10/5/2016 11:00 AM
Joshua Goldfarb
Commentary
20 Questions To Explore With Security-as-a-Service Providers

This list will help you leverage the niche expertise of security-as-a-service providers, and assess which vendor can best meet your needs

Security-as-a-service is a topic on the minds of many people these days. It’s not difficult to understand why. More and more organizations are becoming aware of the need to run security operations and incident response on a continual basis, in addition to a traditional compliance-based frequency. At the same time, many organizations today are realizing that building out a mature security capability to counter the modern threat landscape is not a simple exercise; it is a complex and ongoing endeavor that requires considerable effort and continual attention as risks and threats develop and change.

Security feels different than it did even just a few years ago. Many auditors now want to know whether or not an organization has an incident response plan, and whether it is effective. With organizations moving parts of their business and infrastructure to the cloud, they are looking for security solutions that will move there with them. And, as if all that were not enough, customers now routinely scrutinize the data custodianship practices of their vendors, suppliers, and providers. This comes just as attackers are getting better and better at stealing credentials and masquerading as legitimate users when accessing data, often using no malware at all.

Given all this, it’s no surprise that organizations are looking to leverage the niche expertise of security-as-a-service providers to help them meet a wide variety of needs in a short period of time. Where the market is looking for solutions, the hype and noise have quickly followed. How can organizations see through the hype and noise to understand the true capabilities of security-as-a-service providers and assess which provider best meets their needs?


Let’s begin another game of 20 questions, only this time about the issues you should explore with vendors before considering a security-as-a-service play. As noted before, this is not an exhaustive list of questions, but a good place to start.

  1. What is the vendor’s overall philosophy and vision? I don’t think it’s unreasonable for a potential customer to ask for one or two sentences explaining what drives and motivates a Security-as-a-Service vendor to strive for greatness.
  2. What does the vendor offer beyond compliance? It’s easy to collect data required by various regulations but doing something valuable with that data is another matter entirely.
  3. What issues drive the content development process and the day-to-day operational workflow? Please tell me it is driven by understanding the risks and threats my company faces, prioritizing them, and helping me mitigate them.
  4. How is alerting developed, implemented, and maintained? If you’re going to monitor my organization, I deserve to know how exactly you will produce timely, actionable, high-fidelity, low-noise alerting to do so. The last thing I need is for you to deluge my already resource-constrained staff with false positives and busy work.
  5. How will you instrument my network? After all, even the best content development process and alerting logic needs network data to operate on.
  6. How will you instrument my endpoints? This includes traditional endpoints, such as desktops and laptops, as well as newer endpoints, such as smartphones, tablets, and thin clients. Visibility across a wide variety of devices is extremely important to me.
  7. Can you monitor web applications and servers for me? Attackers are opportunistic and won’t merely attack endpoints. If a web application or a server is vulnerable, they will attack it. If this happens, I want to know as soon as possible. Better yet, do you also offer services to help me proactively identify these vulnerable assets before I have an issue?
  8. How will you provide visibility into the infrastructure I have in the cloud, which needs to be monitored just as much as my traditional enterprise does?
  9. How will you provide visibility into my outsourced Software-as-a-Service (SaaS) applications? If there is crime, fraud, data theft, or an insider threat issue, I need that visibility. I can’t be in the dark.
  10. Do you have a centralized portal where I can interact with my own data in an easy-to-use and meaningful manner? Help me see and understand the state of security within my own organization quickly and easily.
  11. What type of data reduction, aggregation, and visualization do you support within this portal? Will you allow me to identify patterns and dig deeper if I want to or need to?
  12. What tools do you provide to allow me to create my own alerting and do my own hunting and investigating if I desire?
  13. What can you offer to help me prevent compromise, in addition to detecting and responding to it?
  14. How can I be sure that you will quickly detect compromise within my organization given the volume and complexity of the data I am providing you?
  15. How do you analyze and investigate alerts? I want to make sure you have good methodologies, firm techniques, and sound expertise.
  16. What process do you have documented around which types of incidents? I want to make sure that if one of many different scenarios were to occur, you are prepared to handle it.
  17. If you do detect a compromise, how will you contain and remediate that compromise? Response procedures are important here, but more than just that, technology to make response as smooth as possible is also important.
  18. What type of reporting do you offer? I need relative metrics that communicate the value you are providing to my leadership. How many tickets you opened and how many AV alerts fired isn’t going to help me here.
  19. How do you provide lessons-learned post-incident to help me learn from my mistakes and continually improve my security posture?
  20. How do you continually iterate, improve, and mature your own capabilities as a provider to ensure that I receive a Security-as-a-Service offering that keeps pace with the changing threat landscape?

There is certainly no shortage of Security-as-a-Service providers. Where the business need has emerged, the marketing has followed. Business and security leaders need a clear-cut way to cut through the hype and noise to make educated and informed decisions. As you might expect, I’m a big fan of playing a game of 20 questions to get there.

Josh is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA. Prior to joining IDRRA, Josh served as vice president, chief technology officer, ...