The word “prevention” is broadly applied in cybersecurity. It can refer to the responsibility of a technology stack to block, an analyst team to detect, or a security team to respond. Historically security prevention budgets have been dedicated to point solutions installed to keep the bad guys out. As organizations mature their cybersecurity programs they are looking for ways to leverage intel gained at the detection and response stages to enhance prevention efforts across the board.
According to RSA sponsored research, the trend in security budget spend has been moving away from a historic split of 80% prevention, 15% detection and 5% response to a more equal allocation of funds – 33% for each initiative.
While the new math seems to indicate a departure from heavily funding prevention, it’s actually indicative of a more radical shift. Traditional prevention measures represented in the RSA stat – building defenses to keep everything out – are not working. Spending the majority of the budget building ever-bigger, ever-higher walls is not keeping sophisticated threats out. So assume they’re getting in – you will be compromised. The new spend strategy proposes that security and risk professionals allocate more budget to faster detection and rapid response programs that directly affect preventative outcomes.
The real question is how do you manage to make faster detection and rapid response capabilities a reality with no increase in your overall cybersecurity budget? Can you internally grow your existing team’s monitoring, detection, analysis, and response skills simply by moving money? In our experience, the key to prevention success is directly related to how you spend the budget you’ve re-allocated.
“Counting attacks is a fruitless effort. Taking action based on threat trends is the best step.”
– How to Respond to the 2017 Threat Landscape, Gartner Research; published 8 December 2016
Mind the Gap
According to Gartner research, overall IT budgets for 2017 are up about 2.2% over 2016. Although cybersecurity is still only in the top five priorities for CIOs, it remains the number one priority for CISOs. That said, the research indicates that CISOs are not likely to see a trickle-down or net increase in their cybersecurity budget. Therefore a potential new axiom for CISOs is to prioritize improving enterprise visibility and building advanced threat activity analysis skills to outpace cyber-threats and prevent incidents.
Historically, organizations have turned to solution providers for Managed Security Services (MSS) and Incident Response support to fill their process and skills gaps.
Traditional MSSPs provide a well-honed mix of management services for security devices and monitoring of the logs from those devices via SIEM technology. The service typically has limited visibility into what is really happening across the enterprise, which results in missing attacks altogether or finding them too late. In addition, when an MSSP is able to detect an attack from log sources, there is not usually enough information to determine exactly how it occurred or what the response should be. After the detection is escalated, incident response teams must utilize other systems to make those determinations. The budget impact of using an outsourced MSSP is usually less than the three-year annualized cost of the prevention equipment required, the team of cyber engineers to run it, and the analyst headcount for an average Fortune 500 organization – roughly $1.41M of OPEX expense over three years. However, current MSSP offerings – even at this price point – do not provide the necessary visibility for endpoint and network monitoring or the enhanced analysis support needed for incident prevention. Technology investments may help the former, but most MSSPs lack the strategic, “big picture” analysis skills to create processes for faster detection and execute more rapid response. Prevention requires contextual and actionable intelligence gained from continuous, skilled analysis. In the MSSP model you’re paying for management services or detection, not analysis; and without analysis there can be no prevention.
Embrace the Shift
“By 2020, 65% of worldwide managed security service providers (MSSPs) will offer managed detection and response (MDR)-type services.”
– Gartner, January 2017 Magic Quadrant Report
In mid-2016 Gartner produced a report entitled “Market Guide for Managed Detection and Response Services”. In it they described the emergence of a new set of service providers that support organizations seeking to improve their threat detection and incident response capabilities: MDR services. MDR services balance the equation for CISOs looking to move to equal parts monitoring, detection, and response for a holistic incident prevention strategy.
Gartner predicts that 65% of MSSPs will offer MDR by 2020. Leidos is leading that market today. Partner with our MDR team to turn incident response into incident prevention.