
Cybersecurity and the Evolution of Managed Security Services

June 20, 2018

Featured article by Aaron Shaha, Director of Network Defense Operations (NDO) and Data Science, R9B

What can cybersecurity learn from economics? Some might recognize the current skills gap as a product of demand outstripping supply. This is great news for the computer science major hoping to capitalize on years behind the keyboard. Less so for the chief information security officer (CISO) whose budget may not allow for extravagances like hiring a fully-staffed team. Another economic lesson deals with the so-called law of diminishing returns.

Simply put, the impact of an investment increases up to a point, at which it will tend to level off or even decrease over time. For years, cybersecurity practitioners have had to contend with diminishing returns on investments in hardware and software. To complicate matters, some security investments can not only yield less of a return over time, they can complicate operations and even reduce security overall. In response, many companies have turned to managed security services (MSS) to ensure they are getting the most for their money.

Drowning in Data

Given the enormous breadth of cybersecurity products and services that exist today, it seems quaint to think back 30 years to the release of the first commercial antivirus software. Since then, wave after wave of solutions have hit the market. This includes firewalls, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), security information and event management (SIEM) platforms, secure email gateway (SEG) appliances, and of course ever more robust versions of antimalware and antivirus software, generally referred to as endpoint detection suites.

The swelling commercial markets have created two major problems for CISOs. First is a “keeping up with the Joneses” mentality. Buying what Jones has is as much an exercise in prudence as it is an attempt at due diligence. In the event of a breach, heaven help the one CISO in the industry who did not implement at least the same security measures as his or her neighbors and competitors. The second problem is far more insidious and speaks directly to the difficulties presented by diminishing returns. With so much technology comes ever-increasing complexity. In addition to each requiring its own strategic, policy, network, and compatibility considerations, firewalls, IDSs, IPSs, SIEMs, SEGs, and endpoint solutions all generate massive amounts of data: raw activity feeds, log files, alerts, and notifications.

The Scalable Solution: Managed Security Services

Security leaders depend on the efficient processing and accurate analysis of all that data for proper decision making. However, the reality is that budgetary and personnel constraints make it nearly impossible to consider all available information, leaving possible vulnerabilities unaddressed. Many CISOs have found the solution to these problems in the form of managed security services.

Research firm Gartner defines managed security service providers as those companies that offer “outsourced monitoring and management of security devices and systems. [They] use high-availability security operations centers…to provide 24/7 services designed to reduce the number of operational security personnel an enterprise needs to hire, train, and retain to maintain an acceptable security posture.” In short, an MSS provider does the heavy lifting when it comes to sorting possible threats from routine data, reducing the number of false positives so that security teams make more effective use of their time and energy.

The Next Evolution: Managed Detection and Response

The fact that outsourcing basic monitoring, processing, and analysis of security event data is such a valuable enterprise, both to organizations and MSS providers, is an indicator of the current state of cybersecurity. These essential steps generally only ever aim to alert security teams to the possibility of a threat. They typically do not address threats themselves, let alone how to respond to an attack in progress. For these critical functions, a new market is emerging in so-called managed detection and response (MDR).

MDR is still growing and maturing. To give a sense of the timeline, Gartner only began investigating the MDR space as an independent category in 2016. There are still no hard and fast rules about what a provider should or should not offer. Companies entering the space often have backgrounds in MSS, but new competitors are emerging. One thing is certain: in order to have a seat at the table, MDR providers must offer at least as much as an MSS provider, adding responsive measures as the next step in security. These response measures can include integrated threat intelligence, threat hunting, and limited on- or off-site forensic analysis. Given current trends, it is likely MDR will overtake the more limited MSS space, promising organizations greater value through managed response measures. A more cynical view is that MSS will erode as current providers simply rebrand as MDR specialists.

As budgetary constraints put more pressure on CISOs, as the global cyber skills gap continues to widen, as cyber threats increase in both number and severity of impact, and as the costs of a security lapse continue to rise, outsourcing expertise to MSS and MDR providers will prove to be the smartest option for achieving economies of scale. Those organizations that recognize their own limitations and seek outside expertise will find a more focused internal security enterprise. That increases the opportunity to invest existing resources in more profitable endeavors, such as improving preventive measures for cybersecurity. In closing, it was the famed economist Adam Smith who said, “the real price of everything…is the toil and trouble of acquiring it.” The price of cybersecurity will always be higher for those who seek to acquire it on their own.

Aaron Shaha, Director of Network Defense Operations (NDO) and Data Science, R9B

Aaron Shaha is responsible for network defense operations and data science capabilities for R9B’s customers, including Fortune 500 and government organizations. He has over 15 years of experience working in physical and network security within the U.S. Department of Defense.

Prior to joining R9B, Mr. Shaha served as technical director in the National Security Agency NSA/CSS Threat Operations Center (NTOC), where he led a team of advanced cyber analysts responsible for finding the most advanced cyber actors and malicious tools in network traffic. He has also worked on supporting real-time cyber military integration operations and architecting a near real-time Distributed Denial of Service (DDoS) system. Mr. Shaha has been awarded the National Intelligence Award – Exceptional Achievement Medal (EAM) for Computer Network Exploitation (CNE) expertise and problem solving in support of a major operation for the Counterterrorism Production Center. This highly coveted and very selective award recognized him for making “a single exceptional contribution to the Intelligence community and to the United States of America.” Mr. Shaha holds a master’s degree in security engineering from Southern Methodist University in Dallas, Texas.