Getting Proactive: How Managed Security Providers Boost Preventative Security, Too
Originally written and published by Manoj Srivastava for Forbes.

My previous Forbes Technology Council article explored the rise of managed detection and response (MDR) services, and the growing number of organizations, especially mid-market and smaller, choosing to outsource real-time threat protection to a specialist cybersecurity partner.
That article detailed the different flavors of MDR services, but you might have noticed something they all had in common: As powerful as the “DR” elements of MDR might be, they’re fundamentally reactive, responding to problems during and after they’ve occurred. Ideally, a comprehensive managed security offering would include proactive components, too, to prevent breaches from happening in the first place.
Those proactive elements of cybersecurity are now becoming an important part of MDR services. What kinds of services focused on “cyber hygiene” are MDR providers folding into their offerings, and how can you identify those most relevant to your business? Let’s take a closer look.
Building Proactive Protection
Managed security providers have gotten very good at detecting and remediating threats for customers. But a truly robust cybersecurity program should anticipate and prevent them as well. Now, security leaders are advocating a more comprehensive approach to cybersecurity, placing more emphasis on preventative interventions. These efforts draw on the context of what organizations know today—about the threat landscape, past breaches and their own environments—to reduce the likelihood of successful breaches tomorrow.
Gartner’s framework for “continuous threat exposure management” (CTEM) details how organizations can expand cyber efforts beyond the merely tactical. It recommends things like proactively identifying potential entry points, developing risk profiles and prioritizing threats most likely to target your business.
Gartner estimates that by 2026, organizations that prioritize security investments based on these approaches will be three times less likely to suffer a breach.
This shift to more holistic approaches is great news—at least for organizations with in-house experts to staff proactive threat management programs. For everyone else, managed security providers are stepping up to fill this void, adding proactive exposure management to MDR portfolios.
Forward-Looking Protection
Preventative security offerings can encompass services to improve cyber hygiene. These can include:
• Vulnerability Prioritization: A typical enterprise SOC might see tens of thousands of alerts daily. Winnowing those down to the subset that represents a clear and present danger to the business is immensely difficult, even for enterprises with expert analysts on staff.
For those without, vulnerability prioritization services can help. These services collect threat data from a variety of sources and apply various techniques (such as the MITRE ATT&CK matrix, or prioritizing exposures being actively exploited in your industry). In-house staff still typically perform the actual patching, but with a partner analyzing and prioritizing vulnerabilities, they can focus on the most urgent issues first.
• Security Control Effectiveness: Originally part of advanced attack simulations, security control analysis has become a critical element of proactive cybersecurity approaches. That’s especially true for scenarios where organizations choose not to patch a vulnerability, such as when bringing down an older system would be too disruptive. In these cases and others, you may choose to put security controls around a system instead.
This makes it essential, however, to continually verify that those measures remain effective over time. Do you still have the right access controls in place? Are firewall rules configured properly? Are policies revoking access for employees exiting the company consistently enforced? Forward-looking MDR providers can now help answer these questions.
• Phishing Awareness Training: People remain one of the biggest parts of the attack surface, with phishing and social engineering attacks increasingly targeting employees within an organization. Some MDR vendors now offer security awareness services to prevent phishing attacks. These can include education and automated incident response, where their offering detects (or even simulates) phishing attacks and identifies employees who need additional training.
• Threat Hunting: Threat hunting has existed for years, though usually only in large organizations with sophisticated cybersecurity programs. Here, a vendor analyzes your infrastructure, through its products, its team of analysts or a hybrid of the two, to identify cyber threats you might not be aware of.
Traditionally, threat hunting has revolved around using known indicators of compromise or attack (IOCs/IOAs) to identify relevant threats. Additionally, understanding attackers’ patterns of behavior and verifying those behaviors in the context of an organization’s environment can help prioritize which threats to focus on. Vendors can use advanced machine learning approaches to help accelerate that prioritization, and this is becoming a standard component of MDR services.
• Cloud And Identity Misconfigurations: As enterprises move more of their IT stack to the cloud, we need to evolve how we think about “vulnerabilities.” Traditional network and software vulnerabilities don’t necessarily apply in these environments. However, businesses should absolutely be concerned about cloud access and identity misconfigurations, which could allow attackers to steal data or launch attacks inside the environment.
These threats are growing, with 90% of businesses reporting identity-related incidents last year. Now, security partners can analyze configurations across an enterprise’s cloud and identity infrastructure, even including Docker images and containers through their entire development life cycle and into production. Bringing identity into the context of those environments is key to narrowing down critical misconfigurations.
Closing The Circle
Each of these proactive services offers important protection, but none represents “the” intervention to prevent future threats. A comprehensive cybersecurity program should encompass multiple preventative approaches, alongside multiple layers of traditional defenses. But how can staff possibly keep up with all those layers and approaches?
Ideally, cybersecurity should function as a platform—ingesting signals from diverse best-of-breed tools via a common data fabric, building out context and then layering proactive and reactive measures on top (such as introducing anti-phishing training for employees as a value-added service to further strengthen the cybersecurity program). This approach would simplify how enterprises operate security tools, without compromising on capabilities.
What would such a platform look like as part of a managed service? And how might it help address business elements of cybersecurity, such as risk management, compliance and communicating with senior executives? I plan to explore those questions next.
Date published: March 21, 2025
Author: Blackpoint Cyber