Managed Security Services Provider - Fears and Issues
October 25, 2018
In this inaugural podcast from EisnerAmper and CloudAccess, Jerry Ravi, Partner in Charge of EisnerAmper’s Process, Risk and Technology Solutions, and Kevin Nikkhoo, CEO of CloudAccess, introduce the concept of a Managed Security Services Provider (“MSSP”), and the fears and issues that typically lead a company to seek out an MSSP.
KC: What exactly is a managed security services provider?
JR: A managed security service provider (MSSP) basically provides outsourced monitoring and management of the devices and systems inside a company. It could include anything from their firewall, their intrusion detection system or virtual private network or VPN, anything that they're doing, including anti-virus. It's basically an aggregation of data, and it's also the outsource function. It's the people that they're using to actually manage that function and help monitor. That's what an MSSP does for a company and its 24/7 services. It basically reduces their footprint in terms of having personnel doing it on their own, inside their company.
KN: From a customer perspective, the vast majority of the customer enterprises do not have the capabilities, the resources, the manpower to be able to look at the large volume of data that goes through the organization through the IT systems. So hiring and retaining staff, managing the data 24/7, and being able to look at the threat analysis on an ongoing basis makes it very difficult for organizations to do it on their own. That's why MSSPs add a lot of value, because they are focused on that issue and they continuously monitor the threat landscape and identify what are the latest and most recent attacks. Based on that, they look at how they can protect the customers, and they also continue to upgrade their own systems and software so that they become more skilled in finding those threats in real time.
JR: From my perspective—sitting in Process, Risk and Technology Solutions—being a provider of tech solutions, bringing process improvement around security, our clients typically have to deal with issues of retaining and training their people. That's really where the operational security component of MSSP comes in. It's very difficult for enterprises to actually hire, retain and make sure they're staying on top of all the different things to maintain an acceptable risk and security posture for the organization.
KC: What typical fears or issues are you seeing in companies prior to engaging an MSSP?
JR: What we're hearing at our clients, and again, coming from a risk perspective, it's very difficult for them to maintain a good risk posture. They're unable to look at all of the risks, so they don't know what they don't know. They have a lot of devices; they may have many different cloud providers that are supporting the organization and their IT footprint. It's very difficult for them to actually look at everything holistically. I will tell you, it's all about the data. There's a lot of data and logging that occurs, so for an organization to do that without a managed service provider is very difficult because MSSPs can bring a lot more talent to the table and more services with the aggregation of data. That's really a matter of correlating the data, and having people do that has been a challenge for a lot of our clients. The biggest fear is really something happened and a CFO or an executive is going to get a call in the middle of the night that something’s happened that wasn't even on his/her radar. Unfortunately, that happens too often. Are we managing it the way we should be internally? Are we handling it all on our own? How do we do it better? C-level executives are continually looking at it that way. What do we need to do to improve our security posture? What do we need to do to improve how we are monitoring? How do we deal with the response?
KN: From experience, I can tell that most executives are concerned about the lack of visibility, what's happening in the environment, and whether they're getting an appropriate level of alerting. I can give you an example of a customer who actually bought appliances to look at what's happening in the environment, and that didn't work. Then they bought software to do the same thing, and that didn't work. The reason was the large volume of data that was coming through 24/7 and they didn’t have the resources to analyze that data. The C-level executives were asking about the situation in our environment. Why am I not getting the alerts? We bought the product. So they're trying to solve the problems, the security risks that we are facing in real time. That's something that an MSSP or a solution provider that's focused on security can resolve easily because they are focused on delivering that 24/7.
JR: That's very important from an executive standpoint which is what we deal with for the most part—whether it be audit committee, any C-level executive, including a chief risk officer of a larger enterprise. They have the issues of receiving a very pointed executive dashboard and looking at that dashboard and the threat analysis that's around the organization. Again, what is the process in place to look at 24/7 and can they do that without actually having an MSSP? I know that’s very difficult for the smaller and mid-sized organizations. That's usually what the value add is, being able to see a 24/7. I'm looking at the threats, alarms, alerts, and incident responses. That's what the team and the security analysts are doing for an organization.
KN: The way we resolve this issue is by giving the same access that our security analysts have in our security operation center so that our customers actually get to see what we see. That includes every aspect of the platform, from executive dashboard to incident management, to a drill down all the way to the actual log to see what happened 24/7. They have access to that console and they could see whatever we see, the differences we have and expertise. We look at it very carefully and go into detail. We give the customer the alerts and alarms that they want to see so they don't focus on the large amount of data. So what's actually security related and important to the customer so that they focus on their core competency and we take care of the security for them. That's how we could remove some of the issues related to what's my visibility? Can I see everything that's going across my network?
JR: What I hear a lot is the issue of fear that we're looking at the data the wrong way because there's so much data and there's a lot of false positives. What ends up happening is, if it's done internally, we end up spending time. The team, let's say it's an internal security team, will spend time on things that don't matter. In essence, that could also be the fear that we think we're having an issue but it's actually not an issue. We've had clients that have a SQL server on the back end and they would come up with different aspects of the fact that there's an issue in vulnerability and SQL, but it's actually not. Or we've had it where there was an issue with a SQL server and the client never even had a SQL server. It’s just a total false positive and it has security folks internally focusing on that. That's just not a good scenario because what if they raise that up to executive teams? You see that on the dashboard and it's not something we should be focused on, it's just a false alarm. We have to be really careful of that, and it's just another fear.
KN: You're absolutely right. First of all, we adjust the level of threats or incidents that are coming through the network. We actually have our security analysts responsible for filtering the white noise out so the customer gets specific alerts that they want to see. We've had customers that come back and say, login failures in our environment are very common because our staff forget their passwords. So we don't want to get all the login failures at all levels, but we want to get it if it's at the C-level. If a CEO’s login is repeatedly failing, we want to know that. But we don't want to know if somebody who’s a receptionist, for example, if they forget their password. That's not as important. The adjustment of alerting is an important part of grading. What's important for the C-level is to be able to get the right information at the right time.
JR: And that can be customized to each organization.
KC: Jerry and Kevin, thanks for your expertise and this great insight. And thank you for listening to the EisnerAmper CloudAccess podcast. In our next podcast, we're going to address what clients should do before they engage an MSSP. We hope you'll join us. In the meantime, visit eisneramper.com for more information on this and a host of other topics.