While managed security services providers (MSSPs) have been remotely managing firewalls and anti-virus software deployments for years, it’s become clear over the past 12 months that new classes of threats are doing an end run around those core security technologies. For example, ransomware, which is usually downloaded by an end user who has been tricked into thinking a particular email is a legitimate message, is not something a traditional firewall alone can defend against.
Because of the rapidly evolving threat landscape, a new survey of 591 IT and security professionals conducted by the Ponemon Institute recommends that IT organizations begin to employ cyber threat monitoring tools that keep track of, among other things, social engineering attacks that are starting to proliferate across various social media networks.
The study finds that just over half of the respondents (51 percent) say they intend to increase usage of cyber threat monitoring in the next 24 months. From an MSSP perspective, the most significant aspect of that increase is the fact that 35 percent of the respondents already outsource this activity, while 40 percent say they are not interested in outsourcing.
And yet, 83 percent of respondents believe their organizations are not effective in monitoring the Internet and social media. According to the survey, the main barriers to achieving a more effective monitoring approach are insufficient risk awareness (50 percent), lack of knowledgeable staff (45 percent) and lack of technologies and tools (43 percent).
There is, however, more interest in specifically outsourcing the monitoring of threats as they appear on social media outlets (39 percent). In fact, 79 percent of the respondents described their security processes for Internet and social media monitoring as non-existent (38 percent), ad hoc (23 percent), or inconsistently applied throughout the enterprise (18 percent).
What makes that troubling is that these types of attacks now make up 30 percent of the external threats IT organizations contend with, but only 17 percent of respondents say they have a formal process in place that is applied consistently across the entire enterprise. Well over a third (38 percent) say their companies do not monitor the Internet and social media to determine external threats their companies face.
Keeping up with evolving threats
Both IT professionals and the business leaders they serve are starting to recognize that something has fundamentally changed across the IT security threat landscape. While AV software and firewalls continue to play a critical role in protecting businesses and their data, it’s apparent that multiple forms of malware are now being delivered, so new types of IT security need to be put in place.
In terms of how critical those defense mechanisms are, respondents ranked monitoring mobile apps as most important (62 percent), monitoring for social engineering activity or reconnaissance (61 percent), monitoring cyber incidents (60 percent), monitoring branded exploits (59 percent), monitoring for spear-phishing infrastructure (58 percent) and monitoring phishing scams (57 percent) as being their top priorities.
A full 60 percent also say that tracking phishing IP addresses is considered essential or very important to reducing external threats. Respondents pointed to malicious mobile app details (59 percent), rogue domain data (54 percent), and malicious Twitter handles (52 percent) as key threats to track.
Challenges for MSSPs
Of course, therein lies the rub. With 40 percent of the respondents not considering outsourcing IT security, that leaves another 60 percent that either already have outsourced (35 percent) or are open to the concept (25 percent). For MSSPs to really grow they need to get more of 40 percent that don’t plan to outsource IT security to change their minds.
In many cases, that will mean going around clearly conflicted IT and security professionals to some extent. They clearly recognize that the scope of the threat is well beyond anything they can handle. At the same time, many IT and security professionals are simply afraid to give up control of the task, mainly out of fear of being made redundant. As a result, many of them try to play a cost card that winds up leaving the business exposed to a level of risk that is several orders of magnitude higher than the cost of a managed security service.
For most MSSPs, this isn’t a new conversation. But as the IT security threat landscape continues to rapidly change, it’s apparent that many of those internal IT and security professionals know in their hearts that they now have even less of a leg to stand on than ever.