In the past 2 years, a Covid-19-led digitalisation has made more organisations vulnerable to cyber-attacks than ever before. In addition, with more connections (remote working, etc.) there are more endpoints at risk, creating significant complexity in how organisations manage their security operations.
These changes call for a new approach to managing security operation centres (SOC). Gartner [1] projects that 50 percent of all SOCs in 2022 will integrate new incident response, threat intelligence and proactive threat hunting capabilities, up from less than 10 percent in 2015.
Unsurprisingly, many CISOs are seeking partnerships to supplement their in-house security capabilities or outsource them altogether, driving managed security service providers (MSSP) to evolve to more advanced AI-led security solutions such as Managed Detection and Response (MDR).
For a long time, MSSPs have focused their attention on traditional data log monitoring and security alerts with limited transparency. But these options often lack context as to what potential threats to escalate and what should not. Increasingly, as threat vectors spike and data volumes grow exponentially, there is an urgent need for MSSPs to stay relevant and upgrade the solutions offered.
According to Mr Ng Chin Kar, Director, Sales Engineering for cyber security at Singtel, enterprises are focused on seeking threat visibility in non-traditional sectors such as the Internet of Things (IoT) and 5G applications. “Until recently, many of the newer technologies adopted by enterprises were kept in silos from the IT security team,” notes Ng. “Each silo represented a separate workstream and had its own security policy for threat detection.”
As new technologies such as IoT gain traction and adoption across the industry, there is a pressing need to integrate these workstreams and create a unified threat detection posture across different environments. “So, enterprises are no longer just seeking to aggregate threat visibility and passively identify potential or qualified threats. Instead, they want to know how vendors or MSSPs can respond and remediate these threats instantly,” notes Ng.
He adds that this is a paradigm shift in enterprise security. Enterprises are moving from multiple vendors providing a stack of different solutions to an integrated and comprehensive, single, managed service provider that can detect and respond seamlessly.
Among the key security challenges facing enterprises, Ng identified six emerging trends:
a) The skill set gap
With the wide adoption of hybrid clouds in the enterprise, plugging the cybersecurity skills gap is a critical priority. Any cloud environment, SaaS or otherwise, extends the total attack surface, and misconfiguration of cloud resources remains a leading cause of data leakage. Once an attacker compromises an endpoint, they are no longer content with access to the network; they pivot from the endpoint into the cloud to reach corporate data, which is often the lower-hanging fruit.
“Enterprises will need to acquire more skill sets into core production environments to understand cloud service providers better,” notes Ng. “If they are using an MSSP, they need to ensure it has the fundamental skill set to help them respond to an attack.”
b) API integration
As the enterprise market becomes more data-driven, APIs are emerging as a key component for digitalisation efforts across the organisation. Unfortunately, they also represent a critical cybersecurity risk, with API-based attacks rising in tandem with the continued adoption of cloud technologies.
According to one survey [2], integrating API solutions with current systems and workflows and gaining visibility into overall API usage are the main barriers to improving API security. 64% of respondents indicated their existing solutions simply do not provide the API protection that they need.
c) Domain knowledge
Traditional IT security concepts such as segmentation and defence in depth perform well in a wide variety of domains. But enterprises are realising that the one-size-fits-all approach is not always effective, and security leaders must apply learned concepts to domain-specific problems.
“Many enterprises are looking for service providers who can integrate domain expertise with cybersecurity solutions,” remarked Ng. “They feel that vendors who understand the specific business domain will be better positioned to develop incident response playbooks compliant with regulations and internal policies.” He cites industrial control systems (ICS) as one example that is not ideally suited to traditional IT security techniques and would benefit from cybersecurity staff with expertise in the domain they are trying to protect.
d) Compliance
When it comes to cybersecurity and compliance, there is no room for error. In many industries, enterprises must comply with a regulatory framework to obtain a license to operate their business. “Understanding how compliance will translate into the actual deployment of a security service or technology is therefore critical to the success of the business,” notes Ng.
He adds that as compliance standards get more demanding, enterprises are looking at service providers to monitor, manage and mitigate risk. “Compliance standards may never keep up with the rapidly changing cybersecurity landscape. But a service provider who can deliver a real-time, cyber risk management will certainly help enterprises better monitor, manage, and audit compliance initiatives.”
One of the most significant changes in the role of MSSPs and the threat prevention landscape has been the rise of MDR solutions.
MDR is an attractive option for enterprises that want to optimise threat detection and response times. According to Gartner [3], more than 25 percent of organisations will be using MDR services by 2024, and 40 percent of midsize enterprises will use MDR as their only managed security service. Client demand for more proactive response and remediation is a major driving factor.
But is MDR much different from conventional MSSP offerings?
Traditionally, MSSPs have offered enterprises managed detection and response capabilities with a focus on threat intelligence, compliance, and log and device management. Over the years, as threats grew in sophistication, MSSPs evolved to include automation, orchestration, and security information and event management systems (SIEMs) to aggregate logs and compliance reporting.
Beyond securing devices for the enterprise, they managed and ingested data from the growth in network endpoints. In response, new services such as threat investigation, as well as forensics and incident response were developed.
But as organisations extend their network edge through digitalisation efforts and remote working, the attack surface is growing, and visibility is becoming increasingly important. As a result, enterprises need more help with advanced security functionality and are turning to MDR as a proactive solution for detecting and managing security events. MDR is a dynamic option for endpoint security, incorporating a balanced approach between human expertise and analysis using AI and machine learning (ML) to accelerate detection and response.
According to Martha Vazquez [4], Senior Research Analyst, Infrastructure Services, IDC, a new managed security service model is emerging within this evolution. “In MSS 3.0, MDR really starts to shine in this next generation of security operations,” she observed. Vazquez adds that in the National Institute of Standards and Technology (NIST) framework of “identify, protect, detect, respond, and recover”, MSSPs will encompass MDR. She notes, “MDR is a subset of MSS (not a competitor) which combines the tools, technologies, procedures, and methodologies used to provide full cybersecurity lifecycle capabilities for an organisation.”
Vazquez believes service providers will deploy MDR services utilising a mix of clients’ existing capabilities, cybersecurity partners’ supplied tools or services, and private intellectual property. She expects that in this next-generation MSSP, “the service provider’s well-trained cybersecurity staff will deliver MDR in a 24x7x365 remote SOC.”
If MDR is a subset of MSSP 3.0, what should enterprises look for in a service provider?
In selecting an MSSP that also provides MDR services, it is critical to set appropriate expectations of the desired outcomes. Match the MSSP’s capabilities and how they are structured against your in-house security team’s resources to align objectives.
“At Singtel, for example, we offer enterprises the biggest lens to cyber threats among all telcos and cyber vendors in the region,” said Ng. “As an MSSP, we can see more for our customers with the widest coverage across the Internet and MPLS/leased line connectivity in Asia.”
This lens, he believes, enables Singtel Cybersecurity to provide a unified threat posture for enterprises that is unlike any other provider. Long before malicious traffic arrives at the doorway of the corporate WAN, Singtel MSSP helps customers proactively through its MDR service.
Because threat data available today no longer resides in siloed applications, companies must consider defending the data itself. When data is available via multiple paths, erecting more barriers around application silos won’t protect it.
Unlike pure-play MDR vendors, Singtel MSSP leverages its telco infrastructure and capabilities to access these ‘multiple paths’ and collate the largest threat dataset across the entire connectivity spectrum – corporate WAN, SD-WAN, cloud – whilst simultaneously detecting vulnerabilities, updating the baseline for normal activity and responding proactively to impending threats.
Singtel MSSP’s larger threat lens enables the MDR machine learning system to spot a wider variety of threats — even variants — and decide how best to mitigate them before they infect endpoints and networks. The more data a security vendor has, the better the threat intelligence it uses in defending against cyberattacks.
Ultimately, the idea is to ease the complexity enterprises face in protecting their assets by creating end-to-end visibility that allows cybersecurity teams to detect security events and incidents sooner.
Here are some other things to keep in mind when selecting an MSSP/MDR service:
Endorsements by leading analysts
“An independent evaluation and endorsement from a recognised IT analyst firm should be your first baseline,” said Ng. He notes third-party expert reviews from Frost & Sullivan, Gartner, IDC, Forrester and others offer detailed analyses of the strengths and weaknesses of MSSPs.
Know how the service’s threat intelligence capabilities stack up. Does a proposed partner have a dedicated team of threat hunters? What are their threat intelligence sources? How long has the group been active within the MSSP, and how experienced are its professionals? “If you are selecting an MSSP, answers to these questions from an independent endorsement should be your baseline when making the final decision.”
Is it a good fit?
No matter how impressive the credentials and capabilities of the MSSP are, enterprises must objectively assess if they are a good fit for their specific environment.
Start by asking the right questions: How do we currently detect threats? How well-developed is your security roadmap, or do you need help getting the roadmap in place? “It’s a question of relevance,” adds Ng. “You want to partner with an MSSP that can easily integrate with your internal team’s skills and resources.”
Expert personnel
Across every sector of the economy, there is a severe shortage of trained cyber security personnel. Access to a pool of skilled cyber security staff is therefore vital in selecting an MSSP; knowledge of personnel backgrounds, years of experience, skill sets, industry certifications and domain expertise are critical factors in any selection process.
Operational processes
Understand the strategy and processes behind a potential MSSP candidate. When, where and how is the baton passed between teams? Where does one set of roles and responsibilities begin and the other end? Often, clarity is lacking when it comes to strategy playbooks and protocols for response and remediation. Knowing who will act and when and who receives access when an incident takes place requires significant coordination. Getting a feel for a partner’s methodology in advance will help you better understand how prepared you’ll be when a threat arises.
Ultimately, MSSPs are continuously evolving to deliver MDR services as part of their overall security solution suite. Far from becoming obsolete, the unique structure and resources available to customers from partnering with an MSSP ensure a new level of security unmatched by independent MDR vendors. The combination of telco coverage, R&D in technology and personnel, and domain expertise make MSSPs the ideal security partners.
Sources
[1] Gartner, “Gartner Identifies the Top Seven Security and Risk Management Trends for 2019”.
[2] Imvision, “Enterprise API Security Survey 2021”.
[3] Gartner, “2021 Gartner® Market Guide for Managed Detection and Response Services”.
[4] IDC Market Trends, “Understand the Difference Between Managed Security Services, Managed Detection and Response and SOC-as-a-Service”, February 17, 2021.