Managed services benefits ease enterprise IT security woes

Transcript

Brien Posey: Hello, greetings and welcome. I'm Brien Posey, and today I want to talk about how managed services can help your organization to move fast while staying secure. So, just to give you a little bit of background about me before we get started, I am a freelance technology author and speaker with close to 30 years of IT experience. I'm also a 20-time Microsoft MVP and a commercial astronaut candidate. So, with that said, let's go ahead and get started.

You know, one of the things that I've noticed throughout my decades of working in IT -- and I'm sure many of you have noticed it, too -- is that IT moves at a much faster pace than it ever has before. Back when I first got my start, it was relatively common for the process of deploying a new workload or a new service to take weeks, if not months. After all, there was a lot of planning that had to be done. You had to acquire the hardware to run the workload on, and there were a number of other factors. And all these factors took time.

Today, however, you can deploy workloads in the cloud very, very rapidly. And in fact, we tend to hear a lot of talk about IT agility. Agility is the idea that as soon as an organization recognizes a business opportunity, then IT needs to be able to respond to that opportunity and deploy a workload very, very quickly. While there's nothing wrong with agility, there is a side effect to it. And that side effect is that IT pros almost always find themselves playing catch up, especially in terms of maintaining the skill sets that are needed in a rapidly changing environment. The especially frustrating part is that a lot of times there just aren't enough hours in the day to be able to do your job and to accomplish everything that's expected of you, plus learn all of the new skills that you need in order to adapt to this rapidly changing world. As if that weren't enough, we're in the era of ever-shrinking IT budgets. So, adding additional staff probably isn't going to be an option in most cases.

So, what's the solution to these problems? Well, one of the better options is to use a managed service provider to fill in the gaps in your IT environment. Now, IT pros are rightly skeptical about outsourcing. I mean, if you've worked in IT for any length of time at all, you've probably seen situations in which IT pros have lost jobs due to outsourcing. But having said that, outsourcing does have its place. The trick is to do it smart. You don't want to outsource your own job. But what you can do instead is to use outsourcing to a managed service provider to handle those tasks that you either don't have time for, don't have the skill set for or just don't want to be bothered with.

Outsourcing can have similar benefits to adding staff but without all of the bureaucratic hassles that you would typically get from HR. So, when it comes to IT outsourcing, one of your best options is to use a managed service provider -- which you often see abbreviated as MSP -- or a managed security service provider -- which is typically abbreviated as MSSP -- to handle your organization's security.

Now, one of the things that you have to understand is that there are differences between a managed service provider and a managed security service provider. A managed service provider is essentially just an IT outsourcing organization that handles general IT. So those types of organizations can do all sorts of things for you; they can do everything from setting up virtual machines to deploying firewalls. Now, a managed security service provider, on the other hand, focuses solely on security. And if you're going to be outsourcing security, it's best to use a managed security service provider because, generally, they'll have a greater degree of expertise than what you'll find with a managed service provider alone because security is their sole focus.

Now, one of the things that I want to talk about right off the bat is that it's easy to assume that by using a managed security service provider, you're going to undermine your compliance initiatives, or at the very least make compliance a lot more difficult. But, at least in some cases, the opposite can actually be true because one of the things that compliance auditors often look for is checking to see who in the IT department has access to which resources. And if you're outsourcing all of your security, then you may have a situation in which nobody in the IT department has access to sensitive information, such as security log files, and that can actually make your compliance initiatives a little bit easier. So, one additional benefit is that because a managed security service provider focuses solely on security, they're likely going to have skills and resources that are going to be impractical to develop in-house. Now, what do I mean by that? Well, if you stop and think about it, if an MSSP focuses solely on security, then they're going to be making a tremendous investment in security. It only makes sense. Now, in-house, security isn't your core business. It's just one of those things that you need to have in order to protect the core business. So, the business leaders are typically going to try to minimize the amount of money that they're spending on security. Conversely, an MSSP uses security as their total business. So, they're going to spend a lot more money on security and hence have additional resources that you're probably not going to have in-house. So, the bottom line is that you're typically going to get better security by going with an MSSP than by trying to take a do-it-yourself approach completely in-house.

One of the things that I mentioned several slides back is that if you are going to outsource a portion of your IT operations, it's important to be smart about it. And that means choosing a managed service provider or a managed security service provider that's going to be able to meet your needs. So, there are a couple of things that you need to think about.

First of all, make sure that you choose a provider who is reputable. Believe me when I say there are a lot of fly-by-night outfits out there. So, you want to choose a provider who's got an established track record because this is your organization's security that we're talking about. If something goes wrong, you're the one who's going to be left holding the bag. So, you never want to put yourself into a situation where you have to explain to your boss that you tried to save a few dollars by going with a cut-rate provider. It's extremely important to make sure that you choose a reputable provider.

Another thing to consider is the managed service provider's skills, resources and services, and making sure that those align with your organization's needs. That's one reason why I suggest using a managed security service provider over a generic managed service provider if you're trying to outsource security, because a managed security service provider is typically going to have greater resources at their disposal and they're typically going to have a much deeper security knowledge because that's their primary area of focus.

When IT pros begin looking at outsourcing various IT operations to a managed service provider or a managed security service provider, one of the first questions that they typically have is what types of IT operations can they outsource to these providers. Well, the services that are offered by the various providers vary heavily from one provider to the next. As previously mentioned, managed security service providers tend to focus almost exclusively on security, whereas managed service providers will generally offer all manner of IT services.

So, with that said, I want to spend the latter part of this presentation talking about some of the services that are more commonly offered. And I'm going to focus my discussion specifically on managed security service providers, rather than looking at managed service providers in general.

One of the most basic services that is offered by managed security service providers is a risk assessment. A risk assessment involves the provider performing a comprehensive audit of your organization's security in an effort to identify weaknesses and gaps in coverage. Now, in the past, a risk assessment was done by a team of consultants and conducted entirely on premises. But if an organization has moved everything to the cloud and is operating exclusively in the cloud, then there's no reason for the consultants to come on premises, and the risk assessment can be done remotely. Now, a risk assessment is one of those things that a managed security service provider will typically do before they agree to take on all of your organization's security responsibilities because, after all, they need to know where those gaps in coverage might be. But even if you're not willing to hand over all of your security-related matters to a managed security service provider, a provider might still be able to offer you a risk assessment just so that you know where you stand with regard to security and you can identify those gaps in coverage and know where to focus your security efforts.

One of the fundamental truths with IT is that good security involves a lot more than just purchasing a variety of security products and services and then deploying them throughout your organization. In order to have good security, you have to have a strong security policy because that security policy dictates how your security products and services ultimately end up being configured. Those security products and services are configured in a way that aligns with the policies that you've set up within your organization. And this is something that a managed security service provider may be able to help you with. If you don't already have a security policy, they can probably construct one for you based on your organization's security needs and operational needs. If you do already have a security policy in place, then they might be able to review that policy and just look for any areas where it might need to be improved.

Another service that some, but certainly not all, managed security service providers offer is total research and recommendation. So, let's suppose for a moment that your organization has a particular security challenge that it's trying to address. You might be able to reach out to a managed security service provider and get them to recommend a product, a tool or a service that can help you with that particular issue that you're trying to overcome. Now, you have to be careful with this one for a couple of different reasons.

First, not every provider offers this service. So, you have to see if that's something that your provider even offers. But if your provider does offer the service, then it's important to have a very frank conversation with them before accepting the recommendation at face value because some security service providers work directly with software vendors and they're earning a commission on the products that they sell. So, they've got an incentive to sell the product that may or may not actually be in your best interest. So, it's important to talk to your managed security service provider and find out if they're working on a commission basis with a software vendor before you accept the recommendation. Now, this certainly isn't an indictment of all managed security service providers. There are providers out there that will give you an unbiased opinion and will make a good faith effort at recommending tools and services for you. You just have to find out where your provider stands.

Another thing that a managed security service provider might be able to do for you is to help you to put various security solutions into place. Now, this can mean a lot of different things. It can mean something as simple as just installing or configuring a particular product or service. Certainly, that falls within the scope of solution implementation. But it can also mean something larger, like implementing an architecture such as zero trust. Because zero trust isn't really a product that you can purchase; it's a way of configuring your environment so that nothing is trusted without first being verified.

Solution implementation can also refer to helping an organization to become compliant with regulations. A service provider might, for example, work with the organization to establish their initial regulatory compliance, and then on an ongoing basis -- if necessary -- help that organization to maintain that regulatory compliance. So, these are just a few different ways that a managed security service provider might be able to help with solution implementation.

One of the things that I said early on is that every managed security service provider works a little bit differently. They all have their own unique list of services that they offer. But one thing that almost every managed security service provider offers is reporting and auditing capabilities. A good provider should be able to provide you with regular security health reports and security audits. And these types of reports can be extremely helpful for any organization because they can help you to understand where your risks lie, what threats are actively engaging the organization and things like that. But they can be especially crucial for those organizations with compliance requirements because, oftentimes, the compliance requirements will demand security audits. And that's something that a good managed security service provider can help you with.

Another thing that a managed security service provider might be able to help you with is IT training and certification. Now, certainly, this isn't something that every provider out there offers, but there are those that do. As a matter of fact, during the early part of my IT career, I got a lot of my IT training from a managed service provider. And that provider did a really good job, and they even helped me through the certification process. So certainly, that is something to consider if your provider offers those types of services.

Another service that some, but not all, managed security service providers offer is configuration drift monitoring. The idea behind configuration drift monitoring is that just because a server or a firewall or some other appliance is configured in a particular way right now, it doesn't mean that it's always going to be configured in that way. An administrator might make a change that alters that particular IT resource's configuration. Now, sometimes these types of changes are completely justified. But there are, on occasion, changes that undermine a particular resource's security. So, this is where configuration drift monitoring comes into play. It compares an IT resource's current configuration against a previous state that was known to be good and looks for signs that the configuration has changed. And in some cases, it's even possible to roll back to that prior configuration. So, detecting configuration drift might signal administrative activity, either justified or unjustified, or it might indicate that your organization has been infiltrated by an attacker who is working to weaken security on some of your resources. So, configuration drift monitoring is something that's very important to do, whether you do it through a managed security service provider or whether you use a native resource, such as the Microsoft Desired State Configuration tool.

Many managed security service providers will also offer services related to your firewall and your intrusion detection [IDS] or intrusion prevention system [IPS]. Now, these services tend to vary widely from one provider to the next. But, a provider might offer a service for setting these particular resources up. So, if you've got a new firewall and you need a little help deploying it, a managed security service provider might be able to help you with that.

They can also help you with maintenance. For example, any time a new firmware update comes out, a provider might be able to help you acquire that firmware update and apply it to the firewall or IDS or IPS appliance. Likewise, a good managed security service provider can probably help you with monitoring. So, they might be able to help you detect port scan attacks against your firewall, or they might be able to watch over your IDS or IPS logs for signs that signal an attack.

Another service that most managed security service providers offer is advanced endpoint threat detection. Advanced endpoint threat detection involves monitoring the endpoints that your users are working from and looking for signs that may indicate that an attack is underway. Now, this sounds great. But before you sign up for a service like that, you have to consider how your employees are currently working. Because prior to the pandemic, a lot of employees worked on premises from domain-joined desktops or laptops. But right now, almost everyone is still working remotely. And in many cases, they're working from personal devices. So, using advanced endpoint threat detection might not necessarily be an option if a user is working from a personal device. If, on the other hand, you have a lot of users who are working from company-owned devices, then this may be a service that you want to look into.

Another core service that most managed security service providers offer is security monitoring. Now, monitoring can mean different things from one provider to the next. But, in many cases, security monitoring is based on log file aggregation. So, what this means is that the managed security service provider collects all the log files that are generated within your organization, aggregates those log files -- so they bring those log files together -- and then from there, they analyze those log files to look for anything that just doesn't look right that may indicate a security problem. So that's great. But there are a couple of things that you need to watch out for before you sign up for security monitoring.

First, make sure that the monitoring services that are being offered exist for all the products that you use. It's very possible that you've got a key resource within your organization that generates log files that could conceivably be analyzed but that isn't supported by a given managed security service provider. It's also important to ask what a provider does to avoid false positives because some of the log file aggregation tools that are in use out there generate an overwhelming number of false positives. And if you have to go in and research every single false positive, then the events that actually mean something could slip between the cracks, just because there are so many false positives to sift through. So, it's very important that whatever tool the provider uses minimizes false positives.

Another service that a lot of managed security service providers offer is vulnerability management. Now, the term vulnerability management is kind of generic, and it can mean a lot of different things from one provider to the next. So, what is vulnerability management? Well, it can include anything from vulnerability scanning or penetration testing to patch management to web application scanning -- in other words, checking a web application to see if known vulnerabilities exist within it. Other services that might fall under the vulnerability management umbrella include DNS content filtering -- in other words, stopping users from visiting sites that are known to be malicious. It can also include malware protection or even file integrity monitoring.

One more thing that a lot of managed security service providers offer is post-breach services. In other words, if you do suffer a security event, the managed security service provider may be able to help you to deal with the aftermath. So, what types of things do they offer? Well, a lot of managed security service providers offer forensic analysis. They can help you to figure out how an attacker got in. Some also assist with breach reporting; in other words, if you have an obligation to report a security breach to your customers or to a regulatory authority, then the managed security service provider might be able to help you meet those requirements. Some managed security service providers also offer assistance with malware remediation. In other words, if you get hit by malware or ransomware, they can help you to clean up the mess that that malware makes and help you to make sure that it's fully removed from your environment. And a few of the providers out there also offer data recovery services. So again, if you were to be infected by ransomware, they may be able to help you to get all of your data back from that ransomware without paying the ransom.

So, those are just some of the many services that are offered by managed security service providers. I'm Brian Posey, thanks for watching.