Small and large businesses have been subject to successive waves of malicious cyber-attacks and accidental data breaches, which have spurred heightened spending and hasty decision-making on cybersecurity.
Weak cybersecurity practices and relying entirely on a provider are both unwise. Even if you have bought the “gold” package, you should still perform vendor assessment, internal review, and further validation of your security.
Are you watching the watchers?
Data breaches and ransomware attacks keep increasing with no sign of stopping, and the number of entrants in the space is soaring. Since the Covid-19 pandemic outbreak in March 2020, 15 new unicorns have emerged in the cybersecurity sector, six last year and nine this year. Gartner predicts $150bn will be invested in cloud cybersecurity in 2021.
Clearly, there is a need for greater cybersecurity (as well as venture capitalist funding), but are we in the best position to judge how well third-party cybersecurity providers are protecting clients and themselves?
Although we assume our cybersecurity vendor is highly competent, secure, and effective, we should not forget that vendors also have vendors. The supply chain ecosystem has become more complex and interconnected as “anything-as-a-service” platforms and software companies have made outsourcing easy and simplified processes for businesses of all types.
Outsourcing part or all of your proactive cybersecurity efforts is still a reasonable choice, provided you understand that every outsourced activity remains under your scrutiny. Regardless of how capable a vendor appears, one slight, barely noticeable kink in the process is enough for everything to come crashing down, and claiming ignorance afterwards is no longer an option.
The security gaps and the scramble to cover them
Businesses are scrambling to find add-on solutions for the latest malware protection and opting for the enterprise-grade tier features, but these still do not render a system impenetrable.
Security gaps will always remain because there is no perfect technology. Continual updates and system changes introduce new bugs that attackers may exploit, or a data leak that goes undetected. Add-ons also add complexity, and a poorly understood interaction between products can silently disable another control that nobody intended to switch off.
Organizations commonly rush the implementation and deployment of new security tools in response to industry news and stakeholder panic. Yet even the most expensive solution is useless if it has not been configured correctly.
In light of this, it is essential to thoroughly test your defensive perimeter for gaps after every deployment, so that you find them before an attacker does.
How to know if your cybersecurity vendor is protecting you
Many organizations have a Security Operations Centre (SOC), which comprises teams, processes and technologies. Its primary focus is to detect, prioritize and mitigate cyber incidents and risks.
In its simplest form, a SOC should:
- Monitor and manage: firewalls and unified threat management technology, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), web and email gateways.
- Conduct short-term analysis and logging of real-time data feeds for potential cybersecurity threats.
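As an added example of the short-term analysis a SOC performs on a real-time feed (this is illustrative code written for this article, not any vendor's SOC tooling), the script below takes a constructed, interleaved feed of firewall, IDS and email-gateway events, groups them by source host, applies a scoring rule and decides which hosts to escalate. The key=value log layout, the signature names and the scoring weights are all assumptions chosen for the example.

```python
"""Added example: short-term triage of a constructed real-time SOC feed.

Hypothetical illustration, not from any vendor's SOC tooling. The log lines
below are constructed; the key=value layout and the scoring weights are
assumptions chosen for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample feed: firewall denies, IDS alerts and an email gateway
# event, interleaved as a SOC would receive them from several monitored devices.
SAMPLE_FEED = """\
src=firewall ts=1 sip=203.0.113.7 dport=22 action=deny
src=firewall ts=2 sip=203.0.113.7 dport=3389 action=deny
src=firewall ts=3 sip=198.51.100.9 dport=443 action=allow
src=ids ts=4 sip=203.0.113.7 sig=ET_SCAN_Nmap severity=2
src=firewall ts=5 sip=203.0.113.7 dport=445 action=deny
src=ids ts=6 sip=198.51.100.9 sig=ET_EXPLOIT_Log4j_RCE severity=1
src=mailgw ts=7 sip=192.0.2.44 verdict=quarantined
src=firewall ts=8 sip=203.0.113.7 dport=8080 action=allow
"""

# Assumed weights: a severity-1 IDS hit dominates, scanning behaviour adds up,
# and a burst of denies followed by an allowed connection is worth a look.
IDS_WEIGHT = {1: 50, 2: 20, 3: 5}
DENY_WEIGHT = 3
ALLOW_AFTER_DENY_BONUS = 25
ESCALATE_AT = 40


@dataclass
class HostSummary:
    denies: int = 0
    allows_after_deny: int = 0
    ids_hits: list = field(default_factory=list)

    def score(self) -> int:
        return (self.denies * DENY_WEIGHT
                + self.allows_after_deny * ALLOW_AFTER_DENY_BONUS
                + sum(IDS_WEIGHT.get(sev, 0) for _, sev in self.ids_hits))


def parse_line(line: str) -> dict:
    """Split one key=value event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def summarise(feed: str) -> dict:
    """Group events by source IP and accumulate the signals we score on."""
    hosts = defaultdict(HostSummary)
    for line in feed.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        h = hosts[ev["sip"]]
        if ev["src"] == "firewall":
            if ev["action"] == "deny":
                h.denies += 1
            elif h.denies:
                h.allows_after_deny += 1
        elif ev["src"] == "ids":
            h.ids_hits.append((ev["sig"], int(ev["severity"])))
        # mailgw events are kept for the record but carry no host score here
    return dict(hosts)


def prioritise(feed: str) -> list:
    """Return (ip, score, decision) tuples sorted by descending score."""
    ranked = []
    for ip, h in summarise(feed).items():
        s = h.score()
        ranked.append((ip, s, "escalate" if s >= ESCALATE_AT else "watch"))
    return sorted(ranked, key=lambda r: -r[1])


if __name__ == "__main__":
    for ip, s, decision in prioritise(SAMPLE_FEED):
        print(f"{ip:15} score={s:3} {decision}")
```

On the constructed feed, 203.0.113.7 (three denies, a scan signature, then an allowed connection) and 198.51.100.9 (a single severity-1 exploit signature) are both escalated, while the host seen only at the mail gateway is left on watch. A real SOC tunes the weights and thresholds to its own environment; the point is that the feed is reduced to a ranked, actionable list rather than left as raw events.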
A business’ SOC may be entirely in-house, entirely outsourced, or a hybrid of the two. However, the most critical aspect of a SOC, no matter its makeup, is its appropriate and relevant services to the organization it serves.
Here is a good way to check and review this:
- Determine which cybersecurity controls exist but are not being effectively employed. There might be technical difficulties, a lack of expertise, or even failure to deploy.
- Identify the services your organization wants (e.g. threat intelligence) but can’t implement due to a lack of qualified staff or an inability to operate at the scale needed.
This quick two-step analysis will show the gaps you have, so you can start working towards filling them. You might find, as a result, that more advanced services are needed, such as:
- Long-term analysis of data from monitored devices and incident responses.
- Management of vulnerability scanning tools and customer-deployed SIEM technologies.
- Threat intelligence.
Getting back to the credibility of a SOC vendor and assessing their own security and client security, here are some fundamentals to look out for.
- They provide a customer portal using MFA and role-based access control for entry, showing various analyses and reports customized for different user types.
- They provide a 24/7, 365 service via multiple communication methods.
- Their services can be integrated into your business’ security incident response.
- Their own services are distributed from a minimum of two geographically distanced sites to ensure redundancy and quick disaster recovery.
- Their own staff is certified in the cybersecurity technologies they’re offering.
- If compliance requires, they can offer services from a specific location.
Further security validation
While having a SOC vendor can reduce some of the time-consuming, admin-heavy elements and lighten the overall load of cybersecurity, performing additional security validation will give you confidence in your security posture.
Vulnerability scans hunt for known weaknesses within your systems and report back on them. Scanning is usually an automated, non-exploitative activity performed by software that probes hosts and services for known-vulnerable versions and configurations, and it can be scheduled for regular checks.
Penetration Testing (or PenTesting) is more active, in that an ethical “hacker” attempts to find vulnerabilities and exploit them as a malicious attacker would. A PenTest usually starts by validating the findings from the scanning process, then uses reconnaissance and exploitation tooling to go deeper than a scanner can.
Breach and Attack Simulations (BAS)
BAS sits between the do-it-yourself model and a fully managed service: software, usually delivered as Software as a Service (SaaS), runs on your network and simulates attacks using the same malware and hacking techniques an attacker would use. The primary focus is to trigger and monitor responses from your security controls without the damage of an actual attack.
BAS helps to:
- Identify gaps in your browser, email, and website defenses
- Check the strength of your firewall
- Test common social engineering tactics
- Test your endpoint security solutions
- Identify potential network attack vectors
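As an added example of the “check the strength of your firewall” and “identify potential network attack vectors” items above (illustrative code written for this article, not a BAS product's code), the script below evaluates a constructed firewall policy against a set of test flows, each carrying the verdict the perimeter is expected to give, and reports every flow whose actual verdict differs. The ruleset, the test flows and the expected verdicts are all constructed; a real BAS agent would send these flows across the network and observe what arrives rather than evaluating the policy offline.

```python
"""Added example: BAS-style check of a firewall policy against expected outcomes.

Hypothetical illustration, not a BAS product's code. The rules, the test
flows and the expected verdicts are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dport: Optional[int]   # None matches any destination port

    def matches(self, sip: str, dport: int) -> bool:
        in_net = ipaddress.ip_address(sip) in ipaddress.ip_network(self.src)
        return in_net and (self.dport is None or self.dport == dport)


def evaluate(rules, sip: str, dport: int, default: str = "deny") -> str:
    """First-match evaluation, the model most firewalls use; implicit deny."""
    for r in rules:
        if r.matches(sip, dport):
            return r.action
    return default


# Constructed policy with a realistic mistake: a broad "allow anything from
# the partner range" rule sits above the rules meant to block admin ports.
WEAK_POLICY = [
    Rule("allow", "0.0.0.0/0", 443),
    Rule("allow", "203.0.113.0/24", None),   # partner network, any port
    Rule("deny", "0.0.0.0/0", 3389),
    Rule("deny", "0.0.0.0/0", 22),
]

# Same intent, with the admin-port denies ordered first.
FIXED_POLICY = [
    Rule("deny", "0.0.0.0/0", 3389),
    Rule("deny", "0.0.0.0/0", 22),
    Rule("allow", "0.0.0.0/0", 443),
    Rule("allow", "203.0.113.0/24", None),
]

# (source, port, expected verdict): the simulation's assertions about the perimeter.
TEST_FLOWS = [
    ("198.51.100.5", 443, "allow"),   # public HTTPS should work
    ("198.51.100.5", 3389, "deny"),   # RDP from the internet must be blocked
    ("203.0.113.20", 3389, "deny"),   # ...including from the partner range
    ("203.0.113.20", 8443, "allow"),  # partner application traffic is fine
    ("198.51.100.5", 8443, "deny"),   # implicit deny for everything else
]


def run_simulation(rules) -> list:
    """Return (sip, dport, expected, actual) for every flow that missed expectations."""
    gaps = []
    for sip, dport, expected in TEST_FLOWS:
        actual = evaluate(rules, sip, dport)
        if actual != expected:
            gaps.append((sip, dport, expected, actual))
    return gaps


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        gaps = run_simulation(policy)
        print(f"{name} policy: {len(gaps)} gap(s)")
        for gap in gaps:
            print("  ", gap)
```

Against the weak policy the simulation reports one gap: RDP from the partner range is allowed because the broad partner rule matches before the port-specific deny. Reordering the rules closes it and the same flows pass cleanly. The same expected-versus-actual structure applies to the other items in the list, whether the control under test is an email gateway, an endpoint agent or a web proxy.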
Blue vs Red vs Purple Teaming
A game of opposition but with a twist to bring the enemies together.
As defenders, the blue team gathers all data and analyses it to defend against the attackers. A company’s own SOC or cybersecurity personnel usually handle this.
The red team uses ethical hacking methods to break into the system, discover vulnerabilities and exploit them. Red teams are often independent security teams brought in to test the security and response capabilities of the internal team in the event of an actual attack.
The purple team acts as the go-between, made up of members from both the red and blue teams. The aim is to share insight from each side to strengthen the organization’s overall security posture and to foster better communication and collaboration.
Cybersecurity responsibility is both shared and individual.
Evaluating SOC services and providers to ensure they meet the needs of the business and the requirements of the industry falls on the individual company. If you are not reviewing this regularly, you are at much the same risk as if you had no protection at all.
Knowing how your SOC provider implements and ensures their own security will give you the confidence and firsthand knowledge that you, as the stakeholder, have done all you can.
Despite its length and specificity, the checklist you hold your provider to is your ultimate line of defense.