Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

Five Questions to Ask When Evaluating Managed Security Services

It’s All About the Threat: Five Questions to Ask to Make Sure you Stay Focused

It’s All About the Threat: Five Questions to Ask to Make Sure you Stay Focused

Lack of cybersecurity talent coupled with the increasing complexity of threats and networks, a heightened regulatory environment, and an accelerating pace of innovation is driving many organizations to look outside their walls for cybersecurity protection. In fact, Gartner has predicted that the global market for security outsourcing will grow from $12 billion in 2013 to more than $24.5 billion by 2017.

However, finding the resources to address the evolving cybersecurity landscape effectively can be challenging. Today’s attacks are stealthier than ever. To understand and protect against them, organizations need to mobilize all aspects of their defenses to focus on the threat, including services. It’s about gaining visibility and control across the extended network and the full attack continuum – before an attack happens, during the time it is in progress, and even after an attack may have been successful, with information stolen or systems damaged. This new threat-centric model is driving changes in cybersecurity technologies, products and services alike.

Hand Asking QuestionsThe first wave of managed security service providers (MSSPs) focused on getting products and tools up and running, maintenance, upgrades, and training. But today, effective cybersecurity services need to be based on an in-depth and continuously evolving knowledge of the threats themselves, not just the operations of the technology. Reflective of a new era in how we must address cybersecurity, some industry analysts are starting to call this next wave of security services MSSP 2.0.

Based on in-house security skills, budget, and competing business priorities you may choose to outsource more or less of your cybersecurity needs. Wherever you fall on the outsourcing continuum, when evaluating managed security services the following five questions can help ensure you get the support you need to stay focused on the threat.

1. What types of telemetry data form the basis for your visibility and detection capabilities?

If the answer is simply flow or log data that isn’t enough. Other data, such as protocol metadata (i.e., data extracted directly from packets traversing the network) is a rich source of insights into today’s more popular attack methods like ‘watering hole’ attacks and phishing campaigns that contain links to malicious sites. In these cases, the ability to incorporate HTTP metadata in a telemetry model provides the depth of information needed to help detect web-based threats. With more data the more effective the MSSP will be in zeroing-in on anomalies and that’s a key capability to finding the needle in the haystack.

2. How are you performing analytics on that data?

With the introduction of more data, simple analytics models such as correlating log data against rule sets fall short, particularly if they do not function in real-time. Advanced, real-time big data analytics techniques are essential to leverage the large amounts of data gathered, not just locally across the enterprise but globally through community-based threat intelligence. This level of analysis isn’t based on rules that attackers can understand and evade, but is predictive and uses dynamic statistical modeling to identify anomalous behaviors from granular, customer network baselines and other indications of compromise (IoCs) to pinpoint likely malicious activities. Regardless of the number of telemetry sources used, applying robust analytics to data rather than simple correlation will make detections high-fidelity.

3. Where do you keep that data and how do you protect it?

You’ll need to understand if the data is held onsite at the MSSP’s data center or in the cloud. Depending on the type of data your organization has, the compliance requirements you face, and the guarantees the MSSP provides, you’ll need to decide if the answer is adequate or, if not, if they can offer an alternative approach. This is an individual choice for each organization and must be based on the comfort level of all parties affected from the technical, legal, and business sides of the organization.

4. What do you report on?

Data is great but you need to be able to understand and act on it. You need a level of assurance that the data is correlated to provide context so that the information you’re getting is relevant to your environment and prioritized. In this way you can focus on the threats that matter most. Time is of the essence when dealing with advanced targeted attacks with a specific mission. Understand if the MSSP is able to present you with only vetted, high-fidelity information versus an endless list of events that require further analysis and investigation only to find these were needless alerts.

5. How can you help protect my organization against unknown, zero-day attacks? –

To detect and protect against zero-day threats you need to be able to go beyond traditional point-in-time approaches with capabilities that let you monitor and apply protection on an ongoing basis across your extended network. That’s where the value of a large set of detection telemetry coupled with predictive analytics and statistical modeling really becomes apparent. This moves beyond mere event correlation that MSSPs have offered for years. In combination, these capabilities can pinpoint nearly imperceptible IoCs and anomalies to help you identify these particularly stealthy and damaging attacks.

Given today’s business, regulatory, and cybersecurity challenges more and more organizations are looking for outside, expert help to protect their environments from cyber attacks. By asking these key questions you can help ensure you’re staying focused on the threats themselves in order to gain the protection you need.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

CISO Conversations

In this edition of CISO Conversations, SecurityWeek speaks to two city CISOs, from the City of Tampa, and from Tallahassee. 

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.