MY TAKE: The case for assessing, quantifying risks as the first step to defending network breaches

By Byron V. Acohido

It’s clear that managed security services providers (MSSPs) have a ripe opportunity to step into the gap and help small- to medium-sized businesses (SMBs) and small- to medium-sized enterprises (SMEs) meet the daunting challenge of preserving the privacy and security of sensitive data.

Related: The case for automated threat feeds analysis

Dallas-based Critical Start is making some hay in this space — by striving to extend the roles traditionally played by MSSPs. The company has coined the phrase managed detection and response, or MDR, to more precisely convey the type of help it brings to the table.

I had the chance to meet with Randy Watkins, Critical Start’s chief technology officer at Black Hat USA 2019. Since its launch in 2012, the company has operated profitably, attracting customers mainly in Texas, Oklahoma, Louisiana and Arkansas and growing to 131 employees.

With a recent $40 million Series A equity stake from Bregal Sagemount, and fresh partnerships cemented with tech heavyweights Microsoft, Google Chronicle and Palo Alto Networks, among others, Critical Start is on a very promising trajectory. It wants to grow nationally and globally, of course.

Even more ambitiously, the company wants to lead the way in pivoting network security back to a risk-oriented approach, instead of what Watkins opines that it has all too often become: a march toward meeting controls-based checklists. We had a fascinating discussion about this. For a full drill down, give a listen to the accompanying podcast. Here are excerpts, edited for clarity and length:

LW:  What’s the difference between taking a ‘risk-oriented’ versus a ‘controlled-based’ approach to security?

Watkins: Security really is the art of handling risk. We used to enumerate the risks that exist inside of an organization, try to assign a value to the impact it would have, if that risk was exploited. And then we’d assign either mitigation or acceptance or transference of the risk, based on potential impact and the probability that it would happen.

What security has turned into – and not for the better, in my opinion, — is more of a controls-based model where if you have certain technical controls in place, then you’re considered to have this inherent level of security. But we never went back and quantified what you were secured against.

LW: Why is that not working, especially as we’re undergoing digital transformation?

Watkins

Watkins: There’s no way to avoid technical controls . . . but a controls-oriented model won’t necessarily be tailored to your organization. We’ve got plenty of good frameworks, from SANS Institute, NIST and ISO, that give long prescriptive lists of different controls that should be in place. But if you look at how your business operates and ask if it makes sense to put in some of those controls, ultimately what it comes back to is: ‘is the juice worth the squeeze.’ Or did you spend a lot of money to mitigate something that may never happen, or it’ll be a very low impact if it does happen?

LW: What approach do you believe would be more effective in today’s environment?

Watkins: Let’s revert back to risk-based. So let’s start off by identifying what would really hurt your organization? And then let’s decide what the probability is of that actually happening. And if that were to happen, what theoretically would it cost? CFOs are very good at assigning dollar amounts to potential risk. You can then decide, ‘Are we mitigating? Are we accepting? Or are we transferring risk?’ Every organization should understand their footprint and what would adversely affect their ability to generate revenue.

LW: Will this approach also help an organization anticipate evolving risks?

Watkins: Nailed it. Yep. You should always be looking at different threat vectors. If there is a successful attack, was that on your risk mitigation list? Did somebody sign off on accepting that risk? Or was it just absent? And if it was absent, how come? Is it new, or is it something that we just missed? And then quantify all of that. Do we spend the time and resources to mitigate, or do we just accept the risk, or transfer the risk, based on probability and impact?

LW: How does Critical Start put this into practice?

Watkins: This was the foundational approach that we started off with. We didn’t want to just go in and push a bunch of boxes that may or may not help an organization. We wanted to go in and understand what keeps the organization awake at night. We recommend prescriptive controls based on what they can put in place and what they can operationalize that will actually help.

LW: What’s the strategy behind your recent partnerships?

Watkins:  We’ve had historical relationships with Cylance, Carbon Black, Open DNS and Splunk. And now we’re starting to explore other partnerships as well. Namely Palo Alto Networks, Microsoft, and Chronicle, which just got spun out of Alphabet and back into Google Cloud Platform. We’re excited to be working with these guys. We’re looking at who’s really doing something new, different and interesting —where we can add value.

For instance, Microsoft E5 licenses are becoming popular, as a one-stop shop to get everything from Windows and Office to communication and security. So, we’re going to be performing our managed detection and response services around their security portfolio. . . Chronicle is disrupting the industry with their pricing model and their delivery speed, which drastically lowers the dwell time for attackers. We’ve been working with their product team to go through the usual workflows of an incident responder, everything from detection all the way through remediation.

LW: I didn’t realize you guys mainly operated in the Southwest. With this new funding, should we look for your services to be made more widely available?

Watkins: We’re based in Dallas. Our 24 by 7 by 365 Security Operations Center is in Plano, that’s where our MDR services are rendered, and it’s growing. We see a need in the market lingering out there, with customers unsure of how to get past this issue of false positives . . . and really having no ability to detect and respond to attacks that are already being detected by their endpoints, but just buried amongst a litany of other alerts.

We’re approaching the market with a new way to resolve the problem of reducing false positives at scale. And that’s not a localized problem, it’s a global problem. So, we want to make sure that we could go to market across the U.S. and really help companies coast to coast.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone