MSSPs Find Advanced Threat Services, Incident Response Tied To Log Analysis

Managed security providers say they have finally gotten the message.

Managing logs is no longer about the compliance checkbox, according to their clients, who say they want MSSPs to identify and help them contain threats before a security incident becomes a costly breach.

Countless data breach reports, including some of the security industry's biggest ones, consistently point to poor or underutilized log and event management systems that if proactively monitored would have spotted and contained threats before a breach became headline news. Now service providers that have made a living monitoring security information event management systems and issuing reports to satisfy their clients' compliance requirements are finding additional growth in providing proactive security services, said Brian DiPaolo, the assessment and compliance practice director at Houston-based managed services provider, AccuData Systems.

[Related: Internet Pioneer On Incident Response: Sorry, There's No 'Magic Security Pixie Dust']

"It's evolving into more of a security incident response, breach detection play," said DiPaolo, who is partnering with Alert Logic to sell its ActiveWatch managed service. "The capabilities are there for identifying issues and whittling them down to things that matter most."

DiPaolo said his company's original partnership with Alert Logic was driven by customers who were required to meet the payment card industry data security standard (PCI-DSS). The spate of retail breaches in the last 12 to 18 months placed increased attention on being proactive about identifying threats, he said.

"For them to engage a security solution that provides strong ROI and they don't have to hire staff is a win," DiPaolo said. "They are more forward thinking and not necessarily responding to breaches, but actively addressing risks in the environment."

Organizations are flooded with new technologies designed to detect so-called advanced threats, security appliances that can detonate and analyze suspicious files and analytical platforms that correlate information from a variety of sources to alert about activity that may be a potential attack. The right incident response people are not getting the alerts or, if they are, they don't have the ability to efficiently prioritize them to investigate the most serious threats, said Jamie Murdock, chief information security officer at Binary Defense Systems, a Hudson, Ohio-based managed security services provider that launched this week with incident response and alert validation services.

"The biggest complaint that we have heard is that there is often a communication breakdown between the MSSP and the contact on an account," said Murdock, who is a financial industry security veteran and incident response expert. "One of the biggest areas we are focusing on is our speed in alerting and sophistication in uncovering something that needs immediate attention. If we aren't getting through, we'll escalate it."

NEXT: MSSP Adding Ethical Hacking, Threat Intelligence Services

Murdock said Binary Defense Systems is vendor agnostic and will monitor just about any security appliance and perform SIEM platform management. The firm has an alert validation service to identify and prioritize alerts for customers and an incident response service when assistance is needed to contain and properly document a security incident. At the core of the company's new threat intelligence services is Artillery. It's a global alert system developed and maintained by David Kennedy, a former chief information security officer and penetration tester and a noted security industry expert who organizes the annual DerbyCon conference for ethical hackers held in Louisville, Kentucky.

Binary Defense Systems is targeting large enterprise clients and will move into mid-market businesses in the future, Murdock said. The company may also eventually add its own SIEM system that uses threat intelligence feeds more efficiently, helps the security operations center correlate activity and speeds up identifying and alerting capabilities, Murdock said.

"Technology is only as good as the way it is deployed, configured and maintained," Murdock said. "We're going in and asking the people defending organizations what they need the most to properly work an incident and come up with something that will help the entire market."

Omaha, Neb.-based managed security services provider Solutionary, an NTT company, uses its ActiveGuard log and event management platform to detect threats impacting its customer base of about 2,000 organizations. In the last several years, the company added a dedicated computer incident response team to build out its incident response and threat intelligence capabilities, said Don Gray, chief security strategist at Solutionary.

Gray said in 2014, the team has been engaged in seven incident response extended engagements that typically run up to 100 hours. It has also had 40 customer inquiries to help investigate threats, he said.

"Before now, we did some incident response but we didn't have a formal team. But now we have a consistent workload that allows us to keep a larger response team," Gray said. "Now if our customers have an incident they can call us up and say they need help and we parachute in and help them."

Solutionary offers on-demand incident response service in which its managed clients can phone for help when a crisis happens and a proactive incident response option, in which an organization's incident responders are validated and more involved with Solutionary's team.

The company goes into education mode often, according to Gray. The security team created information to help clients determine if their systems were impacted by Shellshock, some Bash command-line vulnerabilities that impacted Linux and Unix systems. The company also released a tool to help their clients determine their system risk, he said.

"We've seen clients go from that check box mentality to finally engaging us more seriously about security and reducing their risk exposure," Gray said. "There's more pressure from the public to be more aggressive about it and we're seeing more experienced CISOs who have been intimately involved with running security programs."

Irvine, Calif.-based managed security services provider Proficio is basing its business on its HP-Arcsight SIEM and company CEO Brad Taylor said the goal for his firm is to reduce the noisy alerts generated by security appliances. The firm will work with consultants to engage clients that need incident response assistance, Taylor said.

Proficio said earlier this month it is engaging resellers and consultants to sell its SIEM and security operations center as-a-service.

A midsize organization can get 3,000 to 5,000 attacks per day from known abusive locations, Taylor said.

"The first generation was definitely a compliance check box but we've entered an age where we are completely beyond that by now," Taylor said. "Organizations are standing up a much more conservative security posture and seeking round the clock services."

PUBLISHED OCT. 16, 2014