Coming to grips with managed security services

Outsourcing IT security to a third party can improve an organisation’s cyber security posture, but in-house capabilities, such as drawing up security blueprints and strategies, should still be retained

When employees at a utility firm clicked on a hyperlink in a phishing email that took them to a malicious website a few years ago, little did they realise that their seemingly harmless act would lead to a zero-day ransomware attack on their company.

The ransomware delivered by the malicious website was TeslaCrypt, for which its developers demanded bitcoin in exchange for a decryption key to unlock encrypted files. But instead of caving in, the company turned to its managed security service provider (MSSP) to contain the damage.

The MSSP, a global IT services company, sprang into action. Using its threat intelligence capabilities, it was able to identify the source of the payload and, with the help of an IT security company, develop a malware signature that was used to stop the ransomware from propagating. The utility company’s network was also reconfigured to block the malicious website from delivering more payloads.

But it wasn’t just office staff who had clicked on the malicious link that sparked the attack. Remote workers also had their computers compromised by the same ransomware. To prevent further damage, the MSSP cut off remote access to corporate resources until all the affected computers were free of ransomware.

And the work did not end there. The MSSP performed a deep scan of the company’s network and employee devices for further traces of TeslaCrypt. Any remaining copies of the phishing emails that served as the vector for the attack were deleted.

With the growing number of cyber attacks, it should come as no surprise that demand for managed security services has been growing in recent years, both globally and in the Asia-Pacific (APAC) region.

According to IDC, the security services market in APAC excluding Japan was worth $4.23bn in 2016, and will grow at a compound annual growth rate of 20.5% between 2016 and 2020.

Among various security services segments, managed security services (MSS) accounted for $1.58bn, which translates to 37% of the total market in 2016. Over the next three years, the MSS segment is expected to reach $3.86bn, says IDC.

Desire for better security

IDC believes the rise of professional and MSS offerings will be driven by the desire for better security outcomes and a resilient security posture for organisations.

“These are challenging times for security professionals, given the greater urgency for businesses to address cyber security,” says Cathy Huang, senior research manager for security services at IDC Asia-Pacific.

“As organisations transform to become more digitally enabled, they will fundamentally alter their enterprise technology and process architectures, data value chain and risk appetite. These changes, in turn, create new security challenges that organisations have never faced before.

Citing IDC’s research, Huang notes that more than half of APAC organisations are already using MSS to augment their in-house cyber security capabilities, while shifting cyber security spending to a more predictable operating expenditure model.

“Engaging an MSSP definitely brings a multitude of benefits to businesses,” says Foo Siang-tse, managing director of Quann, a Singapore-based MSSP. “For starters, businesses get access to skilled, trained and experienced cyber security professionals, without needing to invest considerable resources into attracting, hiring, training, upskilling and retaining talent.”

Doing so also frees up an organisation’s internal resources to focus on more critical areas of cyber security that cannot be outsourced because of data sensitivity, such as managing the trade-offs for cost, security and business agility, says Foo.

“With its scalability, coverage and presence of a dedicated cyber security team, a MSSP is in a better position to provide timely threat intelligence to businesses, offer quicker and more accurate detection of threats and prompt response to attacks as soon as they arise,” he says.

“In Singapore, we know some enterprises have as many as 30 security vendors in their environment and they are turning to an MSSP to streamline and consolidate security infrastructure and spending, with the aim of enhancing transparency and integration of security across all levels.”

Sid Deshpande, Gartner’s principal research analyst, says MSSPs offer a cheaper and faster way for organisations to obtain detection and response capabilities, rather than setting up their own security operations centre (SOC) or buying dedicated security information and event management (SIEM) systems and analytics tools.

“However, because it is a shared service, the avenues for customisation of service delivery are very rare,” he says. “Therefore organisations need to start out on their MSS journey with clear scoping of the service delivery model they expect and proper expectations of what the service can and cannot deliver.”

Read more about cyber security in APAC

Most MSSPs offer a buffet of services, ranging from monitoring and management of firewalls, intrusion detection, secure web gateways and other security infrastructure elements, to newer services such as detection and response, threat intelligence, security monitoring of public cloud environments, managed network traffic analysis and Network forensics.

In deciding which aspects of IT security to outsource to MSSPs, Derek Lok, director of solutions consulting at CenturyLink Asia-Pacific, notes that the “security controls” offered by an MSSP should be proportionate to the value of the asset that needs to be protected.

“Organisations need to define the bottom line and acceptable risk level and evaluate their existing people, process and technology capabilities with regard to IT security,” he says.

“When the risk outweighs internal capabilities, that’s when the organisation needs to consider outsourcing. Signature-based tools that provide alerts can be retained in-house, but organisations should seek third-party support for gaps that require skills and expertise that are not available.”

Lok says organisations should also be mindful, when using outsourced security services, of combating threats that are too overwhelming to deal with. This is especially the case for attacks that emerge from well-funded, organised and globalised cyber security criminals. “Only an MSSP with global threat intelligence capabilities can give organisations a fighting chance,” he says.

When assessing an MSSP’s capabilities, IDC’s Huang advises firms to consider areas such as SOC automation, proprietary capabilities, the extent to which it leverages industry partnerships, availability of cloud delivery models and professional services to help its clients build a business case for security outsourcing.

And with cyber security expertise in high demand, Huang says it is also important for MSSPs to be able to retain their own talent.

However, organisations that have outsourced some aspects of cyber security to MSSPs should take responsibility for their own cyber security, she says. “You can outsource security, but you can’t outsource the risks or reputation damage when things go wrong. Enterprises should retain in-house capabilities to provide checks and balances against what their MSSPs are doing, as well as to uphold a holistic cyber security strategy.”

Read more on Managed services and hosting services