As on-line crime continues to surge in 2017, companies are increasing their cyber-security investments to protect their data and assets. In addition to technical countermeasures, employees’ awareness and the implementation of stricter security policies, a new solution is being considered for defending against Internet crime threats: cyber security-as-a-service. This outsourced solution can be the best way to create a more proactive, resilient defense to protect digital assets and achieve real-time threat intelligence and breach response for businesses of any size.
According to the Computer Economics IT Outsourcing Statistics 2016/2017 study, the trend is up for the outsourcing market leading to more flexible agreements between vendors and clients seeking quality network management services. All numbers show that cybersecurity is quickly becoming a #1 outsourcing priority for organizations. In fact, as the 2016 report from Gartner, Inc. also confirms, InfoSec spending will continue to grow in the next few years, until the end of 2020. The highest growth is expected in the funding allocated to IT outsourcing in addition to security testing and data loss prevention. “IT security leads the way with a net of 59% of organizations planning to increase outsourcing of this function,” reveals Computer Economics, Inc. Organizations are becoming more service driven, and software as a service and cloud options are now fueling the need for managed detection and response (MDR).
When Outsourcing Managed Cybersecurity Services is Most Fitting
When is outsourcing cybersecurity services a good idea? There are many reasons why a company might decide to entrust such a delicate function to an external contractor. The first one is, as always, money. Outsourcing means paying a periodic fee but forgetting all the overheads necessary to set up an internal team, from personnel expenses to software and hardware necessary to get the job done. It means a lower burden on the company’s HR department that will not have to worry about the support for the team as well as recruiting the highly-skilled professionals that are necessary for the task in an era in which there is still a shortage of such resources.
Another consideration is availability. Cybersecurity as a service outsourced from a reputable company with a proven track record can ensure the constant availability of experienced security professionals around the clock; in an internal team, especially when a small or medium company is concerned, there might not be enough personnel to cover a 24/7 shift and management would need to account for lower coverage in periods of training, sick and annual leave or other requirements.
Experience is another issue. Outsourcing means also accessing the expertise of a pool of professionals that haven’t just worked with one infrastructure but that, most likely, are providing monitoring and defense services for many companies of various sizes in different industries. Being exposed to a variety of issues, they can better keep abreast with current threat scenarios and might be able to recognize trends and issues as soon as they arise and faster than professionals, even if an expert, that are working in a single environment.
So, cybersecurity-as-a-service is a practical option for companies that cannot afford their own in-house experts or whose staff is struggling to deploy, manage and use technological tools to detect new attack vectors or threats on their own.
Why Choose SOC Over MSSP or MDR, SIEM?
Let’s look in details what are the options for a company regarding security. An in-house Security Operation Center (SOC) is usually the go-to-options for the majority of companies; in fact, a SOC is a vital component of a good cybersecurity solution designed to protect the system infrastructure for organizations that already have onboard a skilled team of experts with the know-how to detect and prevent network intrusions. A security center staffed by internal employees makes companies more comfortable as data and services are entrusted to people who are supposed to be already loyal and committed to the organization. Access to the network and data is not shared with external companies, and full control is retained on customizing software products used, including Security Information and Event Management (SIEM) solutions.
Also, an internal team is fully aware of management requirements and of any changes that are implemented in the system and the reasons behind them; they are also devoting their attention only to one company and might spot unusual patterns and behaviors quicker. There are however some drawbacks. Not all companies, in fact, can afford a large enough team to ensure continuous monitoring and therefore, response times to incidents might be slower than desired. Furthermore, it might not be possible to find and employ several fully experienced professionals so gaps might occur, and a learning curve might be expected for newer personnel. The upfront cost is also a concern as it could be steep.
Many organizations have, in these days, elected to outsource part or all their InfoSec operations to a third-party for on-demand computing services. The most logical security areas to outsource include monitoring and alerting services, security testing, incident response, third-party assessments to identify real risks, followed by targeted training for employees. Each daunting task is a prime opportunity to leverage external expertise, says Christie Terrill, Forbes Contributor. This has the client employ and “lean on a knowledgeable outside expert in an interim or long-term capacity.” Instead, to operate a security operations center (SOC) in-house, an organization may decide on a Cloud Security Operations Center to provide visibility and control through a virtualized infrastructure that can address any areas of concern and ensure the client’s cyber assets will be adequately protected around the clock. An organization outsources key functions and selects a cloud Managed Security Service Provider (MSSP) to keep up with the constant threats in cyberspace; outsourced tasks often include:
- Monitoring cybersecurity risks before they become real issues. Performing vulnerability assessments and IT audits, where risks are identified, measured, and managed over time.
- Scanning to help detect areas vulnerable to computer threats (e.g., a virus, malware, spyware) and providing a realistic threat assessment.
- Testing security measures and existing security controls and processes to ensure the organization is protected against any type of vulnerability. This might entail conducting and/or reviewing penetration test results with the aim to identify corrective actions.
From the list, the MSSP solution seems it has several advantages especially for clients in the SME area.
An MDR service instead allows for continuous monitoring of cyber assets for ever-evolving advanced threats and exploits and ensures quick response to confirmed incidents. As Elad Ben-Meir, mentions in The Rise of Digital MDRs, the increased use of digital Managed Detection and Response (MDR) services is an excellent supplement to existing security tools in predicting and defending against network attacks; continuously scanning digital environment for threats, “MDRs look beyond the perimeter to provide constant vigilance of cyber activities to eliminate potential threats before they become crises.” Also, “MDRs relieve clients of the burden of having to determine which method or device they should use for security monitoring and response capability” beyond what is typically monitored through standard security controls.
Managed services ensure, in fact, access for a fee to a pool of experienced professionals and specialized software that might not be possible to acquire when building an in-house structure. Response to incidents is also potentially much faster as 24x7x365 coverage is normally guaranteed. From a financial point of view, companies might be happier to budget for a monthly/annual fee rather than facing a significant upfront expense and several, subsequent “maintenance/training” charges.
The drawbacks are obvious: the monthly cost could be stable or increase overtime, while an in-house SOC might potentially become less expensive as time passes. Security and privacy are also a concern as trusting subcontractors with company data is a necessity. Some organizations are reluctant to give up complete control over the security of their systems. The risk can be mitigated by devising robust service level agreements (SLAs) that shall clearly state, in details, legal liability responsibilities and consequences. Companies can also decide to outsource only some specific functions to keep an internal SOC while having contractors provide only specific tasks: continuous monitoring, for example, or managing some technical tools, or else vulnerability scanning.
Ethical Hacking Training – Resources (InfoSec)
Plenty of outsourced options exist; as a result, it is quickly becoming a favorite choice for many firms, as proved by current researchers. Gartner’s Market Guide for Managed Detection and Response Services predicts that by 2020, 15% of midsize and enterprise organizations will be using services like MDR, up from less than 1% today.
The alternative is a SIEM service. Many organizations today are especially leveraging SIEM-as-a-service (Security Information and Event Management – SIEM) to enhance their existing cyber defenses as the most effective mitigation strategy for integrated threat intelligence so they can accelerate threat detection in the cloud and/or on-premises environments. As SIEMs tend to generate a considerable amount of data and events, it can overwhelm the security team; organizations might employ managed security services for this function for complete or blended support of their environment.
Fittingly, choosing the right vendor is crucial, and it involves a thorough analysis of the business requirements, managing risks in asset transfer, the gamble the company is willing to take with outsourcing and the potential cost of an InfoSec breach. It also means a complete market review with the identification of reliable partners and, in most cases, the best company that operates in cybersecurity as related to the market in which it operates. Therefore, it is best to begin by researching the vendor’s background, qualifications, credentials, and reputation before a contractual agreement. The service agreements ought to include details about their services, access rights granted and security provisions, as to who has admittance to the network; all this to build a trust relationship before relinquishing control to an outside third party. It is also essential for clients to consider the level of control they still have in the configuration of any software/hardware deployed by the contractor and in the decision-making as related to what to do and when during an incident. So, in the outsourcing agreement, a third-party vendor that is bound to certain levels of service and quality may not be held complete accountable if it fails to deliver the best security for its client that has ultimate responsibility for the results.
In today’s cyber landscape, managing internet security is paramount which is why so many companies opt to set up and run a SOC in-house or choose the services of consulting firms that will ensure that adequate steps are taken to preserve and protect the company’s digital assets.
It is vital for businesses of all sizes and not just large companies to make decisions and provide for the security of their assets. As former US Cyber Command and National Security Agency (NSA) head Gen. Keith Alexander mentioned in a 2004 conference, it is actually imperative for all businesses to pull together to defend their cyberspace better.
“If the small and midsized companies are grouped together, and they have this great cyber-security as a service capability, they are not the downstream problem for the large companies. In fact, they become part of the sensing fabric that helps protect the big industries — which they cannot do today. This capability would greatly improve our cyber hygiene.”
Admin. (2016, January 24). Common Cyber Security Mistakes Made by Organizations. Retrieved from http://infosecnewswire.com/common-cyber-security-mistakes-made-by-organizations/
Beg, N. (2016, July 25). 24×7 SOCs: The Answer to all Monitoring and Logging Needs? Retrieved from https://www.infosecurity-magazine.com/opinions/24×7-socs-the-answer-to-all/
Ben-Meir, E. (2017, March 9). The Rise of Digital MDRs. Retrieved from http://blog.cyberint.com/the-rise-of-digital-mdrs
BrightTALK. (2017, June 7). Webinar – Cybersecurity choices: SIEM, MSSP, or SOC-as-a-Service? Retrieved from https://www.brighttalk.com/webcast/11871/259787/cybersecurity-choices-siem-mssp-or-soc-as-a-service
Computer Economics, Inc. (2016, August). IT Security Outsourcing Becoming Top Priority. Retrieved from http://www.computereconomics.com/article.cfm?id=2246
Cybersecurity Excellence Awards. (2017). 2017 Cybersecurity Product Awards – Winners and Finalists. Retrieved from https://cybersecurity-excellence-awards.com/2017-cybersecurity-product-awards-winners-finalists/
Diachuk, O. (2016, December 20). Cybersecurity As #1 Outsourcing Priority for Businesses. Retrieved from https://www.infopulse.com/blog/cybersecurity-as-outsourcing-priority-for-businesses/
Gartner, Inc. (2016, August 9). Gartner Says Worldwide Information Security Spending Will Grow 7.9 Percent to Reach $81.6 Billion in 2016. Retrieved from http://www.gartner.com/newsroom/id/3404817
Information-age.com. (2015, April 9). To outsource or not to outsource – how to know if you need Managed Security Services. Retrieved from http://www.information-age.com/real-cost-outsourcing-it-123459275/
Lord, N. (2017, July 27). How to Hire & Evaluate Managed Security Service Providers (MSSPs). Retrieved from https://digitalguardian.com/blog/how-hire-evaluate-managed-security-service-providers-mssps
Malykhina, E. (2014, October 2). Ex-NSA Director Touts Cybersecurity as a Service. Retrieved from https://www.informationweek.com/government/cybersecurity/ex-nsa-director-touts-cybersecurity-as-a-service/d/d-id/1316281
Poremba, S. M. (2017, March 13). Cybersecurity Ventures Top 50 Security Companies to Watch. Retrieved from http://www.itbusinessedge.com/articles/top-cybersecurity-companies.html
Pritchard, R. (2013, March 25). Outsourcing – The Weakest Link? Retrieved from https://www.thecybersecurityexpert.com/outsourcing-the-weakeast-lin/
Rochford, O. & Lawson, C. (2016, December 7). The Five Models of Security Operation Centers. Retrieved from
Terrill, C. (2017, March 13). The Top 5 Security Functions to Outsource. Retrieved from
Williamson, L. (2017, September 22). When it comes to cyberattacks, it’s not enough to have the best technology. HR needs to take an active hand in staff training. Retrieved from https://www.hrmonline.com.au/technology/prevent-security-breach/
Yelina, Y. (2017, January 18). How to Outsource Security Services: Tips for Small Businesses. Retrieved from https://www.infosecurity-magazine.com/opinions/outsource-security-services-tips/