Security tools and service providers, MSSPs specifically, have failed customers in spectacular ways over the last 20 years. One of the most obvious failures, which I can’t believe we collectively haven’t figured out how to address adequately yet, or at least not en masse, is the reporting of bad things.
On a recent call with a well-known industry security leader and friend talking about managed services, I heard this (paraphrasing):
“I’m skeptical of MSSPs, same problem as the tools vendors. Quit telling me what’s wrong! It’s not as if telling me what’s wrong will make me secure.”
That rang in my ears for the remainder of the day as I pondered the frustration this conveyed. He was right, though. I thought back to when I worked at HP and we were doing some managed services, getting more into security. It was exactly this. The customer would pay us to effectively stare at their dashboards and alert them when the system popped up a ‘critical’ or ‘important’ alert. Same at every MSSP I can think of. They all claim they’re different but it’s bullshit, they’re not.
So there’s this problem, then. While I absolutely understand the frustration, I’m hesitant to sign up to actually do the remediation and hell, in some cases that’s not even possible. Context, that’s why. So it feels like the best we can do is this half-solution that doesn’t really solve the problem a CISO faces (if you believe that outsourcing your operational functions is important, and I do) and only drives up complexity and cost. That’s crazy.
So now what? I’ve been thinking about this a lot. There are definitely tools out there capable of remediating auto-magically. But there’s risk in that, too. There has to be a two-way contract between customer and provider: the customer trusts the provider to identify and remediate risk above a threshold they set together, in an intelligent way, with escalations and such as needed. Sounds like a nirvana state you only see in marketing literature.
Well, maybe not.
Think cloud. If everything is code, we should be able to make changes on-the-fly, right? If we spot an issue, we should be able to make that change. So let’s take a simple thing: a template one of your IT teams owns creates a bunch of virtual workloads (VMs for simplicity) that allow access to port 22 (SSH for management, I presume) from 0.0.0.0. Well, obviously that’s sub-optimal. If I know that the only admin IPs in your environment are on a pre-defined list, I should be able to change this without consequence. Right?
Now, this requires you to buy in. This also requires trust. But frankly, without those two, why are we even working together? It’s also a lot of work on the provider side, but I believe it ultimately gets us closer to solving the above concern.
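As an added illustration (not code from this post or any vendor), here is what that remediation looks like once the contract is written down: the customer supplies the admin source ranges and the list of management ports, the provider fixes only the agreed case automatically, and anything outside it is escalated. The security group, the admin CIDRs and the function name are constructed for the example.

```python
from ipaddress import ip_network

# Constructed sample in the shape of an EC2 security group's IpPermissions
# (IpProtocol / FromPort / ToPort / IpRanges / Ipv6Ranges), as a template might emit it.
SAMPLE_GROUP = {"GroupId": "sg-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]}

# The two-way contract, supplied by the customer up front: the pre-defined admin
# source ranges (constructed documentation prefixes) and which ports count as management.
ADMIN_CIDRS = ["203.0.113.0/24", "2001:db8::/32"]
MGMT_PORTS = {22, 3389}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def remediate_mgmt_exposure(group, admin_cidrs=ADMIN_CIDRS, mgmt_ports=MGMT_PORTS):
    """Return (rewritten_permissions, escalations).

    Only the agreed case is changed: a rule opening exactly one management port to
    the world gets its any-source entries swapped for the admin allow-list. A
    world-open range that merely covers a management port is kept and escalated,
    since narrowing it could break whatever else the range was meant to allow.
    """
    v4 = [{"CidrIp": c} for c in admin_cidrs if ip_network(c).version == 4]
    v6 = [{"CidrIpv6": c} for c in admin_cidrs if ip_network(c).version == 6]
    fixed, escalations = [], []
    for rule in group["IpPermissions"]:
        world_v4 = any(r["CidrIp"] == ANY_V4 for r in rule.get("IpRanges", []))
        world_v6 = any(r["CidrIpv6"] == ANY_V6 for r in rule.get("Ipv6Ranges", []))
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)  # missing = all ports
        exposed = (world_v4 or world_v6) and rule["IpProtocol"] in ("tcp", "-1")
        if not exposed or not any(lo <= p <= hi for p in mgmt_ports):
            fixed.append(rule)  # not a management exposure (e.g. public 443): leave it
        elif lo == hi:
            new = dict(rule)    # single management port: safe, contract-backed rewrite
            new["IpRanges"] = [r for r in rule.get("IpRanges", []) if r["CidrIp"] != ANY_V4] + v4
            new["Ipv6Ranges"] = [r for r in rule.get("Ipv6Ranges", []) if r["CidrIpv6"] != ANY_V6] + v6
            fixed.append(new)
        else:
            fixed.append(rule)  # ambiguous range: keep as-is and hand it to a human
            escalations.append({"GroupId": group["GroupId"], "FromPort": lo, "ToPort": hi,
                                "reason": "world-open range covers a management port"})
    return fixed, escalations
```

Run against the sample, the port 22 rule is narrowed to the two admin prefixes, the 443 rule is untouched, and the all-ports rule comes back as an escalation rather than a silent change.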
So here’s my proposal for better:
- Option 1: Acknowledge that the model you want (as a customer) is self-service and you just want your vendor to manage the complexity and cost of the tools you use. A very valid approach.
- Option 2: Buy the management and ‘advice’ tier. Basically, alert and explicitly tell me what I should do, rather than just telling me what’s wrong. Another valid approach, but I don’t buy into this as something anyone actually wants, because why would you want to staff for this?
- Option 3: Buy into the full service. Take the time to put in the work (on both sides of that aisle) to create a framework from which the provider can make sound decisions on your behalf that you, the customer, can trust. At scale, at speed, 24x7x365.
For the record, to quote one of my favorite old commercials: “Anything less (than option 3) would be uncivilized.”
I’m sure you’re thinking something… share it.