Automated detection will fail. This is not a FUD (Fear, Uncertainty, Doubt) statement designed to strike fear into the hearts of CISOs; it’s a fundamental problem that’s unlikely to be solved in my lifetime. This problem is not limited to technology alone: sometimes it’s a failure related to process or people, and sometimes it’s a murky mixture. Add any sort of complexity to the mix and the odds become greatly stacked against us.

Regardless of the reason, these factors can result in a failure to notice something bad happening in our environment, which puts us in an awkward position. The investment we made to protect ourselves works as intended, but only most of the time.

As security professionals, is it time to admit that we can’t spend our way out of being vulnerable to a breach; as security vendors and service providers, is it time to admit that we can’t actually stop every breach?

IFTTT (If This Then That) or what?

This doesn’t mean we shouldn’t have great technology, people, and processes helping us to make decisions about the activity going on around us. Air disasters have dramatically and steadily declined over the past couple of decades. This is mostly due to advances in pilot training, the design of the planes themselves, and the fly-by-wire automation technology that most come equipped with today. However, accidents still happen: airspeed indicators freeze over, sending instruments into chaos and prompting pilots to chase down problems and react in ways that aren’t necessary to resolve the actual problem, thereby making the overall situation worse.

We are in a similar situation: great technology that keeps us safe, well-trained operators following a solid process, and automatic detection of most threats.

At this point our conversation can go in many directions. Perhaps we’d talk about Risk Mitigation, Security Control Frameworks, the future of AI and Machine Learning, blockchain, next-gen, virtual reality, etc., but you already hear enough about those. I want to talk about this problem from a Managed Security Services Provider perspective.

Does MSS drive value to its clients, and are consumers of Managed Security Services expecting enough of their MSSP?

MSSPs, in general, are not delivering on their promises. “We are an extension of your team”: hardly, as nearly every time you talk with your MSSP it involves explaining something you’ve already explained many times in the past. “You can take advantage of our wide visibility into a large client base to realize improvements in our detection capabilities for you”: doubtful, as most MSSPs don’t have the infrastructure or process in place to ensure this actually happens. “We don’t just throw alerts over the fence to our clients”: no comment necessary here, I imagine.

The truth is that MSSPs struggle to provide value. The majority of MSSPs were created when a client opportunity came up to manage and monitor a technology, and due to this, most are only built to monitor security technology and the alerts it generates. This continues throughout the life of the provider. Got a new technology you need managed? MSS will take it on!

On the other hand, consumers of MSSP services have been conditioned to expect that the value of these services is in the expansion of their security device management and monitoring to 24×7 by a larger set of eyes. This is a great expectation, but what some may not realize is that an MSSP will have the same struggle to contain technology sprawl as any enterprise. The more technology an MSS manages and monitors, the harder it is to be effective and efficient at doing so. The complexity of it all becomes overwhelming, and service delivery suffers as economies of scale disappear. MSSPs compete in the same job market as everyone else, so this complexity leads to stress and job dissatisfaction, which inevitably leads to analyst turnover, only exacerbating the problem. It might be interesting to note that clients tend to overlook blips in service for the duration of the contract because the value is in the coverage, not the actual outcome of the service. At renewal time, however, the realization that little value was delivered sets in, and many organizations look elsewhere (or internally) for a SOC.

Lessons learned.

These are just some of the problems with legacy MSSPs (yes, there are more), and with over a decade of experience working for some of the biggest and best, I consider them lessons learned. When we came to Kudelski Security in 2016, we asked for and were granted the opportunity to stop selling our MSS and take a hard look at our service model and at the MSSP vertical in general. With the lessons learned in mind, we went about the process of rebuilding everything on top of our Cyber Fusion strategy. As we sat together in many (many!) meetings, a fundamental and critical objective bubbled up. We need to deliver value to our clients, not just the perceived value based on extending coverage of internal teams, but real value based on business outcomes that reduce overall risk. To do this we needed to understand how to contextualize the modern threat, detect a breach quickly, and limit the impact.

Assume Breach.

Automated detection will fail and we should assume breach; this is the genesis of our strategy to tackle delivering those business outcomes. When we started to work on our infrastructure, our goal was to have the top Threat Monitoring Service in the world. We built in the capability to ingest business context just as easily as we could ingest curated threat intelligence. Luckily, Kudelski Security provided us with a team of 30 DevOps engineers dedicated to MSS.

If an organization is monitoring junk, sending that junk to an MSSP doesn’t make it better, so we created a set of standard Use Cases which we could deploy regardless of technology, as well as the capability to customize Use Cases as needed, so our clients could consume alerting with consistency across their environment. We see the network perimeter as deteriorated, so we placed extra focus on the endpoint by developing Managed EDR and Attacker Deception Services, which landed us in the 2017 Gartner MDR Market Guide. By the way, we do have a select set of great technologies we manage as well. This list is kept intentionally small for the reasons we covered above.

If we had stopped there, Kudelski Security would be a great MSSP; we wanted to be greater.

Challenge the MSSP vertical to change.

Fundamentally, I want to see all MSSPs better protect their clients. To induce this market change, we provide Threat Hunting as part of our Threat Monitoring Service at no extra cost.

We believe this is what every MSS, every SOC, and every security team should do regularly, because automated detection will fail and we must assume breach.

Threat Hunting is an integral part of Threat Monitoring and, as such, should not be separated on a pricing sheet.

Our hunting is not just marketing lip service either; it comes in 3 flavors, and they are all included with our Threat Monitoring.

  • Structured
    • We have a set of Threat Hunting use cases which we monitor for anomalies 24/7/365.
  • Targeted
    • We meet Monday – Friday every week to identify noteworthy threats to hunt. It could be based on input from our clients, from what we’ve seen in the intel community, or what we’re seeing with fast-breaking threat events such as NotPetya, WannaCry, etc.
  • Creative
    • We enable every analyst, regardless of level, to hunt at any time, based on their hunches and intuition. If you see something interesting, hunt for it.

Our threat hunting is performed by our own MSS Analysts and not a separate professional services team who mostly do point-in-time projects. We are always hunting, searching for that clue, that breadcrumb, that something is amiss. We’ve found hidden threats otherwise missed by monitoring. Hunting also allows us to continually improve, as many of our hunts have resulted in new monitoring techniques. Allowing everyone to hunt has also increased the job satisfaction of our analysts, virtually eliminating turnover.

If it works for us, it can work for everyone, and it should be a normal part of your threat monitoring program.

Francisco Donoso, our lead MSS Architect, is writing a follow-up to this post titled “SIEM is dead, long live SIEM”. He’s got some great content that emphasizes the work we’ve put into some of the technical ideas behind what we are all about as an MSSP.

Wrapping up.

Automated detection will still fail, and breaches will still occur, but with our approach we can contextualize the threat, reduce the time it takes to detect a breach, and limit its impact.

MSSPs out in the marketplace, consider this a challenge. We hope you will accept.

Alton Kizziah