printer friendly version

Providing real-time visibility

The cybersecurity environment today is vast, complex and always changing. What is considered secure today may be an open door tomorrow as new vulnerabilities emerge and cyber criminals continue to develop their malicious software at an astounding rate.

This keeps IT departments on their toes, but many companies don’t have the required skills to keep their security posture at an acceptable level alone, a task made much harder with the lack of cyber skills we are faced with globally. Just as the cloud and cloud-based services have changed the way technologies are implemented and used in organisations around the world, the security industry has also taken advantage of services with many companies offering cyber solutions as services hosted and run remotely.

The benefit of these managed security service providers (MSSPs) is that they can afford to focus on cybersecurity and retain the best skills and manage the costs since they offer their solutions to multiple clients. In our first Smart Cybersecurity Handbook, Hi-Tech Security Solutions asked three local MSSPs for their take on what a managed service offers and the benefits the end users should expect, as well as what services they offer.

The four people we posed our questions to are:

• Edison Mazibuko and Adri Faasen from DRS (we will refer to them simply as ‘DRS’),

• John Mc Loughlin from J2 Software, and

• Ethan Searle from LanDynamix.

Hi-Tech Security Solutions: Why would you say a managed service is a better cybersecurity option for customers today? Does this apply to all companies or is it more effective for small- or medium-sized businesses?

Edison Mazibuko.

Adri Faasen.

DRS: Managed services are a cost-effective option that provide customers with best-in-class resources at a fraction of what the resources would cost. It is normally best suited to mid-sized businesses, but some enterprises also prefer to outsource IT services to a professional managed service provider.

The skills shortage compounds the issue. An outsourced managed service aids with compliance as it becomes an extension of an organisation’s IT resources. There is a strong trend towards the use of managed services across the board.

Mc Loughlin: In my opinion, a managed security services provider allows the client business the capability to achieve more with less and it also ensures that their lack of cybersecurity resources does not prevent them from being secured.

Our team, for example, provides our clients with a diverse range of security specialists at a fixed fee. In small- and medium-sized businesses, it is impossible to put together the same team, infrastructure and group of skills at anywhere near the price of bringing on our managed service. Our service allows the customer to have an almost immediate multi-disciplinary team that can enhance their security posture and address their current and future security gaps. We believe that your MSSP must evolve and be dynamic to provide you with a solution that fits your organisation and we do not provide a single one-size-fits all approach.

Searle: It depends on the customer’s requirements; the security-as-a-service model is probably a better fit for small-to medium-sized customers who don’t have the resources, processes and IP [intellectual property] to manage cybersecurity internally. A managed security service gives the customer peace of mind that all the best security processes are being implemented, monitored and actively managed. All at a fixed monthly cost with no key-man risk.

Hi-Tech Security Solutions: What services do you supply to customers ‘as-a-service’? What software needs to be installed on-site on PCs, laptops and servers (and mobile devices)?

DRS: DRS offers a complete 360-degree managed service offering: security awareness campaign management, SOC (security operations centre), monitoring, onsite and project-based engineers.

We offer various solutions as a service, including SIEM, SOAR and SOC. The SIEM service contains an onsite relay that must be deployed inside the network for us to collect all the necessary information. As for any agents, we can also deploy some agents to those endpoints that do not have built-in logging capability.

John Mc Loughlin.

Mc Loughlin: The need for on-site deployments are far less necessary today, especially as most businesses have very small parts of their team and infrastructure onsite. Sadly, many businesses (not just small ones) believe that a firewall and antivirus is all they need. This is only one part and what good does the firewall do when nobody connects through it?

J2 works on the premise that we cannot focus on only the network because most modern businesses do not work in a single network. People are accessing systems from numerous networks in coffee shops, homes and over mobile connections. You cannot focus purely on the perimeter because the perimeter is where your users and systems access information from. Your perimeter is not the edges of your neatly defined network any longer.

User-centric security is key, working from the user or accounts that have access to systems and interact with your data. Visibility of activity (data, machines, applications and people) provides the capability to detect and respond. Every service we provide is delivered with a level of management, whether this is a full security SOC service or starting from a patch or EPP offering. This depends on what is both suitable and practical for the customer.

The J2 services builds out a cyber resilience strategy and allows us to act. Our preference is to provide visibility, which gives us the ability to respond; we automate what we can, monitor and this allows us to provide continuous improvement. EDR (endpoint detection and response), XDR (extended detection and response), RDR (rapid detection and response), MDR (managed detection and response), MSOC (managed security operations centre), whatever you want to call it, any service is only as good as the surface it covers. We also provide a comprehensive account takeover monitoring service which monitors and matches breached credentials to active accounts with the ability to remediate when lost credentials are identified.

This, in conjunction with our Mimecast and Microsoft 365 advanced security monitoring service, gives our clients the peace of mind that when something goes wrong, and it will, our managed security services team has the visibility to allow for almost immediate remediation, before the damage is done. The deployment of user-centric security requires a micro-agent in some instances, but this is driven by the specific service we start our customer’s security journey on.

Ethan Searle.

Searle: We provide a fully managed security offering where we provide professional services such as firewalling, patch, antivirus and email security to look after all of the customer’s security needs. A combination of hardware and software is used to build out maintenance windows for patching, monitoring antivirus applications, inspecting traffic for malicious code and phishing attacks.

These services can also be purchased independently of each other, for example, a bigger corporate that has an internal team might outsource the firewalling to us and purchase our firewall-as-a-service offering. It often doesn’t make sense for an internal team to keep every IT skill in-house.

Hi-Tech Security Solutions: Is the service a ‘full service’, meaning is your company all they need from a cyber defence point of view, or will they need to install other software or add other services?

DRS: We implement your chosen platform and manage the console from start to finish, including simulated phishing campaigns, training, videos, games, desk drops and activations. If you are using your own LSM (learning management system) we can manage the yearly training plan for you. The DRS campaign is designed as an extension of our customers’ businesses with monthly updates and reports on progress and improvement.

DRS covers the entire range of cyber defence and whatever is not covered by us is organised through a partner. DRS tries to ensure a full 360-degree cybersecurity service depending on the customer’s needs. We do extensive training and development to ensure that our resources are up to par with regards to our strategic partners, as well as our additional supported partners.

Mc Loughlin: The simple answer is yes, no and it depends. We can be the entire cybersecurity defence system. It will be determined by customer capacity and their will to improve their security posture beyond a simple tick-box on a cyber insurance application form.

The deployment of tools will depend on the client environment and J2 tailor-makes its solution to current requirements, with a plan to continually bolster its resilience capability. It is impossible to go from nothing to level 10 000 in one step and we make sure that the most basic security steps are taken before we do something more complex. Without taking the individual customer circumstance into consideration they will be deploying tech for the sake of tech and this is like purchasing a truck to go down an alleyway. It can lead to massive waste of time and money and failed projects with no positive outcomes.

There is no happy pill or silver bullet, cyber resilience is a journey and you cannot get there in one step. If someone says you can, you can tell them that I say they’re lying. This journey is ever changing and demands we evolve all the time.

Searle: Yes, we offer a full service. User behaviour is starting to play a bigger role in cybersecurity. For example, we are now deploying software at a network and endpoint level, which analyses how the user interacts with their data and uses AI to pick up and automatically resolve any anomalies that could be security threats.

Hi-Tech Security Solutions: What happens in the event that your operations centre finds a problem – malware, ransomware etc.? Can you deal with it directly or do you first need to notify the client? Does the client have full transparency in terms of setting and managing their own systems and access rights?

DRS: As part of our standard operating procedure, we must notify the customer the moment we identify an incident, then, depending on the service level, we can respond directly or provide the most accurate recommendation on how to remediate. Transparency depends on the customer and which functions they need the SOC to cover.

Mc Loughlin: The response will be determined by the individual customer. It is also often driven by the size and internal capacity of the client’s team. Each one of our deployments is different and each has different procedures. Ideally when there is a problem, we are given the ability to remediate and only report later.

The response is also determined by what is found, we do not want to switch off a new business system that one department has taken into production themselves, so verification is part of the process. If a new service is deployed that is public facing and uses poor authentication or standard admin credentials, these will be immediately fixed.

In terms of ransomware, by the time the payload is detonated it can be too late. Our teams would identify the behaviours long before the actual event. A cyber-attack does not generally start and end immediately. The criminals are patient, taking small steps to learn, identify vulnerabilities and then the malicious part of the attack starts. By this time, they should have been identified, isolated and then removed before the damage is done.

The cyber crime syndicates are trying to get at the heart of your business. Our service is in place to identify and stop the gangsters when they are at the fence, not when they are in the bedroom. Complete prevention of all incidents is impossible. Rapid identification of problems, changes in behaviour or anomalous activity is not.

Searle: We deal with it directly and as quickly as possible. We have a process that notifies the customer of the incident while we simultaneously work to firstly contain the risk, understand the root cause and then remediate. It is all about transparency, not only while an incident happens, but this transparency also needs to be in place upfront.

Cyber risks are continually evolving and there is, allegedly, always the latest and greatest product out there that will solve all these cyber problems. The truth is, there is no silver bullet to manage all these risks. There is a fine line between too much security that becomes costly and cumbersome for users and managing some of the risk with DR (disaster recovery) and backup. It is all about managing the cost of downtime, risk and the actual solution cost.

A formal process is followed to help customers manage and review access rights.

Hi-Tech Security Solutions: How do you identify and handle false alarms? What types of logs do you keep and supply to clients as reports?

Mc Loughlin: This is done by combining numerous feeds to build into a single alarm, it is impossible to look at every log or event, it is only when these are correlated that the risk is noticeable.

There are occasional false alarms and it is important that you have a single high-level view of the alarms which must be centrally managed. With the ability to centrally respond, we have the capability of ensuring that false alarms do not continue to make noise across any of our customers.

We provide a diverse range of reporting today. This has evolved a great deal and we have invested a great deal of time and money in ensuring our customers retain visibility with reports that are suitable for the audience. This means we can rapidly provide weekly and monthly reports for operational, management and internal audit teams. We discovered a while back that a monthly report detailing what happened three or four weeks ago provides no value. Ongoing, relevant and important information is shared in our reporting process. We take in as many logs, feeds and behaviours that the client can provide. It does not only come from machines and on-premises devices, but cloud services, workloads, open-source tools and systems.

Searle: By flagging false alarms and using human intervention to update the algorithm to better manage or limit noise, getting anomaly and breach reports. We also examine feedback on investigations conducted due to false alarms and the process followed to define what went wrong.

Hi-Tech Security Solutions: What happens to the service when Eskom fails and/or the Internet connection goes down?

Mc Loughlin: We do not go down. All of our teams, in office or remote, are provided with alternative methods to keep the lights on, so to speak. The services we provide are driven from redundant cloud-based services. If a client loses connectivity and is inaccessible, this means they are inaccessible to everybody – including the bad actors.

Searle: Logs would still be collected locally and synchronised up to the main reporting engine once the power comes back online. This would have more of an impact on the business in terms of lost profitability and productivity as opposed to increased security risks.

Hi-Tech Security Solutions: Do you combine your cyber services with ‘normal’ IT technical services? The question is asked because many cyber vulnerabilities or even breaches are due to configuration/setup/patching errors by the client. Does this include backup and recovery services – online and on-site?

Mc Loughlin: J2 does not provide managed cybersecurity services as it has always been done. This is not effective in the modern world. I believe, as stated elsewhere, that we provide the capability to build out cyber resilience with our customers, not just provide a single product or service and send an invoice.

We partner with our customer to ensure their resilience improves. Resilience requires patching, web security, monitoring, backup and management of all related items. Some of these we do for our customers, others we monitor and work with their other service providers or internal teams to ensure all the bases are continually covered.

J2 provides tailor-made services and this covers many realms of technology and is dependent on the customer requirement. Our service provides visibility. Visibility provides capability to respond. If the response is removing local admin rights, patching and tweaking configurations on cloud platforms, collaboration tools and email gateways, then we are here to help our customers, their partners and suppliers to become more cyber resilient.

You cannot manage what you cannot see and you cannot fix what you do not know is broken.

Searle: Yes, we provide a fully managed IT solution for customers who are highly dependent on IT to generate revenue, but can’t or don’t want to commit to the cost and time to build processes and hire people internally to manage IT.

Backup and recovery are both included and services are consumed onsite and remotely. The solution designed would depend on the customer’s appetite for risk and how negatively an IT failure effects the business in terms of lost productivity and profitability.

Share this article:

Further reading: