In 2020 a Russian cyber-espionage group hacked the supply chain of SolarWinds, a large software firm that sells Orion network management products to more than 30,000 customers worldwide, including IT giants like Microsoft and Intel, as well as major telecoms, Fortune 500 firms and, most alarmingly, government agencies with sensitive information like The Pentagon, National Security Agency, and even the Office of the President. The hackers introduced malware into updates to the Orion software to access SolarWinds’ customers’ networks, systems and data. The infected updates spread naturally to SolarWinds’ supply chain partners and, because SolarWinds’ customers used it to manage their own customers’ networks, systems and data, the hackers breached those, too.
It was the most extensive cyberattack of this century, but it resulted from a minuscule act of carelessness — a SolarWinds intern used a weak password on his computer and created a vulnerability the hackers exploited.
If the company had used an MSP, the hack would never have happened.
Types of Attack
Cyberattacks have been on the rise every year since the early 2000s, in step with the major information technology developments of the age. The following types have become more common.
Network intrusion. The more Net-enabled organizations became, the greater their threat surface grew. Like SolarWinds, they had thousands of egress points that presented potential vulnerabilities for hackers.
Phishing. As network traffic compounded, users were overwhelmed and grew less rigorous about opening strange emails and other communication. Hackers phish by sending genuine-looking communication to trick recipients into opening a file or following a link that implants malware on their devices. The malware creates a vulnerability so hackers can perform identity theft by appropriating victims’ banking or other information, which they then use to steal funds from bank accounts or carry out other nefarious activity. Hackers now even use machine learning to create and distribute many more fake messages, so the likelihood that recipients will open them greatly increases.
Hackers target organizations’ clouds now that organizations are migrating more content to the cloud. Cloud deployments may lack controls such as encryption or authentication when IT departments lift and shift content to the cloud but leave its security behind. Many organizations have multicloud or hybrid cloud environments with services from multiple providers. These environments are difficult to secure.
Hackers target remote workers in hybrid work environments who may be lax about securing their own devices or whom IT staff have been lax in securing.
Ransomware is rampant now. Hackers either steal and encrypt a company’s data and then demand a ransom to have it returned, or they do the same with sensitive data and threaten to publish it if the ransom isn’t paid.
Digital transformation puts more data in digital form, creating a greater threat surface. Organizations may not scale security sufficiently to guard against hackers exploiting new vulnerabilities.
Internet of Things projects proliferate smart devices and internet connections to them, which creates a larger, less manageable threat surface. Hackers use devices near victims such as their smartwatches to indirectly hack into data on computers and phones.
Hackers are leveraging advanced artificial intelligence for more sophisticated hacking, using deepfakes and synthetic audio and video to dupe companies into revealing information.
Almost always, cyberattacks originate outside the organization. Security breaches from the inside are due mostly to vulnerabilities resulting from poor security practices and policies. An organization may economize on security training, so workers can’t spot, say, obvious phishing attempts, or they use weak passwords. Most organizations still rely on a single username and password to access their systems and forgo the better security of two-factor authentication. They may not invest in the best security tools, say, for network monitoring and management. They may not secure network devices like routers and office devices like printers that can be exploited to hack computers. IT staff may not prioritize software upgrades and security patches to fix vulnerabilities. They also may fail to perform regular data backups to multiple locations to ensure that a copy of data stolen from one location is still available elsewhere, so they aren’t vulnerable to ransomware attacks. In hybrid work environments, IT staff may fail to secure employees’ own devices or to provide them with tools like password managers. They may have adequate security policies but not enforce them.
In any case, new technologies and practices are creating more expansive and complex digital environments. The resulting threat surfaces are always changing, so they’re never impregnable.
Defining the Providers
There are two types of Managed Security Providers to which enterprises can outsource security for a fixed, predictable monthly price and cut costs by retaining fewer security personnel. Both types detect and respond to security incidents. Managed Security Service Providers (MSSPs) provide automated monitoring and management of security devices, systems and networks. Services include managed firewalls, intrusion detection and virus protection, generally for a contracted time of day — say, peak business hours. They react to attempted or actual breaches and automatically send alerts to the customer — but the customer must respond to them and address the damage done.
Managed Demand Response providers (MDRs) also use technology to do monitoring and management but supplement these methods with onsite or remote security staff who perform activities like proactive threat hunting. Humans monitor and respond to more of the customer’s infrastructure, from smartphones to hard drives, operating systems to networks, and clouds of various vendors, and do 24x7 security. They also provide professional services like customizing an organization’s security solution. They use more, and more advanced, forensic tools than MSSPs, so they can do deeper analysis of complex infrastructure. Analysis determines the type of each incident and posts incidents ranked by severity to a dashboard. Filtering winnows down alerts, say, by spotting false positives and weeding out duplicates, so staff don’t burn out from relentlessly investigating alerts. MDRs, not the client, respond to breaches, and almost instantaneously, so they preempt damage. The nature of the response is defined in the service contract and can range from a simpler one, like defined actions on a limited set of assets, to a complex one, like doing whatever needs to happen anywhere to secure the enterprise.
When budgeting for services from either provider, organizations are best served doing so based on risk; that is, mitigate the threats with the greatest potential for damage rather than those with a high likelihood of occurring. Customers can then pick an MSP with the unique expertise for securing that content. For instance, a customer storing its most sensitive content in a multicloud environment would want a provider with security certifications from the major cloud providers.
Why Buy?
Renting managed security from specialists is almost always cheaper, faster to deploy, and more likely to provide bulletproof security than building solutions in-house. There is a severe shortage of highly qualified security experts in the IT industry, and the emergence of new computing models like cloud computing, work models like hybrid workplaces, and more advanced technologies like AI have only exacerbated the skills deficit.
MSPs, meanwhile, continue to innovate. For example, MSSPs can transform into what are called Master MSSPs. As well as serving their business customers, they rent practices and technology to customer MSPs, so the latter eliminate the cost of building a service, grow quickly, and further cut costs and improve performance through better economies of scale.
Hackers, of course, study the behavior of MSPs and adapt their strategies and technology to circumvent new security measures. Cybercriminal gangs have even emulated the managed security model to better combat MSPs: they’ve developed hacking solutions they sell to other hackers, who supplement them with their own expertise to better hack their preferred target organizations.
The Value Proposition
A cyberattack can be catastrophic for an organization in terms of money and customers lost. Renting security for thousands a month can avert losses in the millions in a minute and prevent irreparable harm to an organization’s reputation that causes customers to leave. The value proposition for managed security could not be more compelling. Doing security any other way should be the exception, not the rule, for organizations operating in today’s threat-intensive cyberspace.
Best Fit for MSPs
When shopping for MSPs, organizations can generally differentiate between the two types based on several requirements.
MSSPs are better for organizations that:
- Are cost-constrained
- Are SMBs
- Have a modest threat surface
- Have less complex infrastructure
- Don’t need 24x7 coverage
- Have in-house staff to respond to alerts
- Can tolerate longish response times
- Need alerts-only service
- Have an abundance of time to track and fix a multitude of alerts
- Don’t have partners and suppliers a breach would harm
MDRs are better for organizations that:
- Are not cost-constrained
- Are larger enterprises
- Have an extensive threat surface
- Have complex infrastructure
- Need 24x7 coverage
- Need security experts to supplement in-house staff
- Need fast response times with no business disruption
- Need deep sophisticated service
- Want a customized solution
- Have partners and suppliers a breach would harm
John Harney is President of SaaSWatch, a SaaS consultancy and IT journalism service where for over 30 years he’s consulted and reported on SaaS business strategies, technology and use cases and intelligent information management across all markets. He’s particularly focused on technologies related to Cloud, SaaS, AI and Content Services. You can reach him at 240.877.5019 and jharney583@gmail.com.