Risk
3/11/2014
07:57 PM
50%
50%

Security Services Cater To SMBs

Cloud and managed security services are headed down market with simpler interfaces masking their enterprise heritage

Small and midsized businesses will gain more choices in 2014 for securing their data and networks using cloud and managed services, rather than buying and installing products inside their perimeters.

A handful of security firms have announced simpler versions of their enterprise cloud security services, slimming down the signup process and removing complex configuration options to make the offerings more useful for smaller companies. In other cases, security vendors traditionally targeting larger firms have provided the infrastructure for managed security service providers to step in, set up and maintain digital defenses for smaller companies.

Cloud security firm Zscaler, for example, is beta-testing a slimmed-down version, dubbed SHIFT, of its enterprise security offering, limiting the dashboard to a single page and aiming to get companies "up and running in 5 minutes or less."

"If you are doing it right, security should be on or off," says Patrick Foxhoven, chief technology officer for emerging technologies at Zscaler. "They need the technology, but they don't need all the complexity."

SMBs are among the largest adopters of cloud services. In 2014, the average SMB will spend 14 percent of its information-technology budget on cloud, and another 11 percent on managed services, according to information-technology managers surveyed in the 2014 State of IT Budget Report (registration required) published by SMB information services firm Spiceworks. While many smaller businesses are hesitant to use cloud services, 94 percent of firms say that moving to the cloud had a positive impact on security, according to a June 2013 Microsoft survey.

Because many SMBs do not understand their security needs, they put themselves at risk, Stephen Cobb, a security evangelist for antivirus firm ESET told attendees at the RSA Conference in February. Cybercriminals are finding the combination of valuable assets and lack of security awareness in smaller businesses to be a sweet spot for attacks, he said.

[New study highlights uncertainty among small to midsize businesses on cyberattacks and threats. See SMBs Unsure And At Risk, Survey Finds.]

SMBs that want to harden their business against attacks should follow a process of ABCDEF, according to the company: Assess the business's assets, risks, and resources; build a policy; choose the security controls; deploy security measures; educate employees and vendors; and further assess the company's security.

Yet, many small and medium business want simple security measures that give them visibility into what risks may be affecting their networks, whether an attacker compromising computers or a rogue employee exfiltrating data. Getting rid of the complexity is important, says Wolfgang Kandek, chief technology officer at Qualys, a cloud security provider.

"From a philosophical point of view, I think the problem is that security is very complicated," he says. "So we have been trying to make it easier and make it very approachable."

When Qualys aimed for the small- and midsized business market, the company decided to strip out the more complex functionality from its service. Last year, the company announced its vulnerability management offering for smaller firms, QualysGuard Express Lite. At RSA in February, the company went even simpler, announcing--in conjunction with the SANS Institute and the Council on CyberSecurity--a service to scan for the Top-4 Critical Security Controls, which, historically, could have prevented 85 percent of breaches.

Many smaller companies do not have the expertise to assess whether their network is at risk or what policies might help them secure their data. For those companies, a managed security service provider can be the expert to offer advice and manage the security of the network, says Seth Geftic, associate director of RSA Security Analytics. A number of firms have targeted the SMB market, including Dell SecureWorks and Trustwave.

In February, security firm RSA announced it had partnered with Verizon Enterprise Solutions to make its enterprise-focused products available as a service to smaller companies as well. Those companies can benefit from an experienced security consultant, Geftic says.

"Partners can really help out by providing the skills," he says. "Not just be a service, but analyzing the data and telling the customer what they should be going after and what they should be doing."

Whether they choose a cloud service or a managed provider, SMBs looking to improve security will have a lot more options in 2014.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.