Choosing a Security Provider - Understanding the Offerings
There is an ongoing trend of traditional managed service providers attempting to transition into security services beyond the typical endpoint security or vulnerability scans, with widely varying levels of success.
First, I want to note that it is possible to make this transition successfully. Many managed service providers have done an excellent job of growing their practice to include a compelling and high-quality security offering, in addition to their traditional managed services. Unfortunately, even more have failed to make that leap. As a result, businesses are left with a confusing services landscape. Even in my relatively small city, there are DOZENS of "security providers" that claim they can help you meet your compliance needs, prepare you for audits, monitor your network 24/7/365, etc. Most claim to be able to offer similar services, claim to have the same experience, etc. Unless you really know what you are looking for, it can be tough to differentiate between them beyond their price tag and who can give the best sales pitch. To help quiet the noise a bit, I wanted to spend some time discussing things businesses can look for to differentiate successful security providers from those still trying to make that transition.
To get started, let’s talk about some standard offerings you might come across that are often confusing or deliberately presented in a deceiving manner by lower-maturity providers in an effort to sell services they can't effectively offer.
Vulnerability Scans v. Vulnerability Management:
Vulnerability scans are easy; anyone who can click a mouse can do it. You pay the license fee, enter an IP address range, and off you go. You get a report with a list of the devices you scanned and what vulnerabilities show up. That is really all there is to it.
Vulnerability Management is significantly more involved. It includes the scan mentioned above, but more importantly, it includes a human who then reviews that list, helps decide which findings need to be addressed, and sets the priority you should treat them with. It turns DATA (scan results) into INFORMATION (action items with priorities and potential risk).
In a perfect world, data would be enough. Every vulnerability would have an easy-to-apply patch, and scheduling downtime would be no problem. But the reality of a production computer network is that not everything can be fully patched immediately. Patches need to be tested, compatibility with existing applications needs to be reviewed, downtime needs to be scheduled, and all of this can take significant amounts of time in large environments. And all that only works if there is actually a patch to resolve the issue. This is why review and prioritization by a human who is familiar with your environment are needed.
With only the scan results, you can rank the vulnerability into a few broad categories and apply a generic risk profile. Management takes that a step further and assesses that ranking against the asset's value and the asset's location on the network to produce a risk assessment. Risk is the thing you should actually care about, not the vulnerabilities.
Ask your potential provider to explain what RISK is, ask how they determine the level of risk a vulnerability poses, and what things they consider when making that determination. Do they do a scan and accept it at face value? Do they actively manage vulnerabilities for you and give you recommendations based on their knowledge of your network? What happens if there is no available patch to resolve the vulnerability or if the available update breaks something else on your network?
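As an added illustration (not from the original post) of turning scan DATA into risk-ranked action items, the following Python sketch scores each finding against the asset's value, its network exposure, and whether a patch exists. The findings, asset inventory, weights, thresholds and the CVE-EXAMPLE identifiers are all constructed placeholders.

```python
# Constructed scan output: what a raw vulnerability scan hands you (DATA).
FINDINGS = [
    {"host": "web-01",  "cve": "CVE-EXAMPLE-0001", "cvss": 9.8, "patch": True},
    {"host": "hr-db",   "cve": "CVE-EXAMPLE-0002", "cvss": 7.5, "patch": False},
    {"host": "kiosk-3", "cve": "CVE-EXAMPLE-0003", "cvss": 9.1, "patch": True},
    {"host": "web-01",  "cve": "CVE-EXAMPLE-0004", "cvss": 4.3, "patch": True},
]

# Constructed asset inventory: the environment knowledge a human analyst adds.
# value: 1 (disposable) .. 5 (business critical); exposure: where the host sits.
ASSETS = {
    "web-01":  {"value": 3, "exposure": "internet"},
    "hr-db":   {"value": 5, "exposure": "internal"},
    "kiosk-3": {"value": 1, "exposure": "isolated"},
}

# Assumed weights for how reachable an attacker finds the host.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}


def risk_score(finding, asset):
    """Risk = how bad (CVSS) x how much it matters (value) x how reachable (exposure)."""
    return round(finding["cvss"] * asset["value"] * EXPOSURE_WEIGHT[asset["exposure"]], 1)


def action_for(finding, score):
    """Turn a score into an action item; a missing patch changes the action, not the urgency."""
    urgency = "now" if score >= 20 else "this cycle" if score >= 10 else "backlog"
    if finding["patch"]:
        return f"patch ({urgency}, test compatibility and schedule downtime first)"
    return f"no patch available: mitigate ({urgency}) by restricting access and adding monitoring"


def prioritize(findings=FINDINGS, assets=ASSETS):
    """Return findings as INFORMATION: risk-ranked action items, highest risk first."""
    items = []
    for f in findings:
        score = risk_score(f, assets[f["host"]])
        items.append({"host": f["host"], "cve": f["cve"], "risk": score,
                      "action": action_for(f, score)})
    return sorted(items, key=lambda i: i["risk"], reverse=True)


if __name__ == "__main__":
    for item in prioritize():
        print(f'{item["risk"]:>5}  {item["host"]:<8} {item["cve"]}  {item["action"]}')
```

Note that the CVSS 9.1 finding on the isolated kiosk lands at the bottom of the list while the unpatchable CVSS 7.5 on the HR database ranks second, which is exactly the difference between ranking vulnerabilities and ranking risk.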
Penetration Testing (Pen Test):
This is one of the most commonly confused things in the Security Services space. It is frequently (and incorrectly) used interchangeably with Vulnerability Scanning, especially by lower-maturity providers. A Pen Test is a scoped engagement in which a professional attacker attempts to gain access to the data on your network via weaknesses in design or vulnerabilities in existing systems. So while a vulnerability scan is likely to be part of the Pen Test, the company conducting the test must then try to exploit the vulnerabilities to determine if access is actually possible. Lower-maturity providers often do not complete that second step and stop at the scan. While knowing a vulnerability exists is useful, it does not tell the whole story.
Pen Tests also look for weaknesses beyond software vulnerabilities. They may test the ability to crack and use weak or leaked credentials and look for misconfigurations in systems that allow data to be leaked directly or get the attacker closer to breaching your network. They can even test the human elements of your network via attempted social engineering or phishing.
As a best practice, Pen Tests should be completed after you believe your network is secure, in an effort to validate that belief, or on the schedule required by your compliance framework. The reason for this is that legitimate Pen Tests are often costly and time-consuming, so you are better off auditing your practices, using automated tools to spot the "low hanging fruit" and addressing that first, then doing a Pen Test once you believe you are sufficiently secure. But be sure it's an actual Pen Test and not just another automated vulnerability scan.
But most importantly, a good provider will help you understand the findings and prioritize the fixes. Getting the test done is often enough to "check the box" from a compliance perspective, but taking action to resolve the weaknesses is how to actually improve your security posture, and that should be the ultimate goal.
Ask your potential provider for background on their pen-tester(s). What certifications do they have? What is their professional experience like? What is their Pen Test process like? How do they prove they were able to access the data via a vulnerability? Ask for an example report from a previous Pen Test and make sure it is information you can understand and act on, and ask how they prioritize the findings to align them to your specific environment and needs. If you are aiming for a specific level of compliance, ask how they can map their findings to that framework so you are able to prioritize your action items.
Security Operations Center (SOC) as a Service:
To round out the common security offerings comes SOC as a Service. Traditionally, the role of a SOC is to monitor your network for security issues, provide an analysis of the issue, assign a risk, and ideally provide some potential steps to remediate the issue. To be effective, SOC analysts are trained to look at information, usually in the form of security and event logs, and assess the risk associated with that information. The speed and quality of those assessments are what separates good SOC analysts from bad. It is a skill that is fully independent of standard "helpdesk" or "network" operations, as the focus is less technical and more analysis / risk-based.
That difference is one of the major issues that traditional managed services run into when attempting to move into the security services space. Providers are left with a few options:
- Hire a security engineer/analyst (also different roles, but when just getting started, they can be combined) to build the offering around. You generally need more than one for continuity to exist in the event that person gets sick, takes a vacation, or quits, and even more so if you are offering 24/7 emergency response.
- Use their existing helpdesk and train them to be SOC analysts. This is one of the more common choices, and what often leads to poor SOC service. Analyzing an alert to fix a technical issue and analyzing an alert to understand the potential business risk are different tasks. They require different tools, different training, etc. And the provider then needs to balance the prioritization of security alarms against non-security alarms which can get messy.
- Resell a "white-labeled" product from another provider (outsourced). This can be hit or miss depending on the provider they are reselling, and it often adds delays in things like communication, as the 3rd party needs to communicate with the provider, who then needs to relay the info to the customer. During an emergency, this can get problematic if their lines of communication are not clear. It can also make fixing any process or delivery problems harder, as the provider often has little control over the actual service being sold.
Each of the 3 choices has pros and cons, and many times providers go through an evolution, usually by starting with option 2 or 3 and then evolving to option 1 once they can afford to do so. Lower-maturity providers often stick with option 2, as it allows the most profit to be retained, but it frequently results in the lowest-maturity offering to start.
Beyond the analyst team, understanding the provider's security engineering background is also important. A SOC can only be as effective as the data it has to analyze. Choosing an appropriate SIEM solution, understanding which data sources on your network need to be monitored, and understanding how to tune those tools to reduce noise are critical to an effective SOC solution.
Ask your provider about their team. Are they employees or a 3rd party? What is their training like? What is their approach to continuous education? What certifications do they have? (Threats evolve; so should the team.) What is the role of the SOC in incident response? What does their SIEM tuning process look like?
Hopefully, the questions above help businesses differentiate the mature security providers from those still trying to work it out. The best way to determine if a provider genuinely does what they say they can do is to ask how they do it. Our job is to take complex issues and communicate them in a way our customers can understand, so never be afraid to ask questions if there is something you aren't sure about. If your provider can't clearly articulate how they accomplish things, there is a high likelihood they aren't actually doing it.
CBTS | Hawaiian Telcom has been helping many customers improve their cyber security posture. Solutions like Email Security, Endpoint Protection, or even Managed IT, can greatly lessen the risk of a cyber attack. If you would like to chat more about securing your business please call us at 808-777-6027 or visit our website for more information.