Questioning the value of the security you have is a necessary and valid exercise, especially when coupled with a detailed understanding of its effectiveness. As a cyber security vendor, we’d be remiss if we didn’t regularly ask this question of the things we do for clients, as well. This blog is about what happened when we thought about the value of our own product when the things it defends are not being attacked. We call this Peacetime Value.
Peacetime Value is multi-faceted, containing more insight than we can fit in a blog – so note this is a high level view, and the devil truly is in the detail. Look out for more on Peacetime Value over the next few months – or get in touch via the email address at the end of this article to find out more.
Security insights and threat research
Peacetime Value helps customers understand their estates better, see and manage risk, and generally improve their organization’s security posture. What do we mean? Security insights use the data Countercept collects to provide better visibility of the risks associated with the misconfiguration of existing security controls. These insights become more valuable when combined with threat research – intelligence on what’s taking place outside the customer’s immediate environment. Combined, these two things give people visibility of risks relevant to their organization’s profile, location and industry vertical.
Part of this is also about providing the insight that helps security teams climb over that steep, treacherous ridge that sits between reactive and proactive measures. In a situation where you’re forced to react to change, it’s almost always the case that becoming proactive takes significant effort. Ensuring the basics are there and that learning occurs during peacetime are both valuable – whether you’re batting away attacks or enjoying a respite.
Don’t rely on incidents for education
Similarly, you shouldn’t wait for an incident to occur before pinpointing potential weak spots. Searching for the gas leak with a lit match is effective in that you’ll definitely find it – but it’s by far from the best way to do it. Plenty of advice organizations receive from existing MSSPs is based on lessons learned from the customer’s security incidents, after the event rather than before it.
While it’s vital to learn from events when they occur, it shouldn’t be the only source of insight, and you shouldn’t have to rely on incidents that might not ever happen in the first place. Assessments take place at the end of a process that begins with an attack.
This is where our security insights come in: using all the data we collect we can identify and quantify misconfiguration before it ever leads to an incident. The data we collect as part of our service doesn’t always show anything inherently malicious is happening, but we can use it to spot potential risk.
Understanding your organization’s security posture and risk profile shouldn’t be dependent on getting attacked.
What does this look like?
One example might be Remote Access apps and tools. We’ve alerted customers in the past to a huge variety of this sort of software installed by users without permission. This security rule is often with the best intentions to get a job done, or as a workaround. Another might be a prevalence of local admin rights on user systems. Then there’s checking security tooling is up to scratch and searching for outdated operating systems or other software. Alerting and risk scoring at the right point in time can be worth its weight in gold.
Putting it in Business Language
It’s one thing to provide this sort of insight for a technical audience, but it’s another to explain it to a typical board of directors in a way that they can use to make informed decisions. Security controls like MDR ultimately help manage business risk. If what they do cannot be articulated without jargon to a business audience, then it can be hard to fight to retain valuable tools in the face of so many competing business priorities.
This isn’t just about identifying areas of investment and building business cases, either; often existing systems, teams and investments can be harnessed for further value.
This ‘translation’ work can be time consuming, and conveying business risk, prioritisation and (if needed) budget spend needs useful insight into business value, risk and opportunity. This also has an impact on the reactive / proactive challenge I mentioned earlier: moving from the mindset of cybersecurity as an insurance policy to and understanding of the insight and intelligence it can bring to the situation to guide wider business, technology and security decisions.
Risk scoring your organization
The long term aim of what we’re doing with Peacetime Value is to develop a way for our customers to see at a glance what risks their organization faces – and how well their security posture adjusts to threats and adapts over time. Our customers already benefit from Peacetime Value and are using the insights we provide to make better business decisions – as well as better articulating their role and the role of MDR to the wider business. Get in touch with us at mdr@f-secure.com to discuss what you’d like to see from a Managed Detection and Response service when it’s not defending your organization from a live attack.
Categories