As organizations look to improve their cybersecurity efficacy and combat new threats and challenges, they may want to partner with a company to help them manage their threat detection and response. To find how to best balance this kind of relationship, we spoke to Chris Schueler, SVP of Managed Security Services at Trustwave.
An enterprise’s biggest challenge when it comes to modern cybersecurity is being able to move quickly enough to protect their organization. We’ve seen that the explosion of cloud-based services have given enterprises a lot of difficulty and added complication when it comes to security, compliance and data protection. Not only do organizations need to protect themselves against hacks and breaches, but they need to ensure they’re preventing leaks, exposures and unprotected databases, which can happen due to misconfigurations and oversight.
However, as Chris notes, an enterprise is also faced with a skill gap unlike before. New skills and new domains of expertise are required for most enterprises, but there’s a shortage of training content and materials, labs, demos and trainers. It’s not just a matter of time and money, the ability to train up your existing team just might not be available in the way you need it.
And organizations can’t depend on tools or products only - a skilled team is needed. “There’s no platform that does threat hunting by itself.” says Chris. “Organizations can’t just buy a commercial off-the-shelf solution that can perform what organizations need by itself - it requires humans.”
To properly protect and defend your organization, you need a team with the right skillset, platform and tools. If your organization lacks the team or required expertise, that’s when managing and partnering needs to be considered.
When considering partnering or managing, don’t think of it as a binary choice. “It’s not a commoditized asset that’s binary,” says Chris, “where it either works or doesn’t. It’s about knowing what your organization can bring to the table and how a partner can help you fill in those gaps.”
Chris likens managed detection and response (MDR) to a pyramid - the deeper you get, the wider you go, and the more unknowns you’re dealing with. Having the right partner helps you navigate those unknowns.
However, before you can even consider a partner, you need to know what you’re looking for.
Chris recommends taking an outcome-based approach and working your way backwards. What does your security department need to be able to do - prioritize threat hunting, reactive remediation, reverse engineer malware, remote forensic analysis? It could be some of those things or all of those things. Knowing what you need allows you to understand what your organization can provide, what tools are necessary, and how a partner or service provider can help fill skill, talent, and expertise gaps.
“Managing versus partnering isn’t black and white” Chris says, “every single engagement is a hybrid approach - how much does your department want to lean one way or another?”
Once you know the outcome you want, you can begin the prep work.
You know your organization best, so bringing that into conversations with a potential partner will help you decide whether you have the capacity to deliver 50% or 10% of the work, time, and resources involved in detection and response.
When deciding to have a partner or a manager and understanding how exactly they’ll be working with you, Chris recommends taking stock of a few things adherent to your company:
Then you need to know what your security department’s level of maturity is and where it plans to be in the near future. Having a timeline is essential as it will help you find the right partner and one that will work with you as your organization grows.
You should consider how your team’s skillset stacks up to your organization’s needs. Do they have the skills and analytical capabilities to engage in complete detection and response or do they have specific specializations?
All this initial and prep work to ensure you find the right partner will also avoid a common pitfall that security departments run into - purchasing the wrong tool.
Every partner or service provider has a set of specialties, skills and expertise, and that’s also true when it comes to tools. A good partner/service provider should be able to adapt their existing toolset to a new client’s customer environment and tailor it to how a client’s network is built, what their cloud/hybrid infrastructure is like, and what their risks and assets are.
If you jump the gun too early and purchase a tool that your department isn’t equipped to handle or work with and then look for a provider, you’re only creating more ambiguity and complication. You’re better off letting them work with tools they’re already familiar with and adapting to your organization instead of adapting to the tool. One is more effective than the other.
If Chris could sum up the process for finding a good provider, he says “avoid buzzword bingo.”
Too many providers lean on buzzwords to market their services or products - AI, machine learning, “proprietary systems.” But it hardly provides clarity into how they work, the intelligence they use and their processes. Any partner that offers automation as a benefit is worth additional scrutiny. “If an organization is just using machines, or a system,” Chris says, “then they can’t, for example, look at malware from an analysis standpoint.”
A human team is essential for analyzing new threats, learning from events and compromises, finding patterns, understanding how hashes are applied, reverse engineering malware, threat hunting, finding more attack vectors, and preventing any lateral movement. Currently, there’s no technology that replaces this.
Chris recommends taking a back to basics approach, speaking to the experts of a potential partner (not just sales representatives), asking for a proof of concept, and references. “Make them show the work,” he says. Understanding your partner is just important as understanding your own organization.
As your security department matures, it’s inevitable that your attack surface expands and your security needs increase - so you’ll need some help. Whether that’s because of a new tool, required skillsets, or because you now need 24/7 monitoring. The decision isn’t whether or not to take on a partner but in what way - will you provide 50% of what’s needed, 20%, 80%?
Assessing your own department is the first step towards finding the right partner and one that will be most effective in protecting your company.
Find out how Trustwave’s team of MDR experts can help your organization protect itself against even the most advanced threats.
Evan Sharenow is the content marketing manager at Trustwave.