Cybersecurity: why outsourcing is becoming essential


Companies are now widely aware of the risk of a cyberattack, but they still do not know enough about the nature of this risk. This is why cyberattacks have continued to increase by 15% over the past twelve months, despite a flurry of press articles that had amply warned the victims. Companies have understood that they have to implement security solutions, but they do not know how to monitor what these solutions report. Their flaw is inexperience.

Indeed, despite increasing automation, so-called “Detect & Response” tools remain an aid; they do not do the job on their own. They must be operated by people with the expertise and background to make good decisions and provide appropriate responses.

And therein lies the rub, because companies don’t have those resources in-house. The reason is twofold. On the one hand, there are not enough qualified candidates on the job market. The shortage of skills in this area is not limited to France; it is global. On the other hand, there is an economic problem. Apart from large groups and certain strategic companies, a company rarely has the means to dedicate even one person to these tasks.

Pooling to resolve inexperience

So the solution is to outsource threat monitoring. The service providers dedicated to this area are MSSPs (Managed Security Service Providers). Working with an MSSP is economically and technically attractive because its teams pool the supervision of several customers at the same time.

Technically, the threats are the same for everyone. Cyber-attackers have become industrialized: they rarely target a particular company, and instead exploit vulnerabilities that exist among the greatest number. Cross-functional knowledge of security vulnerabilities in companies, and therefore of the common threats that weigh on them, is what gives MSSPs their value.

Let’s get rid of a legitimate fear right away: no, entrusting the monitoring of your information system (IS) to a third party does not pose another security problem. The probes that MSSPs use to extract metrics from an IS do not retrieve confidential information, only equipment operating data, event logs and time-stamped connections. These elements carry all the weak signals of an attack. This is the essential material for effective protection. After an attack, during a post-mortem analysis, companies realize that these weak signals had been in their IS for several months.

Outsource, but wisely

Would it therefore suffice for a company to entrust the security supervision of its IS to an MSSP for the question of cybersecurity to be settled? No, the story does not end there. Effective protection detects the threat as early as possible and makes it possible to know which corrective solutions to deploy as soon as possible, but the attack is not necessarily avoided. Zero risk is impossible. Moreover, no service provider will accept liability for absolutely preventing every cyberattack.

The attack can occur despite everything, and the challenge is then to prevent its negative impact. To do this, it is necessary to act without delay on the IS. The problem is that knowing how to intervene on site 24 hours a day, investigate and set up incident response measures is not innate. Businesses should be prepared to follow a disaster recovery scenario.

Whether to outsource all or part of this post-incident recovery depends on how sensitive the IT department is about control of its information system. That said, finding a service provider who could support a company in all the technical actions to be carried out is difficult. Indeed, security incidents will have impacts on the network, on servers and on backups, all areas that involve very different skills.

The expertise to seek outside is that of knowing how to synchronize the internal teams in the face of the incident. It works if every team has been trained on the damage caused by a cyberattack. This training notably involves pentests (penetration tests), intrusion tests that are also conducted by specialized service providers.

These tests highlight flaws that no one had thought of. They result from the unprecedented complexity of increasingly heterogeneous, hybrid information systems, with third-party services and functions in the cloud. Pentests allow companies to know where they are vulnerable and how their teams can work together to limit the consequences of an attack.

In short, going through an external service provider makes it possible to circumvent the difficulty of finding candidates on the job market with the expertise necessary to react in a timely manner. It also proves to be more attractive economically, since a service provider pools tools and human resources, which allows it to offer optimized prices. However, although this service provider will effectively reduce the risk of a cyberattack, some attacks may nevertheless succeed. In parallel, a company must therefore be trained to react, in order to limit the disastrous consequences. This training also relies on the assistance of service providers.

As we can see, the intervention at several levels by an external service provider makes up for the inexperience of companies in the face of the real risks posed by cyberattacks. But one last element should be taken into account: for the economic equation to remain favourable, it is worth looking for comprehensive service offerings, ones that pool people and tools, as we have said, but that also include both the supervision and remediation aspects.




