security landscape, there’s only so much an MSSP can do until an event occurs that creates visibility of certain gaps in the security controls. MDR assists by raising the visibility of every security event and helping to uncover gaps in the security controls that are unique to the client environment and which, under normal circumstances, would remain undiscovered by the client and service provider.
Adopting an evolved MSSP offering that combines forces with MDR capabilities gives organisations greater visibility over their systems and enables them to quickly address and repair vulnerabilities while continuously delivering greater value over time.
Organisations should ask whether their MSSP still delivers value and innovation while making their lives easier. If not, it’s time for a change.