By Byron V. Acohido
All companies today are exposed to intense cyber-attacks. And yet the vast majority simply do not have the capability to effectively defend their networks.
That’s where managed security services providers, or MSSPs, come in. MSSPs monitor and manage cybersecurity systems as a contracted service. This can include spam filtering, malware detection, firewalls upkeep, vulnerability management and more.
Related: Delivering useful intel to MSSPs
Companies are gravitating to MSSPs in a big way. The global market for managed security services is expected to rise to $48 billion by 2023, up from $24 billion in 2018, according to ReportLinker. That’s a hefty compound annual growth rate of 14 percent.
But not all MSSPs are created equal. And, in fact, it can sometimes be a challenge for a company to find a good fit with a MSSP.
Critical Start, a new MSSP on the scene, is striving to advance the tradition MSSP model. I had the chance to visit with Jordan Mauriello, Critical Start’s Chief Technology Officer, at Black Hat 2018. He told me an interesting tale about his role in helping launch Advanced Threat Analytics, the underlying technology for Critical Start’s MSSP service.
For a full drill down, please listen to the accompanying podcast. Here are the key takeaways:
Rethinking the platform
Five years ago, Mauriello was working at a large global credit bureau, managing the credit monitoring giant’s in-house Security Operations Center. He went shopping for a MSSP to come in and help to reinforce certain security functions. Try as he might, Mauriello couldn’t find precisely what he was looking for.
In 2014, Mauriello joined Critical Start, Inc., a Dallas-based value-added reseller. One day his CEO, Rob Davis, asked him to plan and launch a MSSP practice from scratch. Jordan initially declined, citing his frustrating experience trying to retain a viable MSSP at Experian.
Mauriello
Challenged by Davis to rethink the platform, Mauriello came up with three ingredients to build a truly effective MSSP. He opined that it takes a never-trust-anything, or zero-trust, approach to security; be 100 percent transparent to its customers; and be deliverable via a smartphone app
Davis told Mauriello: “Ok, let’s hire developers and build that.”
Mauriello took the ball and ran with it. Advanced Threat Analytics, or ATA, launched in 2015, is the managed detection and response, or MDR, engine he envisioned. Shortly thereafter Critical Start acquired ATA so other providers wouldn’t be able to leverage the technology.
Eroding effectiveness
ATA is a cloud-based security service designed to eliminate malware, and also respond quickly to breaches, when attacks do slip through. This approach addresses a core struggle companies face in trying to achieve robust security monitoring.
The vast majority of companies simply don’t have the wherewithal to build and staff in-house SOCs, much less keep dedicated security teams equipped with the latest, greatest tools.
“We continue to need to increase the power, the capability and therefore the complexity of security tools to meet the complexity of attacks,” says Mauriello. “As the attacks evolve, the tools evolve, and as tools evolve, they become more complex.”
The rising complexity that is part and parcel of digital transformation not only makes it impossible for companies to directly deal with security, it is also eroding the effectiveness of MSSPs following the traditional approach of managing multiple customers’ random infrastructures.
No two organizations are the same. And over the course of a week, an organization will get thousands upon thousands of alerts of different severity, flying in from myriad sources. Typically, an a MSSP might be retained to respond only to critical alerts and high alerts. It’s not untypical to take an hour to respond to a critical alert and eight hours for a high alert.
Vetting alerts
Meanwhile, an entire tier of lesser alerts can get completely ignored. “If we look at the breaches that happened in the last couple of years, they weren’t all critical and high alerts,” Mauriello points out. “In fact, the vast majority of them were a combination of medium alerts and breaches happening through trusted access inside the network.”
Critical Start seeks to make quicker, more effective use of the rich data sets flowing through its MDR technology. Traditionally, MSSPs derive alert criteria only after a suspicious incident has been detected and confirmed.
Critical Start flips that around. It takes a zero-trust approach under which everything is assumed to be malicious until it can meet criteria proving that it is safe.
Only after failing to meet the safe criteria does an investigation begin. “This leaves us with the ability to generate high fidelity alerts – alerts that are vetted — that we can focus the right amount of time on,” Mauriello says.
It’s an approach that’s working. For example, over a sample span of a week, 12 million alerts came in to the platform. “With the baseline and decision trees that we’ve built, we filtered out about 11.99 million of those,” Mauriello says.
And thanks to the mobile app platform, response time between customer and Critical Start’s team is quick. The mobile app means no one has to scan through dozens of emails about alerts, but rather they are contacted via the app when something looks suspicious. The customer can respond, and take action, immediately.
“Our response time is 12 minutes. We’re taking action on incidents in 12 minutes or less on systems that’ve been compromised,” says Mauriello. “That’s how you prevent a compromise from turning into a breach.”
Acohido
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
Last Watchdog’s Sue Poremba contributed to this report.
(Editor’s note: LW has provided consulting services to Critical Start.)
