Virginia's Arlington County government first signed up with a managed security service provider to offload some of the cost and resource burdens associated with maintaining a constant state of cyber readiness.
That was more than a decade ago. Over the years, its relationship with MSSPs has since morphed from vulnerability risk assessments to critical security information and event management (SIEM) functions across government departments and offices throughout Arlington, the second largest city in the Washington, D.C., metropolitan area. MSSPs provide the county with real-time cyber health assessments and immediate breach notification, which is vital to the government's ability to deal with the current threat environment and attack surface.
"A firm that offers 24/7 year-round threat monitoring, detection and response can provide [Arlington County] a level of resources it couldn't otherwise create or afford independently," said David Jordan, the chief information security and privacy officer at Arlington County, who has held the position for 16 years.
Many organizations struggling with tight budgets and a shortage of cybersecurity skills are expanding their use of MSSPs in strategic ways to deal with an array of new threats. "The option to choose whether to spend is now down to how best to spend," Jordan said. "Funds have to be allocated and spent well. [There's] no room for resets of strategy or tactical realignment."
Expertise as a service
While organizations of all sizes have tapped MSSPs to varying degrees, the demand for such services is expected to pop over the next few years. Research firm MarketsandMarkets expects the overall market size for security services to double from just over $17 billion in 2016 to about $34 billion in 2021.
Much of the growth is being driven by the need for increased security measures at small to medium-sized businesses to address evolving threats, according to researchers. Also pushing demand are factors like convenience, quality assurance, better responsiveness, quick fault resolution and the potential to lower cost, according to Technavio, which pegs global market growth at 12% annually until 2020.
"The primary reasons for selecting an MSSP are greater competency, specialized skills, improving the quality of protection and reduced complexity," said Forrester Research principal analyst Jeff Pollard. In addition to SMBs, it's time for enterprises to think of MSSPs as 'expertise as a service' rather than just generic security providers for filling gaps in people, process and technology.
Jeff Pollardprincipal analyst, Forrester Research
Standard managed security services like network infrastructure and antivirus are still growing and provide value, according to Pollard. But increasingly, CIOs and CISOs running mature security programs are interested in services like security analytics, incident response as a service and managed threat hunting.
Organizations should use MSSPs strategically to fill gaps in their security capabilities, according to Pollard. Those requirements could be related to technology, like needing security engineers to handle the configuration and administration of security tools, or they could be related to operational issues such as contracting security analysts to investigate and respond to security events. "The best advice here is to pick your internal team's specialty and then select services that fill any gaps," he said.
For example, if your internal team is great at device management and change controls, then it makes sense to select an MSSP that will focus on detection, investigation and response. "The key is putting together a set of internal and external experts so that resources are allocated appropriately to secure your business," Pollard said.
Himansu Karunadasa, the chief technology officer at Media Defined, a learning management system provider whose service is used by over 12,000 organizations in 100 countries, has adopted the two-pronged approach. The Dallas company's internal team ensures secure coding practices are followed throughout the entire development lifecycle and performs internal vulnerability tests before any code hits the web.
Other critical security functions have been outsourced to MSSPs: Initially, Media Defined hired one service provider to handle its firewall, intrusion prevention and detection and log monitoring requirements. Later, the company decided to bring on another provider, ControlScan—a Dallas MSSP that provides IT security, PCI and HIPAA services—to help it meet the specialized compliance requirements of the Payment Card Industry Data Security Standard (PCI DSS).
"Our core competency is developing learning-related technology," Karunadasa said. Media Defined builds a lot of its software internally and has implemented multiple controls to ensure security is a part of the conversation before a learning system's software architecture document is finalized. Matters like PCI compliance are out of Media Defined's realm of competence, however. "ControlScan helped us get a roadmap of compliance requirements," Karunadasa said.
The MSSP aided the development team with vulnerability scans, penetration tests and web application firewall services that were required for meeting PCI DSS compliance. Like many MSSPs, ControlScan has increasingly partnered with technology suppliers, such as Tripwire and Cisco, to support its growing range of managed security services. With PCI standards constantly evolving, the managed service provider has played a critical role in handling Media Defined's compliance requirements, Karunadasa said: "To me, that is the biggest advantage."
A hybrid security model has worked for Arlington County as well. The local government's security operations center is managed by in-house engineers, who inherently know the network and are better positioned to respond to SIEM alerts from the MSSP. "We preferred the hybrid approach because we had the seasoned staff available to perform this aspect of the security practice," Jordan said. "It's a positive and successful approach, and the results are repeatable."
Changing threat landscape
Strategic outsourcing of security functions is poised to become more critical as chief security and privacy officers come under tremendous pressure to secure their networks, sensitive data and endpoints against a range of increasingly sophisticated threats including ransomware, advanced persistent threats and highly targeted attacks.
These factors contributed to 974 publicly disclosed breaches in the first half of 2016 and resulted in the loss of 554 million data records, according to global statistics from Gemalto. The Herjavec Group estimated that losses from ransomware alone could have topped $1 billion or more in 2016.
The attacks show adversaries are able to innovate with ease around whatever security control organizations put in their way, maintained Justin Turner, security researcher and director of the counter threat unit at managed security service provider SecureWorks. (Dell is still the majority stakeholder in the Atlanta-based company, which went public in 2016.)
It's a partnership
For a little more than two years, Talking Rain Beverage Company has outsourced the management of key security services -- such as network intrusion prevention, vulnerability assessment and penetration testing -- to a managed security service provider. The Seattle-area beverage company reached a mass market in recent years with the popularity of its Sparkling Ice and other carbonated drinks.
The security tools, expertise and round-the-clock monitoring that managed security service provider SecureWorks delivers has been critical to ensuring robust cybersecurity, according to Gina Harris, director of information technology at Talking Rain.
Even so, it's a mistake to assume an MSSP is a silver bullet, she said. "Don't believe you can totally outsource responsibility for security; it's a partnership, and you are ultimately accountable for your company's security."
Large and small organizations need to do plenty of homework before signing up for managed security services. "Evaluate service offerings based on your company's needs, check references and do all that you can to be fully informed on the total cost of ownership for an in-house versus contracted service offering," Harris said.
While companies usually can rely on MSSPs in their specific areas of expertise, make sure roles and responsibilities are clearly defined. "Be pragmatic," Harris said. Make it a point to meet with the service provider at least semiannually to ensure up-to-date security and privacy controls, compliance with contract terms and to learn about new service offerings. --J.V.
Not so long ago, most attacks targeted the network because perimeter controls were weak and the demand for managed security services centered on network protection. When network defenses improved, criminals started going after endpoint systems. "We have evolved significantly over the past four or five years, both as an industry and from our client perspective, from a focus on network-based detection … to a focus on observing, tracking and eradicating malicious traffic from the endpoint," Turner said.
Managed service providers can augment an organization's cybersecurity capabilities, but not everyone touting advanced threat protection and incident response services is qualified to offer that functionality. Security service providers that have failed to get much traction with earlier offerings often rebrand and pivot to any area where there's a perceived need for specialized skills and expertise.
"CISOs need to avoid being fooled by an updated website and new PowerPoint slides," Pollard said. It pays to research what a vendor was doing a few years ago to get an idea of where they are headed. "If a potential provider's website four years ago said 'Advanced Managed Security Services' and two years ago said 'Advanced [Security Operations Center]' and now says 'Advanced Threat' or 'Managed Detection & Response,' they likely haven't been very good at any one of those things," Pollard warned.
Organizations should also never assume a managed service provider can take care of all incident response needs. "There are always going to be incidents so severe that they require boots on the ground to investigate, contain and remediate. Clients have to avoid complacency in thinking that a remote approach solves everything," Pollard said.
As endpoint defenses have become better, attackers have also started resorting to attacks involving the use of legitimate tools and business processes. This poses fresh challenges for organizations and is creating demand for yet another type of service.
Vertically aligned services
Many MSSPs are now organizing their security operations teams by customer vertical, rather than overall function, according to Pollard. Instead of having a general security staff of analysts, engineers and researchers, MSSPs have begun to reconfigure their security teams based on industry expertise in areas such as financial services, manufacturing and energy.
The benefit for organizations is that they get MSSPs that are more familiar and aligned with the specific security requirements of their industry. Hacienda Mexican Restaurants started in 1978 in South Bend, Ind., and today has 13 locations. The company first contracted with MSSPs to provide managed firewalls and cloud-managed wireless access points at all of its restaurants. More recently, the restaurant company began using an MSSP for PCI services—including scanning, penetration testing, a breach protection program and a dashboard to assist in completing a compliance-related questionnaire.
"Unless you have the necessary in-house resources and a team dedicated to your security platform, I would recommend using a MSSP," said Timothy Yoder, director of technology at Hacienda Mexican Restaurants.
"This industry is so dynamic; [it's] almost impossible to keep up with the changes and new security threats," he said. "Why not leave it to the experts? It just makes sense."
More on the pros and cons of managed security services
Managed security service providers expand their threat offerings
Why organizations require transparency from security services