Tag Archives: rsa 2017

3 Things on Cyber All Firms Must Know

Managed security services providers, or MSSPs, continue to rise in presence and impact—by giving companies a cost-effective alternative to having to dedicate in-house staff to network defense.

In the thick of this emerging market is Rook Security. I spoke with Tom Gorup, Rook’s director of security operations, about this at RSA 2017. A few takeaways:

Outsourced SOCs. MSSPs essentially function as a contracted Security Operations Center, or SOC. Most giant corporations, especially in the financial and tech sectors, have long maintained full-blown SOCs, manned 24/7/365. And so the top MSSP vendors, which include the likes of AT&T, Dell SecureWorks, Symantec, Trustwave and Verizon, are aggressively marketing MSSP services to midsize companies, those with 1,000 to 10,000 employees.

See also: 7 Key Changes for Insurers’ Cybersecurity  

At the other end of the spectrum—catering to very small businesses—you have consulting technicians, operating in effect as local and regional MSSPs. These service providers may have one or two employees. They make their living by assembling and integrating security products developed by others, working with suppliers such as SolarWinds MSP, which packages and white labels cloud-based security solutions for very small businesses.

So what about the companies in between, those with, say, 50 to 999 employees? Security vendors recognize this to be a vastly underserved market, one that probably has pent-up demand for MSSP services.

What MSSPs provide. For midsize and large enterprises, MSSPs deliver an added layer of expertise that can help bigger organizations actually derive actionable intelligence from multiple security systems already in place, such as firewalls, intrusion detection systems, sandboxing and SIEMs. The top MSSPs tap into all existing systems and provide deeper threat intelligence services, such as device management, breach monitoring, data loss prevention, insider threat detection and incident response.

For small businesses, local MSSPs focus on doing the basics to protect endpoints and servers. This relieves the small business operator from duties such as staying current on anti-virus updates, as well as security patches for Microsoft, Apple, Adobe and Linux operating systems and business applications that are continually probed and exploited.

 Who needs one? Every business today is starkly exposed to network breaches. So who could use an MSSP? The calculation for midsize and large organizations is straightforward. The goal is to provide more data protection at less cost, based on thoughtful, risk-based assessments. The most successful MSSPs will help company decision-makers build a strong case for their services.

See also: Quest for Reliable Cyber Security  

At smaller companies, the first question to ask is this: How mature is my security posture to begin with?

Gorup observes: “Is security even on the radar right now? In smaller organizations, you might have just one person, part-time, working IT. Security is kind of secondary. I’d recommend seeking more advisory services to help detect phishing attacks, help build some processes, help understand what technologies you should invest in. This will allow growth to occur. And then you can make a natural transition into building an SOC or seeking SOC services.”

SMBs Need to Bulk Up Cyber Security

Third-party risks—the notion that a contractor or a supplier could inadvertently expose the first-party organization to a network breach—may not be the sexiest cybersecurity issue out there. But at RSA 2017—the weeklong cybersecurity conference that drew 43,000 attendees to San Francisco’s Moscone Center last month—there was much talk that third-party risks are destined to ascend as a bellwether phenomenon.

I mean that in this sense: Actually addressing third-party risks is something companies of all sizes—from enterprise-class first-party organizations to SMB-size third-party suppliers—must come to grips with, probably sooner than later. What’s more, as the journey to mitigate third-party risk unfolds, trustworthiness of internet-centric commerce naturally will rise, perhaps dramatically.

New market emerges

One marker is that tech research firm Gartner has begun monitoring a dozen or so technology vendors marketing third-party risk solutions to large enterprises. Gartner refers to this fledgling cottage industry as the “IT vendor risk management” market. In a report last fall, Gartner predicted that the IT VRM market would expand 30% by 2019.

See also: Ransomware: Growing Threat for SMBs  

The main growth driver: regulatory requirements.

Case in point: New York state’s freshly minted Cybersecurity Requirements for Financial Services Companies, which took effect March 1, includes provisions that require financial services companies to ensure the security of the systems used by their third-party suppliers.

Meanwhile, Europe has begun to roll out a comprehensive set of data-handling rules that also call out the need to address third-party risk. These include the new framework for commercial data exchange between the U.S. and the European Union, referred to as the EU-U.S. Privacy Shield, as well as the new EU privacy rules known as General Data Protection Regulation or GDPR.

SMBs in hackers’ cross-hairs

To be clear, the burden does not solely rest with large enterprises to mitigate third-party risks. This issue profoundly affects small and medium-size organizations. SMBs no doubt will face increasing requirements to prove their cybersecurity fitness to win contracts from first-party business customers.

“Third-party issues are driven by the fact that outsourcing trends are continuing unabated,” says Jonathan Dambrot, CEO and co-founder of Prevalent, one of the leading IT VRM vendors tracked by Gartner. He says third-party suppliers, in fact, are believed to be the source of as much as 70% of the network breaches that occur today,

Professional cyber criminals are fully aware of capabilities of the multimillion-dollar security systems that large companies have in place. So they wisely target “the small provider who’s providing some service and who doesn’t have their security controls,” Dambrot says.

Vendors lack knowledge

Meanwhile, all too many third-party suppliers continue to operate either ignorant of, or in denial of, the exposures they’re creating by failing to adhere to security best practices.

“A lot of smaller firms are still struggling with even understanding what they need to do, from a policies standpoint all the way down to the technical controls,” Dambrot says. “Do they have appropriate controls for encryption, identity management and multifactor authentication?”

It’s very early in the ballgame. A Ponemon Institute survey conducted last May found that the majority of the 600-plus respondents agreed that third-party risk was both serious and has been significantly growing in their organizations.

See also: Cyber Attacks Shift to Small Businesses  

However, Ponemon found that only a third of those organizations had formal programs in place to manage third-party risks, and only about a quarter of them purchased cyber insurance to reduce the economic impact of third-party risks.

But the potential for elevating internet security, in the longer run, is palpable.

This post originally appeared on ThirdCertainty.