As a Managed Security Service Provider (MSSP), accomplishing things is great, but you need to have a solid design and plan in place before achieving them — otherwise, you will start hammering away at things that are very definitely not nails. In a recent blog, we talked about using the maturity of the organization’s architecture as a metric for cyber security preparation and compliance. This article extends that idea by looking at the efficacy of that architecture: whether the tools and processes in place actually work.
Compliance does not necessarily equal security, and you need to make sure that your customers’ tools and processes are actually working in order to provide the best service and close any gaps. To do that, you need a list of metrics that are correlated with the effectiveness of an organization’s cyber security policies. The seven indicators listed below will help you build a cyber security dashboard for assessing your customers’ security posture.
Key Cyber Security Metrics
What vulnerabilities are you susceptible to, and what steps do you need to take to resolve those issues?
The key here is not to bludgeon or overwhelm your customers with problems. There might be dozens of new vulnerabilities being discovered on a daily basis, but only one or two of them are actually relevant to the customer’s IT environment. (On the other hand, if all of them really are noteworthy, then you have bigger issues to deal with.)
What threats in the wild are you susceptible to, and what steps do you need to take to resolve those issues?
Your approach to threat intelligence should be very similar to how you approach vulnerabilities. Customers should be able to easily answer questions such as:
- Is there any evidence that I have been breached by one of the well-known threats?
- Does my MSSP regularly conduct threat-hunting missions on my network? How many of these missions have occurred in the past week or month?
- Is my MSSP finding evidence of data breaches such as the Sage insider attack, or other persistent methods of attack?
What are the most recent threats to appear in the cyber security landscape?
One extremely important IT security metric is the number of new threats that the customer has faced recently. If this figure is steadily increasing or has seen a rapid spike from normal levels, it is a strong indication that the customer is on the receiving end of a targeted attack, or will be in the near future.
Are attempts to shut down a threat or vulnerability effective?
When you try to patch a security flaw, you need to know that you have actually resolved the problem and that it will not keep resurfacing every few days or weeks. Just like treating an illness, successfully handling a cyber security issue means identifying the root cause and removing it, rather than only addressing the symptoms. A finding that is closed and then reappears after every fix is a strong sign that only a symptom was treated.
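The recurrence check described above, as an added example that is not part of the original article. It reads a constructed scan history in an assumed `date,host,vuln_id,status` format (the `VULN-*` identifiers are placeholders, not real CVE numbers), counts how often each finding comes back after being marked fixed, and turns that into a "fix effectiveness" figure a dashboard can track.

```python
"""Recurrence check for remediated findings (added example; not the article's code).

Input: constructed scan findings, one per line, 'YYYY-MM-DD,host,vuln_id,status' where
status is OPEN or FIXED (assumed format). A finding has "resurfaced" when it is reported
OPEN again after a FIXED record for the same host and vuln_id.
"""
from collections import defaultdict
from datetime import date

# Constructed sample scan history (placeholder vulnerability ids, not real data).
SAMPLE_SCANS = """\
2024-01-02,web01,VULN-A,OPEN
2024-01-09,web01,VULN-A,FIXED
2024-01-16,web01,VULN-A,OPEN
2024-01-23,web01,VULN-A,FIXED
2024-01-30,web01,VULN-A,OPEN
2024-01-02,db01,VULN-B,OPEN
2024-01-09,db01,VULN-B,FIXED
2024-01-16,db01,VULN-B,FIXED
2024-01-02,web02,VULN-C,OPEN
2024-01-09,web02,VULN-C,OPEN
"""


def parse_scans(text):
    """Return {(host, vuln_id): [(date, status), ...]} with each list sorted by date."""
    history = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        day, host, vuln_id, status = line.split(",")
        history[(host, vuln_id)].append((date.fromisoformat(day), status.upper()))
    for records in history.values():
        records.sort()
    return history


def recurrence_report(history):
    """For each finding, count fixes and how many times it came back after a fix.

    Returns {(host, vuln_id): {"fixes": n, "resurfaced": m, "still_open": bool}}.
    A finding that resurfaces after every fix is a symptom being treated, not a root cause.
    """
    report = {}
    for key, records in history.items():
        fixes = 0
        resurfaced = 0
        previously_fixed = False
        for _, status in records:
            if status == "FIXED":
                if not previously_fixed:   # consecutive FIXED scans count as one fix
                    fixes += 1
                previously_fixed = True
            elif status == "OPEN" and previously_fixed:
                resurfaced += 1
                previously_fixed = False
        report[key] = {
            "fixes": fixes,
            "resurfaced": resurfaced,
            "still_open": records[-1][1] == "OPEN",
        }
    return report


def chronic_findings(report, threshold=2):
    """Findings that resurfaced at least `threshold` times: candidates for root-cause analysis."""
    return sorted(k for k, v in report.items() if v["resurfaced"] >= threshold)


def fix_effectiveness(report):
    """Share of fixes that held (did not resurface), as a dashboard metric in [0, 1]."""
    total_fixes = sum(v["fixes"] for v in report.values())
    if total_fixes == 0:
        return 1.0
    held = total_fixes - sum(v["resurfaced"] for v in report.values())
    return held / total_fixes


if __name__ == "__main__":
    rep = recurrence_report(parse_scans(SAMPLE_SCANS))
    for key, value in sorted(rep.items()):
        print(key, value)
    print("chronic:", chronic_findings(rep))
    print("fix effectiveness:", round(fix_effectiveness(rep), 2))
```

On the sample data, `web01`/`VULN-A` has been fixed twice and come back twice, so it is the one finding worth a root-cause session, and only one of the three fixes overall has held. The threshold of two recurrences is an arbitrary choice for the example; a real dashboard would tune it to the customer's scan cadence.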
Severity and Velocity
Is your environment getting better or worse in terms of the pace and intensity of threats?
Of course, any company above a certain size will be the target of probes and attempted attacks from malicious actors, and many of them will already have fallen victim to a breach. However, an increase in the leading indicators of attack activity, such as the pace or severity of events, is a clear sign of a targeted attack campaign. For example, customers may suddenly be assaulted through a variety of media and channels, or they may experience a swarm of high- and critical-severity events. To address this, first find out which sensors are reporting the anomalies and where they are pointing, then close the holes you discover there.
Is there a dramatic increase or decrease in the number of hosts showing activity on your network? Are there any major critical or high events against your critical monitored assets?
A significant spike in the number of active hosts, such as a tenfold increase from 100 to 1,000, could indicate that attackers are broadening their scope. Of course, it could also be due to a benign event, such as the acquisition of a new company and the merger of the two networks. Whatever the reason, such an anomaly needs to be examined by security experts.
Another consideration for surface area is the location of your critical assets. You would expect that parts of the network such as the DMZ are more susceptible to would-be attackers trying to expose issues and create holes. These events are definitely important, but far more important would be something like a sudden increase in the number of high and critical events against your customer’s financial data. In this case, you should look into the problem immediately and find out what’s going on.
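The severity-and-velocity checks in this section (event pace, high/critical volume, active-host count, and hits on critical assets), as an added example that is not part of the original article. It aggregates a constructed sensor feed in an assumed `date,host,severity,asset,tier` format per ISO week, compares the latest week against the average of the earlier weeks, and flags any metric that jumps past a configurable multiple (three here; the article's tenfold host example would trip it too). High or critical events against `critical`-tier assets are listed regardless of baseline, since the text treats any of those as something to look into immediately.

```python
"""Severity and velocity dashboard checks (added example; not the article's code).

Input: constructed sensor events 'YYYY-MM-DD,host,severity,asset,tier' (assumed format).
Events are aggregated per ISO week; the latest week is compared with the mean of prior weeks.
"""
from collections import defaultdict
from datetime import date
from statistics import mean

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample feed: three quiet weeks, then a noisy fourth week (not real data).
SAMPLE_EVENTS = """\
2024-01-01,h1,low,web-dmz,dmz
2024-01-02,h2,medium,web-dmz,dmz
2024-01-03,h1,low,web-dmz,dmz
2024-01-08,h1,low,web-dmz,dmz
2024-01-09,h3,medium,web-dmz,dmz
2024-01-10,h2,low,web-dmz,dmz
2024-01-15,h1,medium,web-dmz,dmz
2024-01-16,h2,low,web-dmz,dmz
2024-01-17,h3,low,web-dmz,dmz
2024-01-22,h1,high,web-dmz,dmz
2024-01-22,h4,high,finance-db,critical
2024-01-23,h5,critical,finance-db,critical
2024-01-23,h6,high,web-dmz,dmz
2024-01-24,h7,critical,finance-db,critical
2024-01-24,h8,medium,web-dmz,dmz
2024-01-25,h9,high,web-dmz,dmz
2024-01-25,h10,high,web-dmz,dmz
2024-01-26,h11,low,web-dmz,dmz
2024-01-26,h12,critical,finance-db,critical
"""


def parse_events(text):
    """Parse the constructed feed into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        day, host, sev, asset, tier = line.split(",")
        events.append({"date": date.fromisoformat(day), "host": host,
                       "severity": sev.lower(), "asset": asset, "tier": tier.lower()})
    return events


def weekly_stats(events):
    """Per ISO week: total events, high/critical events, distinct hosts, critical-asset hits."""
    weeks = defaultdict(lambda: {"events": 0, "high_or_critical": 0,
                                 "hosts": set(), "critical_asset_hits": []})
    for ev in events:
        iso_year, iso_week, _ = ev["date"].isocalendar()
        w = weeks[(iso_year, iso_week)]
        w["events"] += 1
        w["hosts"].add(ev["host"])
        if SEVERITY_ORDER[ev["severity"]] >= SEVERITY_ORDER["high"]:
            w["high_or_critical"] += 1
            if ev["tier"] == "critical":
                w["critical_asset_hits"].append(
                    (ev["date"].isoformat(), ev["host"], ev["asset"], ev["severity"]))
    return dict(sorted(weeks.items()))


def flag_anomalies(weeks, spike_factor=3.0):
    """Compare the latest week against the mean of all earlier weeks.

    A metric is flagged when it exceeds spike_factor times its baseline; a jump from a
    baseline of zero to anything also counts. Needs at least two weeks of data.
    """
    keys = list(weeks)
    if len(keys) < 2:
        raise ValueError("need at least two weeks to establish a baseline")
    latest = weeks[keys[-1]]
    prior = [weeks[k] for k in keys[:-1]]
    flags = []
    for metric in ("events", "high_or_critical"):
        baseline = mean(w[metric] for w in prior)
        current = latest[metric]
        if (baseline == 0 and current > 0) or current > spike_factor * baseline:
            flags.append((metric, baseline, current))
    host_baseline = mean(len(w["hosts"]) for w in prior)
    host_current = len(latest["hosts"])
    if host_current > spike_factor * host_baseline:
        flags.append(("active_hosts", host_baseline, host_current))
    return {"week": keys[-1], "flags": flags,
            "critical_asset_hits": latest["critical_asset_hits"]}


if __name__ == "__main__":
    result = flag_anomalies(weekly_stats(parse_events(SAMPLE_EVENTS)))
    print("week:", result["week"])
    for metric, baseline, current in result["flags"]:
        print(f"SPIKE {metric}: baseline {baseline:.1f} -> current {current}")
    for hit in result["critical_asset_hits"]:
        print("critical-asset hit:", hit)
```

In the sample feed the fourth week trips all three spike checks (pace, high/critical volume, active hosts) and records four high or critical events against the `finance-db` asset; those four are the ones to chase first, and the spike flags tell you which sensors to go and read. The factor of three and the weekly bucket are example choices, not figures from the article.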
Are your tools working to identify, detect, protect, respond and recover as you need them to?
Good MSSPs will have their customers fill out an OWASP Cyber Defense Matrix to keep track of how well each customer’s compliance framework is being covered. This will give you a clear picture of where you are, what you are missing and how you will resolve it along the way.
Who Cares About These Metrics (and Why)?
Key figures on both sides of the aisle have reasons to pay close attention to the metrics outlined above. The four most relevant roles are:
- MSSP Analysts: Typically responsible for identifying potential threats and communicating them to the customer.
- MSSP Relationship Manager: Manages your various accounts and is the primary point of contact for your customers.
- Client Stakeholders: Executive and managerial positions who are preoccupied with cyber security as it pertains to the business as a whole.
- Client Engineers: Responsible for much of the sweat and tears that go into IT security.
To understand how the metrics above impact each of these people differently, look at a RACI matrix (responsible, accountable, consulted and informed) that assigns roles to these different figures:

| Role | RACI |
| --- | --- |
| MSSP Analysts | R |
| MSSP Relationship Manager | A |
| Client Stakeholders | C |
| Client Engineers | C, I, R* |

* Responsible depending on how much infrastructure has been transferred to the MSSP.
- In general, MSSP analysts are responsible for finding threats and taking steps to address them.
- MSSP relationship managers are accountable because they will be the ones getting screamed at when a data breach exposes millions of customers’ information.
- Client stakeholders are consulted when it comes to matters of cyber security, but do not typically have to get their hands dirty.
- Client engineers usually bear the brunt of the work. They are both consulted and informed when it comes to cyber security issues at their company. Depending on how much infrastructure has been transferred to the MSSP, client engineers are also responsible, especially for implementing the cyber security roadmap that emerges from planning sessions.
Managed security service providers are currently enjoying something of a renaissance as cyber security becomes ever more important within an enterprise setting. For one, MSSPs have long since stopped being an easy way for customers to offload all their IT security issues. These days, they are more accurately described as strategic partners who are expected to render significant value and services to their clients.
Using the metrics enumerated above will help you build better relationships with your customers. By tracking them over time in a cyber security dashboard and addressing any anomalies, you will form strong bonds and alliances by proving your worth and value as an MSSP.