Inside Track: The service option


9 March 2017


Anticipating confusion
“Third-party organisations processing log data as a managed service on behalf of clients will come into the GDPR firing line” Paul C Dwyer

Cyber Risk International Paul C Dwyer, CEO

Delivering certain security functions as a managed service makes a lot of sense. For mundane tasks like maintaining the security of printers, log management, or even a security operations centre activity, it is a no-brainer to outsource those, and the services around them are mature. But the more an organisation looks at its core business activities, the more it will need to go through a deeper assessment of what risks are involved before taking steps to bring in an external provider — if it chooses to do so.

Recently, it became clear to us at Cyber Risk International that there was a gap in the market around cyber risk assessment, and the related consultancy services. We found this was the kind of exercise where companies went shopping for genuine expertise in security. So, to cater for that need, we built our own model into a managed service. We developed software, called Cyber Prism, which allows organisations to calculate their own inherent risks. This has already been very successful in sectors like financial services which are under additional regulatory pressure to stay on top of security, on top of the very obvious operational reasons for doing so.

Our software calculates a metric that corresponds to the maturity a company requires in a particular area. Instead of measuring an individual organisation’s risk profile against a general standard, the software asks specific questions in order to build a profile of the business. Effectively it is a kind of risk audit and it’s not a technical exercise but instead is about governance, risk management, relationships – the holistic view of cybersecurity.

The only intelligence that really counts is actionable information, and the software delivers this information in a form that boards can understand and use to make calculated decisions.

As clients go through the questions and the profile, they get instant access to an expert, so in a sense we’re providing the traditional consulting model as a managed service, by giving clients access to a pool of experts.

I believe that the looming changes around EU GDPR mean that every organisation will need to rethink what they’re doing around managed security services. Given the scope of the changes, I would caution that what was OK last year might not apply when the new regulation comes into force in May 2018.

My interpretation of GDPR is that third-party organisations processing log data as a managed service on behalf of clients will come into the firing line. Between now and May 2018, I anticipate a lot of confusion. There could be a scenario where the operator of a managed security operations centre could be held legally responsible, and this could impact on cost models from the provider to the consumer of those managed services because GDPR mandates notification to the relevant data protection authority in the event of a breach — that has to have cost implications, from what I can see.

That said, everything is possible if organisations have the right governance model to begin with, and the right agreements with trusted service providers in place. The key now is for governance models to mature in line with an organisation’s use of managed services. It is no longer enough to sign the contract for the managed service and walk away; ultimately the buying organisation and the service provider must now share the responsibility.


Pace of change demands
“It should also be said the customer still needs to manage the managed service; it is pointless if no-one is taking action on the output. That means having to regularly reassess MSSP vendors” Rahim Jina

edgescan Rahim Jina, COO

Before getting to the maturity of managed security services, it is worth looking at the drivers pushing organisations towards using them. Firstly, skilled security staff are hard to find: Cisco reckons there is a shortfall of around a million info-security professionals across the globe. Recent data from Indeed.com also shows massive demand for security skills in Ireland. So, the sheer number of organisations without the necessary expertise is one factor creating demand for managed security services.

The second driver is technology change. Security assessments like vulnerability management and penetration testing used to be one-off annual events, back when large systems had one major release a year, and the code was developed with that single date in mind and then nothing changed for the following 12 months.

The huge push over recent years to using cloud, along with the rise of development methodologies like Agile, mean the single annual release has given way to frequent small releases — sometimes as often as daily. A once-yearly security assessment no longer fits the bill, because any change to the code can potentially introduce new vulnerabilities.

Fortunately, there are several managed security service providers [MSSPs] specifically addressing the vulnerability management and penetration testing space, and many sectors are adopting the model, which is helping to push it towards maturity.

For example, games developers were quick to embrace the agile and cloud trends, so managed security was an obvious fit for them. Financial services firms such as banking and insurance providers have also adopted MSSPs. For compliance or operational reasons, they have always needed strong security and many have in-house security teams themselves. These organisations often use external managed security providers in a very tactical way. Rather than using internal resources to sift through large volumes of events, they rely on the MSSP to identify bugs and vulnerabilities. This way, the organisation’s team can more productively work on fixing those weak points and focus on the real issues that impact on the business.

Reading through security tool output or alerts is hugely time consuming, so another huge advantage of an MSSP is that they have the expertise to look at this data and identify false positives. The benefit to the end business is time saving: they win more time back to carry out higher-value work because the MSSP has the expertise to filter out the signals from the noise – taking one headache away from the end customer.

Similarly, managed static application security testing (SAST) is a security code review that we perform for our clients. Like other services, SAST tools traditionally generate a lot of output and can often result in reports that run to hundreds of pages. As above, there are similar advantages for clients who can upload their source code to the MSSP, who then scans that code for security bugs and provides them with details on real issues only.

It should also be said the customer still needs to manage the managed service; it is pointless if no-one is taking action on the output. That means having to regularly reassess MSSP vendors, but there is a good choice in the market, and since managed services are remote by nature, buyers aren’t restricted to the Irish market for options. MSSP options like managed firewalls are especially suited to SMEs who don’t have the resources for in-house teams.

Full end-to-end managed security isn’t mature yet, in my opinion, but in the meantime, for specific tasks like full-stack application and network testing, or managed SAST, Irish organisations can have confidence in the available options.


A brick in the wall
“Security is much more than just AV and patches; the sophistication and functionality integrated into endpoint protection tools have provided multiple layers of protection to endpoints and users alike” Ryan O’Donnell

Asystec Ryan O’Donnell

I have heard it said that a well-managed device is a secure device, and where this bears an element of truth, it is only the beginning of the story. When I first came to the IT arena, the security of a desktop was reported on based on the age of anti-virus (AV) definitions and the number of critical OS patches it was missing. Usually if it was in single figures of missing patches it was deemed ‘grand’, and if the AV had checked in that month, that was grand as well. Security is much more than just AV and patches; the sophistication and functionality integrated into endpoint protection tools have provided multiple layers of protection to endpoints and users alike. This ability to provide numerous layers of protection is complex both from an enablement and an ongoing support perspective: the more rules that are in place, the harder it is to troubleshoot and the more focused an IT organisation must be on process and procedure.

What I have seen in the past is that organisations have no issue in embracing new technology; they are agile and willing to protect their organisation at every step, but where they have required assistance is around how this plays through into a process. The adoption of security managed services allows IT organisations to embrace the technology and the process adoption from providers who understand the limitations and procedural focus required. Having excelled in these layers, providers bring this knowledge and experience to you rather than you having to learn it. It takes away another element of risk and provides an additional level of security to the organisation. Traditional product still has its place; however, a managed offering is another brick in the wall.

The echoes of ‘We don’t need no education, we don’t need no thought control’ are ringing through my head – to embrace a managed security service this is relevant: from a customer perspective you don’t need to understand the technical intricacies; the thought control transfers to the service provider to proactively report on, as opposed to the additional complexities being just another tool to manage.

Asystec, as a security managed service provider, has gained experience in deploying and maintaining security products in our customer environments. We adopt the ‘Learn, Do, Review’ methodology and continually push to improve our service offerings to ensure our customers don’t have to. We understand how to integrate security products into your environment from a process perspective as well as the technical integration. I’ve heard it said often, ‘you don’t know what you don’t know’; we know the product, we know the process. I believe this is where Asystec and our Security Managed Service offerings show their real value, so let us be ‘just another brick in the wall’.


TechCentral.ie