By Sean Newman, Security Evangelist For Sourcefire, Now Part Of Cisco
As business environments change, security infrastructure must change to enable business success. Whether you’re operating under increased risk from advanced targeted attacks, or transitioning to the cloud or mobile devices for the productivity, agility and efficiency these technologies provide, the end result is the same: You need to adapt your security infrastructure in lock-step. You can’t afford to leave gaps in protection for today’s sophisticated attackers exploit.
However, finding the resources to address the evolving cyber security landscape effectively can be challenging. Today’s attacks are stealthier than ever. To understand and protect against them, organisations need to mobilise all aspects of their defenses to focus on the threat, including services. It’s about gaining visibility and control across the extended network and the full attack continuum – before an attack happens, during the time it is in progress, and even after an attack may have been successful, with information stolen or systems damaged. This new threat-centric model is driving changes in cyber security technologies, products and services alike.
The first wave of managed security service providers (MSSPs) focused on getting products and tools up and running, maintenance, upgrades, and training. But today, effective cyber security services need to be based on an in-depth and continuously evolving knowledge of the threats themselves, not just the operations of the technology. Reflective of a new era in how we must address cyber security, some industry analysts are starting to call this next wave of security services MSSP 2.0.
Based on in-house security skills, budget, and competing business priorities you may choose to outsource more or less of your cyber security needs. Wherever you fall on the outsourcing spectrum, when evaluating managed security services, the following five questions can help ensure you get the support you need to stay focused on the threat:
1. What types of telemetry form the basis for your visibility and detection capabilities?
If the answer is simply flow or log data, that isn’t enough. Other data, such as protocol metadata (i.e., data extracted directly from packets traversing the network) is a rich source of insights into today’s more popular attack methods like ‘watering hole’ attacks and phishing campaigns that contain links to malicious sites. In these cases, the ability to incorporate HTTP metadata in a telemetry model provides the depth of information needed to help detect web-based threats. With more data, the more effective the MSSP will be in zeroing-in on anomalies and that’s a key capability to finding the needle in the haystack.
2. How are you performing analytics on that data?
With the inspection of more data, simple analytics models such as correlating logs against common rule-sets fall short, particularly if they do not function in real-time. Advanced, real-time, big data analytics techniques are essential to scrutinise the large amounts of data gathered, not just locally across the enterprise, but globally through community-based threat intelligence. This level of analysis isn’t based on rules that attackers can understand and hence evade, but is predictive and uses dynamic statistical modelling to identify anomalous behaviours from granular, customer network baselines and other indications of compromise (IoCs) to pinpoint likely malicious activities. Regardless of the number of telemetry sources used, applying robust analytics to data, rather than simple correlation, will result in high-fidelity detections.
3. Where do you keep that data and how do you protect it?
You’ll need to understand if the data is held onsite, at the MSSP’s data centre, or in the cloud. Depending on the type of data your organisation has, the compliance requirements you face, and the guarantees the MSSP provides, you’ll need to decide if the answer is adequate and, if not, can they offer an alternative approach. This is an individual choice, for each organisation, and must be based on the comfort level of all parties affected from the technical, legal, and business sides of the organisation.
4. What do you report on?
Data is great, but you must be able to understand and act on it. You need a level of assurance that the data is correlated to provide context, so that the information you’re getting is relevant to your environment and has been prioritised. In this way you can focus on the threats that matter most. Time is of the essence when dealing with advanced targeted attacks that have a specific mission. Understand if the MSSP is able to present you with only vetted, high-fidelity, information, versus an endless list of events that require further analysis and investigation to determine whether they are true or false alerts.
5. How can you help protect my organisation against unknown, zero-day attacks?
To detect and protect against zero-day threats you need to be able to go beyond traditional point-in-time approaches with capabilities that let you monitor and analyse on an ongoing basis, across your extended network. That’s where the value of diverse telemetry, coupled with predictive analytics and statistical modelling, really becomes apparent. This moves beyond mere event correlation, that the MSSPs have offered for years. In combination, these capabilities can pinpoint nearly imperceptible IoCs and anomalies to help identify these particularly stealthy and damaging attacks.
Given today’s business, regulatory, and cyber security challenges more and more organisations are looking for outside expert help, to protect their environments from cyber attacks. By asking these key questions, you can help ensure you’re MSSP is staying focused on the threats themselves in order to deliver the protection you need.