Nov 14, 2022

Managed Cyber Security Services: Points to Ponder

GP CAPT. N R RAVI (RETD.)
AVP, CYBERSECURITY

While sipping my coffee one day, I was reflecting on my journey in the cybersecurity domain over the past 20+ years. A few thoughts flashed through my mind, based on my interactions with various stakeholders at various points in time and on the questions they raised about cybersecurity awareness, cybersecurity mindset, cybersecurity thought leadership, etc. These are somewhat vague terms, but they have contextual definitions when looked at from the perspective of a cybersecurity services organization. My attempt here is to explain some of them from the perspective of various roles and functions, such as the CISO (Chief Information Security Officer), the CIO (Chief Information Officer), the cybersecurity operations head, the delivery team, etc.

Cybersecurity awareness is about observing and acknowledging various changes in an IT environment to detect any symptoms of breach/potential breach. 

This is not as easy as it sounds, because whether an observation gets recorded (or not) is driven partly by logic but predominantly by the potential impact it may cause. For a normal consumer (end-user), a new process getting created is insignificant until the impact is seen as excess consumption of resources or a system slowdown. But for a security analyst, the same new process may ring an alarm until the impact is analyzed to be insignificant. Now, if we look at the same event from the perspective of a CISO, who is responsible for securing the infrastructure, this event is of great significance, while for a CIO, who is responsible for the availability of the infrastructure, it may not be a highly significant event until the impact is visible. For a cybersecurity operations head, every such event is of the highest significance until proven to be a false positive. So the awareness levels required, from end-users to cybersecurity custodians, vary drastically with roles and responsibilities. Thus, the actions needed to create awareness also vary in depth for each level of stakeholder.

Next on the list is the cybersecurity mindset. This is a critical aspect of any organization, whether a consumer of services or a service provider. Most of the customers (consuming services) would expect a provider to have this as a qualitative and quantitative parameter as part of the service framework. Hence, it is vital to have a definition of mindset. A cybersecurity mindset means having an investigating/probing mindset about every observation with an aim to analyze the potential impact and take pre-emptive/corrective actions within time to contain/mitigate such impacts. This is easier said than done because with billions of events occurring in the operational world, it is humanly impossible to analyze, correlate, and predict the impacts manually. But today, such tasks are made possible by tools like SIEM, EDR/XDRs, NDRs, etc. 

Even with these tools, it would require a focused security mind to exploit them to the hilt and provide analyzed intelligence on which to take the necessary actions. But the question is: is it sufficient if the security analyst is well-versed in the available tools and technologies? The firm answer to this is “NO.” Even the AI & ML built into these tools may not be equipped with default rules/threat models that provide an accurate security posture in time. What is missing is “environment context” (customer context), which is vital to convert a security observation into a potential alert/breach or a false positive event so that timely actions can be initiated to contain the impact. “Context”, in this case, is defined by the below:

  • What controls are there (like FW, WAF, IDS/IPS, DLP, EDR, etc.) at various levels like perimeter, access network, endpoints, etc.?
  • What type of applications are running, and what is their life cycle?
  • What is the network topology? 
  • What is the geographic distribution of assets, with crown jewels identified (both compute and applications)?
  • What is the user space (PIM/PAM, AD, etc.)?

With all the above parameters documented and updated, we can define “content management” to create/configure rules/use-cases/playbooks/SOPs etc. to identify/detect/contain/mitigate known threats using the tools/tech listed above. But with the knowledge of the customer environment, an analyst can take most of the preventive actions like blocking a USB on an endpoint, blocking an IP on FW, etc., without waiting for inputs from the relevant stakeholders (so as not to waste valuable time on bumping tickets to various agencies). Also, in my experience, most analysts lack strong operating system (Windows/Linux) know-how, making them under-confident in identifying and mitigating threats at the OS level. This is the security mindset that any service provider should discuss and ensure the team is scaled/updated and equipped at all times. For the delivery (operations) head, the security mindset lies in ensuring a capable team to monitor the violations and take proactive/reactive measures to contain/remediate to reduce the impacts.
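A sketch of how documented context can turn the same observation (a new process) into different dispositions. It is added here as an example and is not taken from the author or from any SIEM/EDR product; the hosts, users, control sets, process names and the score threshold are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class AssetContext:
    crown_jewel: bool              # identified crown jewel?
    zone: str                      # placement in the network topology
    controls: frozenset            # controls covering the asset (FW, EDR, DLP, ...)
    approved_processes: frozenset  # from the application inventory

# Constructed sample context; every name below is hypothetical.
CONTEXT = {
    "pay-db-01": AssetContext(True, "datacenter", frozenset({"FW", "EDR", "DLP"}),
                              frozenset({"postgres", "sshd"})),
    "kiosk-17": AssetContext(False, "endpoint", frozenset(),
                             frozenset({"chrome.exe"})),
}
PRIVILEGED_USERS = frozenset({"svc_backup", "adm_ops"})  # user space (PIM/PAM, AD)

def triage(event, context=CONTEXT, privileged=PRIVILEGED_USERS):
    """Return (disposition, reasons) for a 'new process' observation."""
    asset = context.get(event["host"])
    if asset is None:
        # No context at all: impact cannot be judged, so hand it upward.
        return "escalate", ["host missing from documented context"]
    if event["process"] in asset.approved_processes:
        return "likely_false_positive", ["process is in the application inventory"]
    score, reasons = 1, ["process not in the application inventory"]
    if asset.crown_jewel:
        score += 2
        reasons.append("asset is a crown jewel")
    if event["user"] in privileged:
        score += 1
        reasons.append("privileged account")
    if "EDR" not in asset.controls:
        score += 1
        reasons.append("no EDR coverage to contain it later")
    # A threshold of 3 is an assumed cut-off for acting without waiting on tickets.
    return ("contain_now" if score >= 3 else "investigate"), reasons

if __name__ == "__main__":
    for ev in ({"host": "pay-db-01", "process": "updater_x", "user": "svc_backup"},
               {"host": "kiosk-17", "process": "updater_x", "user": "guest"},
               {"host": "pay-db-01", "process": "postgres", "user": "postgres"},
               {"host": "lab-99", "process": "updater_x", "user": "guest"}):
        print(ev["host"], ev["process"], *triage(ev))
```

The fourth event shows the case the article warns about: with no documented context for the host, the only defensible disposition is to escalate.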

What about unknown threats? That’s a different discussion, in the “Threat Hunting: Beyond Use-cases/Rule” domain.

Next on the anvil is “thought leadership”. How do we define this? This is a standard tool used by customers/own stakeholders when a service ends as per contractual obligations or when the customer is expecting “deliverables” beyond the SOW framework. Every MSSP would come across this phrase: “There is no thought leadership anymore in the engagement.” In my words, thought leadership evolves from the mission and goals of an organization, and more so from its business goals. Because of the business goals set, the operations would require controls to ensure safety and security, which would entail a “Policy Framework” to ensure a highly available and highly secure operating environment. To achieve this, what is needed is “thought leadership.”

Further, for a CISO, it is about translating business objectives into a robust security policy framework so that operational controls are easily identifiable. For a CIO, it is about ensuring that the controls are implemented and customized so that services run in a secure environment. For a delivery head, thought leadership is about understanding customer business goals and continuously aligning his plan to ensure these goals are achieved within the SOW framework, which is a constraint in itself.

What is this constraint in building “thought leadership”? 

It is, again, customer context (or rather a lack of it). Most of the time, security outsourcing happens in patches, i.e., only part of the security monitoring environment is outsourced, due to lack of budget, or maybe because the organization does not want to give every control to one entity, or maybe because of other constraints. Such a scenario means an incomplete business context/environment for the MSSP on the ground. It means services would be strictly restricted to the set of deliverables defined in the SOW.

In such a context, it is very difficult to get the “thought leadership” going. How do we solve this problem? In my opinion, a consulting arm of the organization, consisting of SMEs (who have previously handled operations and have been security architects), would do the trick. This arm is critical to sustaining and building customer contexts for delivery teams while building trust and confidence in the customer himself. Furthermore, their valuable information can drive thought leadership around customer engagement more effectively.

To summarize, cybersecurity is everybody’s business in any organization, yet that is a very fragile phrase, since it divests the ownership to everyone. Cybersecurity awareness is achieved through continuous training and accountability to build a “security mindset” across the organization, be it in a common end-user or a security analyst, as appropriate to their roles and levels of experience. Further, “thought leadership” brings a clear roadmap to an engagement with the combined ownership of all stakeholders, including the customer himself.