Security Services Experts: 8 Ways Security Is A Hot, But Chaotic, Market

Security Services: Some Solution Providers May Be Left Behind

Managed security services providers are building out more extensive professional services, either by adding security design and architecture consultants or by standing up a security operations center with specialized incident response teams. Smaller resellers and consultancies with strong security practices face some significant challenges if they want to follow, according to security services experts interviewed by CRN. For those that can overcome the obstacles, the opportunity is there.

CRN spoke with Kris Lovejoy, formerly a chief security officer at IBM, who now heads the company's managed and professional services organization and is looking to expand its operations. At Intel Security's Partner Summit, CRN interviewed Mark Behan, director of security at Dimension Data North America, and Dan Wilson, executive vice president of partner solutions at Accuvant. Here's what they had to say about the chaotic security services market, how some firms are expanding and why some solution providers may not be able to keep up with the pace of change.

Managed, Professional Security Services Market Snapshot

Lovejoy said large managed service providers are growing larger. IBM and other large organizations that offer a mixture of managed and professional services can cover the whole stack: architecture design, implementation, and security management and incident response.

Most providers started solely with managed services. Large telcos, such as Verizon and AT&T, have specialized in security management and incident response and are now moving down the stack into implementation and design services, Lovejoy said. VARs and consultancies sit in the middle, specializing in implementation and monitoring, and are moving either up or down the stack, building out a design practice or an incident response practice as a differentiator.

For Smaller VARs, Finding, Retaining Skilled Staff A Challenge

The main barrier to entry into managed security or professional security services is expertise, said Mark Behan, director of security at Dimension Data North America. "There is no substitute for expertise in the security business. Whether it is professional or managed services, you are not going to bluff it and get away with it these days. The challenge for all of us is finding talent, even for established security solution providers like us. For a smaller player to establish a team is a very tough thing to do," Behan said.

Clients are looking for consultative help that is independent of any vendor's solution. They want someone to help them lay out a road map of security activities, and they want those activities tied to the overall goals of the business or the business unit. That takes a tremendous amount of experience, Behan said.

Solution Providers Can Assist Risk, Policy And Architecture Teams

The risk team identifies the threat landscape and the organization's vulnerabilities, determines their impact, and defines the requirements that need to be addressed. The policy and architecture team lays out the road map and the architecture required for implementation. It owns the catalog of controls, meaning the security technologies that should be implemented to address the identified threats. Once the technologies are selected and implemented, they are handed over to an operations team.

"In the past, clients would come and tell us exactly what they need. Now they don't know what they need. It's not even about the product side -- it's about taking a few steps back and doing that higher-level strategy, applying that and building an architecture out," said Dan Wilson, executive vice president of partner solutions at Accuvant. "Then you can get to the individual discrete service or product offerings to solve their problems."

Operations Team Chaos

The operations team is a mixture of network professionals, application development staff and data specialists. It also includes infrastructure specialists, endpoint and social media specialists, and even superusers who specialize in the organization's different lines of business, Lovejoy said.

Organizations are looking for new ways to manage across these ecosystems: what the operational model needs to look like, and what additional capabilities are needed to make everything work together, Lovejoy said. It is a frequent problem area at most organizations. The opportunities are becoming more programmatic, said Dimension Data's Behan. Clients are now asking how to roll out a new application securely. Answering that takes someone with business-function expertise who can talk to the application people and the networking people, then bring it all back together in a way that is secure and meets the client's requirements, Behan said.

Assistance Required With Metrics, Measurements

Businesses increasingly need help determining whether the security risks they have identified are actually being controlled by the security technologies and policies they have implemented, Lovejoy said. Most organizations aren't running an effective metrics and measurements practice, she said. Key risk indicators and key performance indicators need to be well defined before an organization can tell whether it is doing a better job of addressing its risks.

If an organization wants to know whether it is getting better at blocking sophisticated attacks, a key risk indicator would track the number of sophisticated attacks that led to compromises and whether that number is decreasing. Key performance indicators measure the controls that were implemented (endpoint security, security awareness training and network monitoring, for example) to show whether each control is operating the way it was intended to. The metrics team works with audit and compliance to gather the data, then reports the results back to the organization.

MSSPs Doing Level 1 Alerting Seeing Declining Profits

Level 1 incident response consists of analysts who look at alerts and determine whether or not they need to be investigated. Some security vendors are trying various ways to automate this area, but according to Lovejoy, "a good Level 1 guy knows how to find the patterns in the chaos." This is where the market stands for most resellers and regional managed security services providers.

This is also a market that may be commoditizing, with an influx of outsourcing to India cutting into profits, Lovejoy said. Patch management, application vulnerability scanning and identity management may help offset the losses to offshore outsourcing, but what used to earn an MSSP $30 a device now earns about $10 a device, Lovejoy said.

MSSPs May Require Deep Forensic Analysis Knowledge

If an alert is judged suspicious, it is escalated to a Level 2 responder within the organization, who determines the severity of the threat. If it is indeed a serious issue, the incident is escalated to Level 3 response, typically the digital forensics teams at FireEye-Mandiant, Accuvant-FishNet, IBM, KPMG and other large organizations.

These teams work alongside hunter teams that do vulnerability assessments and penetration testing, Lovejoy said. Together they can find every system within the organization that has been compromised and trace the attack from the first compromise to the point at which data was actually stolen and uploaded to a remote server. "These guys do a mixture of proactive work and reactive work, but they work together," she said.

Enter The Next-Generation Security Operations Center

Most organizations are trying to figure out how to create a new operational model that ties day-to-day operations to incident response, Lovejoy said. Organizations typically see this problem in terms of discrete requirements, such as data security, identity and access management, security infrastructure, mobile and endpoint security, network security, and critical infrastructure protection around the supervisory control and data acquisition (SCADA) systems that run power-generation plants, chemical refineries and other critical infrastructure facilities.

"At the end of the day, the customers want a continuum of services; they want design, implement and run," Lovejoy said.