Tom: Hi, I’m Tom Field, Senior Vice President of Editorial with Information Security Media Group. My topic of conversation today is risk-based security, specifically what to look for in an MDR (managed detection and response) provider. I’m delighted to welcome to the virtual studio Lyndon Brown, Chief Strategy Officer with Pondurance. Lyndon, it’s a pleasure to see you again.
Lyndon: Great, Tom, thanks for having me.
Tom: So Lyndon, we continually hear now how threats are changing, evolving at rapid speed, and we know organizations struggle to keep up. So, what should organizations know about the different approaches to cybersecurity?
Lyndon: It’s a very great question, Tom. I mean, the reality is most organizations today are fighting yesterday’s cybersecurity battle. The threats of today, the infrastructure of today, the challenges of today don’t look much like they did a decade ago. If you think about infrastructure, DevOps, and the growth and the change in how we deploy IT infrastructure and other infrastructure, that has really made things move a lot faster with a lot fewer seatbelts, I will say. Another aspect is the IoT environment. We recognize, and it’s well documented, the number of things that are simply online now within an organization or potentially bringing external threats to an organization are just dramatically different. Additionally, the threat actors, the human beings who are out there often on other sides of the world but could even be next door, have changed their motives, have changed their mechanisms, and as humans do, they adapt.
The last thing I will mention as well is the cyber insurance market looks a lot different than it did even 10 years ago. It’s much harder to get cyber insurance and to prove that you’re doing all the right things, and these are all things that play a role in terms of how organizations have to think about security today. I would say it’s not just one thing specifically that is really changing things for an organization, but it’s really a confluence of these things all working together. And the way I would sum it up is that every organization’s risk profile is fundamentally different, and for too long, we looked at it as if the definition of good security or great security was a monolithic thing, and the fact of the matter is that it simply isn’t.
Tom: I hear lots of security leaders pay lip service to the risk-based approach. Not sure they have a common definition. Tell me from your perspective what the risk-based approach is and what do we need to do to get there?
Lyndon: To define risk-based security, I’ll start by defining what it’s not. Many organizations are doing one of two things. There’s one strategy that I like to call random acts of security. It’s effectively playing whack-a-mole, putting new things in place and reactively adding things to the basket but not really having a strategy behind it. Another approach I look at is really generic security program building. Downloading a framework from NIST or somewhere else and effectively checking off boxes related to different capabilities, etc. But both of these options completely ignore what the business cares about, what the business is up against, and the components and infrastructure that an organization has to actually defend. Risk-based security really turns things around and starts with the business, starts with what would be the biggest and greatest risk to an organization. What is actually worth protecting? What is the business trying to accomplish? Which risks are acceptable? Which risks are not acceptable? Then, really building the security program from there. Risk-based security really requires that mentality but also requires the capabilities to actually support and drive that forward, so understanding your risk internally, understanding the threat landscape, understanding your assets, and then actually being able to apply that knowledge once you have a handle on it.
Tom: Let’s talk about managed detection and response. As you know, many organizations are turning to MDR providers now to be able to get the 24/7 security operations they need and to deal with their internal resource gaps. If a customer wants to implement a risk-based security approach, is the MDR space evolving sufficiently to support them in their desire?
Lyndon: Unfortunately, Tom, I would say, simply put, no. I would say most categories in the security shopping cart have not as well. These technologies and capabilities were designed for yesteryear with a strategy that really is outdated. If you think about the experience that a customer has with a traditional MDR provider, it’s deploy its generic technology capabilities, configure it to some substandard, start monitoring, and really not having any knowledge or any insight into what’s being protected, why it’s being protected, what it impacts, and lacking complete context on visibility. One metaphor I think about is, with most MDR providers, it’s really like going to the DMV (Department of Motor Vehicles). You take a number, you sit down, and you kind of wait your turn until they call you. That’s really the experience that customers have with these providers, so it’s not something that you can really bolt on. It’s really something that has to be core in your strategy and core in how the platform is designed. A provider that takes a risk-based approach, you’ll know it by what they provide, the capabilities that they’re able to show and demonstrate throughout the process.
Tom: You’ve got great analogies by the way. Everybody knows exactly what you’re talking about. Now let’s talk about midsize organizations. With so many technologies and services available, how do these midsize organizations get started with evaluating the option that’s right for them?
Lyndon: The way I would look at it from a selection criteria perspective is I would ask my provider: How do they assess or determine my risk profile? What drives the set of detections, preventions, or other capabilities that you’re going to apply to my business? What level of flexibility and customization is available? I believe you can’t really apply a risk-based approach unless you have visibility, so transparency and visibility are also core. The last thing I’ll ask my provider would be: Are the controls you’re putting in place risk aware? So whether it’s prevention, detection, or response, how do any of those things differ depending on what I care about, what’s at risk, and what I’m trying to accomplish as a business? Those are quick and easy signs to determine if any provider, but particularly in the MDR category, is really taking a risk-based approach or if they’re more so taking up kind of an old-school approach to it.
Tom: Let’s get back to the topic of risk-based. What questions should these organizations be asking potential MDR providers to ensure they are taking a risk-based approach to cybersecurity?
Lyndon: One question I would say is: How do you map my policies? How do you take into account the specific policies that I have in my business, which is truly different from a business down the street? How do you provide data transparency so I know what’s going on behind the curtain and have confidence in the approach that’s being taken? What are my options for really customizing service components? Do I have to take everything that you offer or can I specifically slot in capabilities that fit something that’s on my priority list? Additionally, there are absolutely things in this world that you just want to block and you just want to prevent, no discussion and no conversation. I would want and I believe organizations should ask the provider: Do they have the ability to do those things? Is there prevention? Is there a bite or is it just all bark?
Tom: As you know, in our profession, we’re great at bolting on. What are some of the barriers, some of the issues you see with trying to bolt on to an MSSP (managed security service provider), whether it’s organizations on their own or by adopting an MDR provider?
Lyndon: So, a number of things. First is really the expertise, the tooling, and the capabilities to actually be able to understand their organization’s risk. If you’re effectively just trying to latch on something after the fact, it’s really not informed by any of those aspects. I’ll give a good example. Let’s say an organization really cares about a given server or a given component in their infrastructure, and they want to make sure that it is deeply interrogated, protected in a variety of different things. If that context isn’t leveraged in the deployment, the instrumentation, the prevention, the detection strategy around that capability, simply latching on the fact that it’s an important device as an enrichment, as a post-processing enrichment step, really missed the whole point upstream or the opportunity upstream to change how you’re actually defending or protecting that particular asset, etc. So that’s an example of where you could have good intent but really miss the mark in terms of the real opportunity here. You know, the spectrum of organizations out there, there are not many organizations that are doing nothing in security, but there are some that are effectively trying to hide the noise and do almost nothing. There are some organizations that are also effectively treating their whole company like Fort Knox. You can’t do anything unless you have all these different controls, etc. The reality is most businesses have to live somewhere between those two edges. You have to be able to enable the business to grow, to transform, to take on projects to meet your customers where you are, etc., but you also need to be able to secure all of those activities, and without a risk-based approach, it’s impossible to get it right if you’re just throwing a variety of security controls in place without that being informed by the business you’re in and what you’re trying to accomplish.
Tom: You know, I’m gonna bring it back to Pondurance. How are you helping your customers embrace risk-based security and get the most out of MDR?
Lyndon: Pondurance is the first and only MDR provider to be built around a risk-based approach. It’s not an afterthought, it’s not something we’re bolting on. It’s core and foundational to how we actually deliver our service. One of the capabilities that we have that’s very unique in the industry is a capability called MyCyberScorecard, and that allows us to understand the organization’s policies, their concerns, their priorities, and we enrich that with threat information, control information, etc. to help an organization really design a security program and put detection and response in place that is customized for their specific needs. So, no more generic security, no more random acts of security, but it’s really about having a security program that’s purpose-fit for your business but still enabling rapid deployment and 24/7 response.