The Evolution of Managed Services in Cybersecurity
As cybersecurity threats continue to evolve, organisations need to be confident that their managed security services are keeping pace and delivering the appropriate capabilities to meet the particular requirements of the business.
Managed Services Evolution
There’s an old maxim in cybersecurity: either you’ve been a victim of an attack or you’re going to be. The ever-evolving nature of cybersecurity threats requires constant vigilance from business leaders to keep up. Meanwhile, cyber criminals operate with a business-like mentality, focusing on cost-effectiveness while looking for security weak spots and easy targets. Large cyber crime gangs can have sizeable resources with hierarchical organisation structures and even support functions such as human resources. According to research by Trend Micro, such a gang can have an estimated annual revenue of more than $50m.
Tackling this is not new – companies have long invested in specialist managed security services that offer constant monitoring and updating of defences to match the growing professionalism of criminal syndicates. But how do you know if your managed services provider is keeping up? Budgets are stretched, in-house security skills are expensive and hard to find, while threat levels continue to spiral as hackers increasingly use artificial intelligence and machine learning to exploit vulnerabilities. Therefore, as cyber threats evolve, so too must your approach to managed security services.
However, despite the sophistication and growth of cyber attacks, there are many things businesses can do to fight back. The first principle is “not to get hung up on the technology”, according to Paul Allen, Practice Director at SCC. “Focus on how to facilitate the best results for your organisation. Don’t try and get too clever. It’s important to look at your business risk and match the appropriate capability to deliver what is needed,” he says. Not every business needs the shiniest, latest security system to address its needs – do you really need a Ferrari to drive to the local shops? Addressing the real needs of the business and how best to deliver cybersecurity will vary from organisation to organisation.
Dynamic cybersecurity responds to the business environment
Gartner estimates that by 2025, more than 95% of new digital workloads will be deployed on cloud-native platforms. This is up from 30% in 2021, which has been amplified with the growth of hybrid working. The analyst group forecasts that more than 85% of organisations will embrace a cloud-first principle by 2025. These figures show that organisations are on a journey to the cloud but are following different roadmaps and time scales.
“Cloud security touches every part of what an organisation does. Pre-Covid, you might have had 150 staff working in a central office; now, with home working, it’s 150 staff and 150 offices. The castle-and-moat walled approach no longer fits,” explains Allen.
“You need to develop a casino mentality and understand where the risk is. If someone is in the restaurant, there is much less risk than when they go to the casino table.”
Paul Allen, Practice Director, SCC
“You may not have a CISO on the board, but you must have someone with technical capability who understands cyber risk and the potential impact on your organisation or business. It’s a three-dimensional skillset. Its level of importance is not going to go away,” says Allen.
The right cybersecurity at the right price with increased automation
Gartner predicts that by the end of 2023, half of organisations will have replaced legacy endpoint security software, moving to endpoint detection and response (EDR) solutions. However, many organisations with EDR in place have already evolved to use more advanced managed detection and response (MDR). This includes monitoring signals from across the network to enhance the ability to detect and respond efficiently.
Now, the next generation of security technology has emerged: extended detection and response (XDR). XDR uses machine learning and behavioural analytics to identify alerts presenting the highest business risk with the detail required to correctly remediate. It provides a centralised and “single pane of glass” view of risk profiles, threats and mitigation activity. Enrichment of context is automated, as are many of the actions, with human intervention kept to a minimum.
By analysing data across endpoints, networks and cloud workloads, XDR builds a proactive rather than a reactive approach to cybersecurity. Additionally, XDR provides unified visibility across your entire threat surface, whether it is an on-premises, hybrid or cloud-native multicloud environment.
“SIEM [security information and event management] was usually used to best effect after the fact of a breach – you have to go back and look at what happened,” says Allen. “XDR can mean different things to different people. It should be proactive, automated and intuitive – like MDR on steroids. In any cybersecurity event, there is an initial bang at the point of a breach. XDR helps an organisation to spot the potential incident on the leading edge before it becomes a threat – or worse, a breach – before you require a full-on response. Catching a cyber event before it causes damage requires a more informed understanding of risk with more context.”
Actionable intelligence through converged security tooling
XDR offers a more evolved response to cybersecurity threats. Allen highlights how this convergence of security tooling reduces the risk of organisations being oversold and overcomes the urge to buy the latest shiny new security tool.
“Technology is technologist-driven and does not always offer the best value for money,” he says. SCC utilises Microsoft’s Sentinel and Defender products, which consume data from other sources, bringing an enhanced response through data convergence. “The driver is how to automate. As we condense and converge data and services to simplify the lives of customers and technology professionals, automation allows us to use application programming interfaces [APIs] to consume data, analyse and make informed decisions about the value of data for a clearer picture. Data becomes intelligence only when it is actionable,” says Allen.
By giving organisations actionable intelligence to combat cyber threats effectively, common challenges, such as lack of resources, limited budgets, alert fatigue, lack of visibility and vendor overload, are minimised.
“It reduces human error, improves speed and means responses to certain risk factors can be automated,” says Allen. As such, a modern managed services approach should automate, enrich context and reduce alert fatigue for security analysts. “They’ll still have to make key decisions – but more confidently in understanding the risk factors and the business context. The technology can be used for what it’s good at: analysis, correlation, enrichment and automation. This means senior analysts can respond and resolve and make better and more informed decisions,” says Allen.
How a cyber criminal sees your organisation
Cyber attacks are often carried out by initial access brokers, who sell information about the compromised systems they have identified to other cyber criminals with different specialisms. This could mean that an organisation will only know months down the line that a potential breach has occurred.
“Managed security services must align to models in the physical world,” says Allen. “With monitoring based on context, and explicit trust where access is based on explicit verification. It is possible to apply security principles and prevent the initial access brokers gaining access to information.”
Organisations can limit the likelihood of cyber attacks with external attack surface management (EASM), to safeguard the digital experience. Through continuous discovery, monitoring and prioritising, full visibility is possible across multiple cloud and hybrid environments. “EASM tackles what threat actors look for and how an organisation appears to the outside world. In the same way you would deter a criminal from entering your house by not leaving the door open. Cyber criminals searching for a quick return on investment will look elsewhere for an easier challenge,” says Allen.
EASM can discover unmanaged resources and identify exposed weaknesses such as misconfigurations. “It is a tool in the arsenal to help understand what action needs to be taken. For example, shadow IT can be uncovered; test and development sites where the software has not been updated; and e-commerce sites presenting a tunnel in and an open door where data can be exfiltrated,” says Allen.
Proactive security to deter cyber criminals
There are three fundamental tenets of information security: confidentiality, integrity and availability. To support these, the MITRE ATT&CK security framework provides a curated knowledge base of the tactics and techniques used by threat actors across the entire attack lifecycle. The MITRE approach helps organisations become better informed: it helps them collect the right information at the right time to spot a threat, and to spot the gaps in their monitoring.
Deception technologies can create honeypots on the internal network as decoys for threat actors intent on gaining access and privileges to harvest credentials. Whether or not there has been an incident, any organisation should undergo incident response planning to become more proactive in its cybersecurity stance.
“Incident response planning should be reviewed on a periodic basis with full board engagement. It should not be a reactive response to an incident that is rushed through, sparking a media frenzy,” says Allen.
How SCC can help
“Cybersecurity is an evolutionary process. Moving from MDR to XDR makes organisations more capable of identifying threats because they can spot risky activity before it becomes an out-and-out breach.”
SCC helps its clients move towards proactive security by listening to and understanding their business needs and treating every client as an individual. “Every customer is different with different business drivers and technology budgets and resources. We help them understand their risk profile and an acceptable level of risk, so we can give an appropriate level of monitoring for their needs and build something they can consume,” says Allen.
The evolution in managed services in cybersecurity, with important developments such as XDR, makes it easier for CISOs and CIOs to do their jobs and aim high based on what the business needs. In many cases, a peer comparison may be misleading and not based on best practice. “For example, non-regulated sectors may be behind in cyber maturity,” explains Allen. Depending on risk profiles, using something like the National Institute of Standards and Technology framework can establish a baseline or a comparison with organisations in the financial sector.
SCC can help you gain full visibility of your attack surface and help with business-impacting cyber incident scenarios to put the right strategies in place. This proactive approach to managed cybersecurity services allows CISOs to build a business case to go to the board.
“A CISO or CIO should never go to the board and say, ‘We are secure’. But based on knowing their risk profile, they can say, ‘We are improving’,” Allen says. “We work with our customers, listen to their needs and only build solutions and services so they can keep pace with threats appropriate to their risk profile and continue to evolve this service over time.”
Are you ready to evolve your cybersecurity managed services?
Written in collaboration with Tech Target