Big Data or Smart Questions for Effective Threat Hunting

Advances in data analytics and increased connectivity have merged to create a powerful platform for change. Today, people, objects, and connections are producing data at unprecedented rates. According to DOMO, 90% of all data today was created in the last two years with a whopping 2.5 quintillion bytes of data being produced per day. With more Internet of Things (IoT) devices being produced, new social media outlets created, and the increasing number of people turning to search engines for information, the numbers will continue to grow.

So, what do we do with this overwhelming amount of data? Big data may be analyzed to reveal patterns, associations, and trends. Big data is the engine of data analytics growth and in most big data circles is defined by the Four Vs below.
  1. Volume: massive and passively generated
  2. Variety: originating from both individuals and machines at multiple points in the data value chain
  3. Velocity: generally operating in real time
  4. Veracity: referring to the uncertainty due to bias, noise or abnormality in data

Smart Questions

In a reasonably sized network, log data can be big data, but how do you extract value or intelligence from it? That has more to do with analytic capability and the ability to ask smart questions. Think of a two-by-two matrix: the data you hold is either known or unknown, and the question you want answered is either known or unknown. Known Data Known Question, the lower left quadrant, is for optimizing standardized data processes and procedures. The data sources are known, leaving only questions of timeliness and data quality.

The Known Data Unknown Question, the lower right quadrant, is best suited for domain experts such as our SIEMphonic SOC team to discover questions they didn’t know to ask. It’s part of the “threat hunting” model. You go into the known jungle but cannot say what you will find. Once you stumble upon an anomaly, you move up/down and sideways to outline the contours and study the adjacent data till the entire kill-chain is revealed.

The Known Question Unknown Data, the upper left quadrant, is about pre-defined queries and reports learned from past experience or at other installations. These are questions worth asking that are in search of data to be asked against. A value-add of a co-managed SIEM is community intelligence: once a pattern of attacks is uncovered at one installation, the lessons are rapidly applied to others to determine whether similar attacks have occurred or are occurring there.

The Unknown Data Unknown Question, the upper right quadrant, is the domain of machine learning and explorative or predictive computing. EventTracker uses the same Elasticsearch engine as its data store. Work is underway to leverage this investment to automatically model the behavior of your data in real time, to identify issues faster, streamline root cause analysis, and reduce false positives.

As the saying goes, it’s not what you have but what you do with it that counts. Our SIEMphonic Co-managed security service extracts actionable intelligence from big data for more effective security monitoring, threat detection, and incident response. Unlike other solutions, you don’t just get technology, you get outcomes!

Master the Art of Selling Managed Security Services as an MSP

Contributed by: Lily Teplow, Content Marketing Manager at Continuum

When it comes to selling security, one of the major challenges faced by managed services providers (MSPs) is changing the mindset of small- and medium-sized business (SMB) owners. With massive breaches hogging news headlines today, security is hard to ignore—yet many SMBs choose to do so because they don’t realize how “at risk” they may be.

Oftentimes, MSPs can’t progress in their sales conversations because of this mindset. But as you look to break further into the security space and offer clients a reliable solution, your journey will start with how you position yourself. In this post, we’ll share important tricks of the trade to help you master the art of selling managed security, starting with these tips.

Redefine Cybersecurity and Risk

Generally, small businesses assume they’re already protected from cyber attacks. With basic protections like anti-virus and firewall, they should be completely covered, right? Wrong.
Cybercriminals and their attacks have grown more sophisticated in recent years, innovating their attempts to evade basic protections and legacy solutions that most SMBs rely on. What’s more, cybercriminals recognize that this is a vulnerability and continuously look to exploit it. It’s exactly why 61 percent of SMBs were the target of a cyber attack last year.
When first approaching sales conversations with SMB clients or prospects, it’s best to reset the standard of how they might perceive cybersecurity and its associated risks. This doesn’t mean hitting them over the head with scaremongering statistics they’ve probably seen before. It means putting into perspective the threat landscape and the level of risk they’re willing to accept.
Ask them: “what security threats are you most concerned about?” Simply posing this question will get them thinking about what they’re up against and what they need protection from. And, their answer may be that they’ve struggled with ransomware or their employees need better security training—giving you even better ammunition when proposing your solution to address these specific needs.
Then you can ask them, “are you equipped to handle these threats on your own?” If the answer is “no”—which it likely will be—it means that their level of risk is higher than they might’ve thought. However, by partnering with the right managed security services provider, they’ll have access to a more advanced security solution to stay protected against these threats and substantially lower their risk level.

Build Trust

An SMB won’t put their business in the hands of someone they do not trust. Therefore, it’s important to present your services—and your relationship—in a way that establishes and builds trust.
This all starts with transparency. Provide peace of mind by keeping clients updated on major vulnerabilities and help them deploy an effective and secure plan of action. Also, discuss how you’re committed to keeping lines of communication open with your clients and meeting with them on a regular basis. You can even give examples as to how you’ve helped mitigate active threats for clients that are similar to them.
The next step in building trust is accuracy. A trusted MSP will be able to confirm the accuracy of threats and have the tools necessary to remain protected. Conducting routine network assessments, for example, will reassure your clients that the solution you’re providing is working and that they can rely on your partnership to keep them secure.
Lastly, showcase how you’ll be part of their team. Position yourself as a true security advisor, providing both the technical support and the security expertise they need to maintain their ideal level of protection. For many, knowing that they have a team of security experts watching out for them 24/7/365 is enough to get them to listen and seriously consider investing in your services.

Focus on the Business Benefits, Not Tech Specs

In any sales conversation or proposal, you want to steer away from concentrating on the technical features of your solution. This may be difficult for many MSPs because these features are what make the solution work, but they don’t necessarily resonate with the person or prospect sitting in front of you.
Instead, highlight the business benefits. How does your solution solve some of the pain points they’re experiencing? How does it align with their key business initiatives? Essentially, what’s the benefit of them doing business with you?
Let’s look at one example, with the business benefit being a more comprehensive security strategy. You could say something along the lines of:

“How do you fight an infection you may not even know you have? Your business needs to be able to address infections that aren't as blatant as ransomware—ones that are instead getting increasingly stealthy and evasive. Your security strategy needs to adapt, and the best answer is to partner with us.
Our cybersecurity solution can provide you with both the foundational and highly advanced protections you need. Together, we’ll be able to establish a unique protection plan for your specific environment—protecting you from the cyber threats that you’re most concerned about. Additionally, our services are backed by our team of highly-skilled security experts who take care of the analysis, monitoring, and threat intervention needed to stop attacks in their tracks and keep your business safe.”

When selling security services, keep in mind that it’s no longer a question of if businesses need security; it’s a question of what level of security they need. With these selling tips, you’ll be better equipped in your sales conversations to convince prospects and clients that you can provide the level of protection they seek.

Three Causes of Incident Response Failure

Breaches continue to be reported at a dizzying pace. In 2018 alone, a diverse range of companies — including Best Buy, Delta, Orbitz, Panera, Saks Fifth Avenue, and Sears — have been victimized. These are not small companies, nor did they have small IT budgets. So, what’s the problem?

Threats are escalating in scope and sophistication. Oftentimes, new technologies are added to the enterprise network without being fully tested for security flaws. This creates issues for security teams, making it difficult to defend gaps and protect against persistent threats. Another issue facing security teams is that an overemphasis on prevention has caused underinvestment in security monitoring and incident response.
Is your team faced with any of these three issues that can lead to failure to respond to incidents, malware, and threats properly?
1: Alert fatigue: multiplying security solutions to tackle the threat avalanche, causing a large alert volume.
Even when centrally managed and correlated with a Security Information and Event Management (SIEM) solution, the workload of verifying and triaging an alert often overwhelms an in-house security team. The harder parts of research and enrichment come after the alert is verified: defining the who, what, where, when, and what to do about it. In the meantime, more alerts continue to pile up, making it difficult for an in-house security team to keep up with the ever-changing threat landscape.
2: Skill shortage: everyone has a limited security budget.
Even if budget were a non-issue, the skill shortage continues to be acute globally. Where can you find a mass of capable people? And how do you train and keep them? By the way, did you notice that management seems to be somehow more amenable to buying yet another tool than adding headcount? Artificial Intelligence (AI) continues to be a mirage; self-driving cars, anyone?
3: Tribal knowledge: security processes require a transfer of knowledge from senior to new or junior resources.
Incident response requires a deep knowledge of existing systems and reasons why things are set up the way they are. Even when highly documented policies and procedures are in place, companies often rely heavily on their most senior analysts to make decisions based on their experience and knowledge of the organization. 
Throwing money at this problem is not the answer; working smarter is. If you have problems with alert fatigue, skill shortage, or tribal knowledge, Co-Managed SIEM can help you. According to Gartner’s How and When to Use Co-Managed Security Information and Event Management report, “Co-managed SIEM services enable security and risk management leaders to maximize value from SIEM and enhance security monitoring capabilities, while retaining control and flexibility.”
Download the full report to gain insights including how to identify current gaps, project goals and use cases, as well as guidance to help you evaluate and select the right provider.