The “Detect-Only” Scheme – 10 Things I Hate About Cybersecurity: A Love Story

Pareto Cyber

Hi! I am Nick Gipson, the Director of Cyber Operations here at Pareto Cyber. This is Part 5 of my 10-Part series on “10 Things I Hate About Cybersecurity: A Love Story” where I dissect the problems within this industry and my personal encounters with them. You can find the other parts of this series here.

The Issue

I’ve already discussed the concept of “ticket mills” in a previous post. These Managed Security Service Providers (MSSPs) generate tickets for security alerts without adding any context and without delivering those reports in a form the client can act on.

Today, I want to discuss another layer to the issue with these types of service providers – detect-only services. 

A shocking number of MSSPs offer only threat detection, with no option to help clients remediate the threats they detect. I’ve started calling them “check the box” vendors, because an offering that bare-bones exists only to satisfy a compliance requirement.

You hire a cybersecurity firm so that you can say you’ve taken care of it, when in reality your security operations have not improved. The MSSP is there entirely to let you keep up appearances and check off that box in your compliance reports. Meanwhile, the actual security alerts that vendor generates sit unopened in your inbox, because you don’t have time to look at them, let alone act on them.

Why It Matters

Some of our clients at Pareto Cyber outsource different aspects of their cybersecurity operations to other vendors at the same time while working with us.

Typically, the intent is to divide the client’s environment between providers: we handle one part of the network, while another MSSP handles a different part. In theory, this is a reasonable way to outsource security operations.

In practice, the client can end up worse off than they were before they hired any cybersecurity services at all. I see the same pattern all the time:

  1. A client has another vendor detect threats on a specific part of their infrastructure.
  2. That vendor sends out emails listing out alerts with no recommendations for what to do next.
  3. The client panics, realizing they have no idea how to remediate any of the detected threats.

I get panicked calls from these clients, telling me, “Nick, I don’t know what to do with this case.” The MSSP detected threats and sent an inadequate report, causing fear. Yet, they won’t do anything to help alleviate those fears.

The clients who talk to me usually end up hiring Pareto Cyber to take over and actually help with the necessary remediation steps. But not every company has that option, so what happens then? A business stuck with a detect-only MSSP is forced to handle threat remediation internally, yet most internal IT teams have no security or incident response background.

How can a client possibly be expected to remediate threats when they require outsourcing for detecting those threats in the first place?

What Can We Do?

Threat detection and remediation services should always be offered together

Sending the email reporting on threats is the easy part. What happens AFTER that email goes out? How does a service provider make sure that the activity detected is taken care of?

At the end of the day, we are here to help protect our clients’ data. Simply pointing to a problem doesn’t do much to achieve that goal. If a breach occurs, how much consolation will the client have from knowing that they were alerted to that breach a month before?

That’s why at Pareto, we always work on actually taking the necessary action to resolve any threats we detect. 

Even if we have not been hired to do remediation directly, we make sure that it’s handled correctly. We follow up with the client and provide recommendations, confirming that threats have been addressed in some capacity.