
Monday, April 24, 2023

Why today’s hybrid IT complexity makes 'as a service' security essential

Amid rapidly growing IT security costs and the added complexity of distributed workforces, the challenges facing IT services providers are clearly outrunning past practices. That’s why more automation, integration, and acquiring security “as a service” are in hot demand.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.


Stay with us now as the next BriefingsDirect security innovations discussion examines how Heartland Business Systems is seeking such new ways and new partners to ensure that security incidents are kept in check across a variety of hybrid IT services and scenarios.

Here to share his story of increasingly embracing security-as-a-service is Jason Nuss, Vice President of Cloud Services at Heartland Business Systems (HBS) in Little Chute, Wisconsin. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.


Here are some excerpts:


Gardner: Jason, what are some of the top trends driving the need to do things differently when it comes to risk management and endpoint security?

 

Nuss: Endpoint security is getting more important and broader every day. Cyber insurance definitely has had a huge influence over the last several years. I can remember when cyber insurance applications were just a couple of questions. Now, in some cases, they’re a dozen pages long.

 


That’s urging more requirements to tighten up security practices. At the same time, the hackers are getting smarter, and they’re moving to new techniques. You know, we’re starting to see more extortion as opposed to just encryption scams, which really has a much greater effect not only on a specific customer, but sometimes on that customer’s clients as well.

 

During the last few years of the pandemic, we’ve also seen a migration to a more mobile workforce. Some of the companies we work with have closed their office doors. They aren’t going back to physical offices, which has brought in other challenges when it comes to making sure their environments are secure.

 

Gardner: And how about the current hybrid IT environment? How is that forcing you to do things differently?

 

Data is everywhere, but is it secure?

 

Nuss: Data is now everywhere -- as is your staff. We used to be able to secure inside of your walls and you didn’t have to worry so much about external trends. But now we have people working from home and accessing home networks, which makes those endpoints even more vulnerable to more security threats than the ones behind your corporate firewall.

 

You also have more cloud data and cloud services applications. You need to make sure those are secure as well, which plays a huge new factor. One of the common misconceptions we see is that everything from the cloud is perfect.

 

A lot of people think that cloud-based software-as-a-service (SaaS) applications include everything and that they are fully secure and fully redundant. But that’s just not the case. People need to take more time to look at the services that we’re adopting and make sure the providers are on the up-and-up. Do they have all the proper security tools, backups, and disaster recovery? Should they have an outage, how will that impact our businesses as well?

 

Gardner: Right, we have to evaluate the security robustness, if you will, of our entire technology supply chains.

 

Nuss: Absolutely.

 

Gardner: How about rising costs, such as for labor? How is that affecting your ability to deliver security effectively?

 

Nuss: Security costs over the last several years have gone up quite a bit. I often tell customers that security costs have gone up 500 to 600 percent from what they were five years ago.

 

I’ve been around this industry almost 30 years now. Before, you only had to worry about an antivirus product and a modem for connectivity to the Internet. Then it moved into buying firewalls. But now you have things like endpoint detection and response (EDR), managed detection and response (MDR), and extended detection and response (XDR).

 

It’s very confusing. You have security information management (SIM), security operations centers (SOCs), privileged access management (PAM), and all these other new technologies that make the landscape very, very cloudy. No pun intended.


But you know, sometimes we have to right the ship for the customer to make sure that we’re looking at security from a proper rollout perspective. You’re starting with the most critical things, whether it be a backup or multi-factor authentication or endpoint security. And then maybe layering on some of the additional services. But it doesn’t make sense for our customers to start out with penetration testing if they haven’t secured their environment ahead of time. We’re going to find out holes, right?

 

Gardner: And why is SaaS and more automation generally attractive to folks like you as you’re specifying the next generation of security?


Expertise at scale

 

Nuss: Expertise at scale is very important -- and often overlooked. Just making sure you have a SOC, and maybe if it’s a guy or two, that is not good enough. You need to be able to react appropriately.

 

So having a larger staff, having a knowledge base behind that, is very important in solving the protection issues -- or even identifying the security issues quickly. Automation is critical to that. When you’re ingesting hundreds of thousands -- or millions -- of logs, you need to be able to comb through that data really quickly. So, automating that is critical. You’re starting to see more artificial intelligence (AI) and machine learning (ML) take over in that space. A lot of the more recent products are using those technologies to identify threats before an analyst would have caught them manually.

 

Gardner: As we mentioned before, we have to be concerned about our suppliers and partners --- perhaps more than ever. They can come under attack as well. How has that changed how you look at your suppliers?

 

Nuss: As far as our suppliers go, we’ve started to take a deeper look at the supply chain completely. There are a lot of smaller companies coming out with new technologies. As we look to vet things, not only are we vetting on functionality, but we’re also vetting on security elements.

Just recently, we were looking at a product that would integrate into our customer resource management (CRM) tool to do better data mining out of Microsoft 365, Exchange, and Outlook. And, you know, we came to find out that, hey, that data is being stored overseas. They’re also injecting a bunch of email messages, and so we had concerns around those tools.

 

Just turning on an application programming interface (API) isn’t always a good thing. You want to make sure you’re minimizing the impact should they have a breach and that it does not impact you as well. You have to look over the vendors and make sure that they’re following best practices. If they’re not, I think it’s good to call them out and let them know. Such as, “Look, you don’t need access to all of these tables for the pieces that you’re trying to access. Let’s minimize the blast radius should you be compromised and so as to not affect us as well.”

 

Gardner: So, it’s services-subscriber beware, right?

 

Nuss: Absolutely. You know, with some of the other things that are playing into it as well, with the mobile workforce, you have to secure the edge and make sure you have good endpoint controls, firewalls, and other components.

 

That was one of the things where Bitdefender rose above the rest for us. They were able to store those things, looking at other cloud storage providers. You know, you also see shadow IT out there. I cringe when I hear people that don’t have corporate policy around cloud storage and where they’re putting up data using things such as Dropbox or Microsoft OneDrive. It’s okay to use those, but make sure you have a governance policy around them, such as a backup strategy and how you’re going to secure that data.

 

Gardner: We have seen a lot of cloud services use sprawl and ungoverned use, for sure. Eventually, you have to gain maturity about how you do that.

 

Let’s hear about Heartland Business Systems (HBS). Tell us about your company. What you do, and what do you think distinguishes you from other managed service providers (MSPs)?

 

Widespread, yet local service

 

Nuss: HBS is based in the Upper Midwest; we’re just south of Green Bay, Wisconsin. We’re now up to about 12 locations throughout Wisconsin, Minnesota, Illinois, Iowa, Nebraska, Missouri, Arkansas, and Arizona. We have been around since the 1990s, with around 650 total employees and about 350 technical service professionals across many specializations.

 

People often ask what sets us apart from the other guys in the industry. I think there are a couple of things. We have both breadth and scale. We also believe very heavily on having in-market expertise where we have a physical presence. We try to have expertise so that when our teams are going out on-site, we deliver a quality experience. We’re not always relying on engineers from the center of our company, so to speak, to roll that out.

 

Our expertise is widespread. So, we not only do the normal networking- and systems-type work -- with a robust Microsoft practice; we’re a gold partner in 16 of 18 different competencies -- we also have an enterprise security and risk management team. [They can also help when] you’re doing compliance audits, vulnerability assessments, and penetration testing. Just in December, we purchased another company, Pratum, that has a SOC-as-a-service offering. It will be interesting to see how that plays into our security offerings over the coming months.
 

Gardner: When you talk about breadth and scale, that sounds like you have to scale not just up but down and sideways, if you will. That means servicing a lot of different types of organizations across a lot of different industries. So how do you serve that variety? How do you scale up and down and remain efficient?

 

Nuss: It’s sometimes difficult to address all the different markets. Our total market is pretty much comprised equally, in thirds, of small-and-medium business (SMB), medium-to-large enterprises, and then the government and education spaces.

Sometimes those needs are very different. You have to have offerings that address the needs that they all want. In the SMB space, they typically don’t have security professionals, so we end up being the security professionals for them.

 

In the enterprise space, a lot of times it’s more of a co-managed solution set. You have to have solutions that address the needs of each of those different classes. For us, we have separate engineering teams in a lot of those spaces, where they focus on specific technology stacks for the specific market segment. They become more expert there, with an SMB-type engineering staff as well as an enterprise engineering staff. They focus on different manufacturers, in some cases, and more elaborate technology at the higher end of the spectrum.

 

Gardner: With a sizable public-sector business, and I have to assume quite a bit in education and schools, how is that a challenge for security?

 

Nuss: The biggest challenge in the public sector is often budget. A lot of times it is so focused on hardware migrations – the replacing of endpoints at the desktop, networking, or servers – that security gets overlooked, even though it’s more and more important.

Also, for them, they’re trying to solve physical security concerns in addition to IT security. So, we work with customers on things like video surveillance systems, ID badges, and access control systems.

 

On the IT security side, we look at building best practices around policy. Everything starts with that policy, and then you can measure against that policy as you move forward. They are also moving to devices that may have less susceptibility, such as Chromebooks where they’re not storing data locally. They’re storing it up in the cloud so they can better protect those cloud assets. They are then less worried about the endpoints, but you definitely have to begin with that comprehensive policy and then obtain the tool sets that go with it.

 

Gardner: Is there a positive pay back when you automate more, go policy-driven, and use cloud and multi-tenancy to their full effects?

 

Multi-tenancy critical in the cloud

 

Nuss: Yes. For us, multi-tenancy is absolutely critical. I run our cloud services division, our data centers. We have two data centers. As we looked to security tools like endpoint security, it was absolutely critical that these things were multi-tenant. We had products before we found Bitdefender to support 20,000 endpoints through a single management console. To roll out that type of scale, you have to have consistency. There are a lot of great security tools in the marketplace, but if they don’t play into your operational processes at scale, they really don’t do you any good.

 

As we evaluated for endpoint security, and EDR specifically, we needed to make sure that number one, it was a good product. We looked at MITRE ATT&CK trends and things like that to see where they were playing within the MITRE framework. But number two is how did it work into our processes and into our tool sets?

 

Could I have a global policy that I could roll out to everyone, so they knew that I had consistency? It’s inefficient for me to go touch 600 different customers within that portal to make one change. I need to make it at a global level and have that be inherited down the chain. At the same time, we have more enterprise customers who want control of those policies themselves. We were looking for a tool that would allow us to give them the access rights to customize the policy or manage their portal as they saw fit. So, we really like those aspects of it specifically.

 

Gardner: When you try all kinds of new services and products, one of the challenges in security is the sprawl of having so many tools. What do you look for when you’re evaluating your security suppliers and services when it comes to how well they integrate services, in how well they combine tools and meet more requirements, so that you don’t have to?

 

Tools and services work well with others

 

Nuss: A lot of times we’re looking for integration. We’re a ConnectWise shop end-to-end so we’d like solutions that integrate into that tool set. Whether it be pushing the software out through ConnectWise Automate and those kinds of deployment tools, or whether it’s alerting within the tool set to let us know that there’s been a ticket that’s been created, or better yet, even closing out that ticket once it’s been remediated.

 

Those capabilities are very important to us. You can’t just use email anymore to notify people of issues that arise. It just becomes noise and we’ve consulted with customers where they have things like monitoring solutions.

 

You can’t have a better example than we had when a city government here locally had a ransomware attack. They had security tools that actually notified them the day before that the hacker was in the system, but because of all the noise, they didn’t have the alerts tuned enough and the processes well defined enough so that they missed the alert. The next day, they were hit with ransomware and encrypted across the entire environment. So, you know, lesson learned -- it’s not just about having the tools to block attacks. It’s also about having the processes in place to react when the chips are down, right?

 

Gardner: Yes, and it integrates into your processes as you pointed out in your help desk or SOC and your other systems that are already in place. You have to take advantage of what you put in when it comes to fast remediation, fast alerts, and email just doesn’t cut it.

Okay, let’s think about reporting and data and understanding what’s going on. It’s about having information to the right in the right ways. What do you look for when it comes to reports for that single view, or one throat to choke, if you will?

 

Nuss: We need to be notified of the alert immediately. We’ve created mechanisms that if there is a critical alert, it’s sending a page out to people that are on call and setting off other alarm bells for us to react very quickly.

 

From our SOC services perspective, we outsource much of our MDR services. So, we create workflows with those vendors that are overseeing some of those security aspects on who should they call first, and how that escalates through our system so we make sure that those can be addressed quickly.


I tell this story to a lot of our prospects. It was the Friday before Fourth of July weekend, and I got a call from one of the SOC analysts telling us that we had someone in one of our client’s environments. They were making some lateral movements and they were pretty convinced it was a hacker.

 

Had that gone on for another three days, who knows how they would be? Now, the good news to the story is it wasn’t actually a hacker. They were having a penetration test done within their environment over the weekend -- so no harm, no foul there. But, you know, had that been somebody that was in there, you hate to even guess how far they could have gotten throughout the environment, how pervasive that could have been without having someone notified quickly.

 

Many of our clients have seen that in one of their portals. Had they gone in there, they might have seen it in an email when they got to it, maybe the next week when they got back from vacation. But when it comes to security, time is money.

 

Gardner: Let’s look at your security solutions choices. How was your journey in terms of solving these issues?

 

Nuss: There are two aspects to it. As we looked at endpoint security, we spent more than a year analyzing different platforms. We looked at all of the major vendors out there, the Microsoft Sentinels, the CrowdStrikes, the Sophos, you name it -- we looked at all of them. We narrowed them down from their “based-on” capabilities, based on some of the tool set integrations, based on their go-to-market strategies, some competitive natures. Then we went in and started doing field trial tests, so we put them in place. We would kick the tires, test integration with our tools, to make sure those workflows came through, and then we moved forward from there, rolling that into our offerings.

 

It’s a pretty detailed process -- one that was probably more detailed than many of them out there. That’s a big aspect of making sure you’re not just jumping in and saying, “Well, this one’s rated really well. Let’s just take that and move forward with it.”

 

One of the competitors in that particular space that we looked at -- we really liked the product, but we also looked at financial capabilities of the company. You know, they should be profitable. They shouldn’t be hemorrhaging cash left and right. You need to make sure that they’re going to be in there for the long haul. Having been in the IT space for 30 years now, we’ve seen a lot of great vendors come and go. And so that’s almost as important -- their financial viability -- as is the technology.

 

Gardner: How much further do you have to go to get to where you need to be?

 

Operational maturity for success

 

Nuss: It’s always a constant evolution. With security changing so fast, we try to look at what is integrating more openly. Who has APIs to integrate into other tools?

 

Talking about Bitdefender, with this recent acquisition that we have had, they do a lot with Microsoft Azure Sentinel, so we’re working on an integration into Azure Sentinel so that we can have cross-platform capabilities and a layered approach.

 

We want to make sure the tools that we have can integrate with the overall platform so that we can pick and choose the right platform to deploy to our customers. The other piece of it is you really have to work closely with the customers to make sure they have proper operational maturity levels.

 

I look to five different levels of operational maturity, and you should move up and to the right in the levels. You should take that same approach with security. Make sure you’re starting with the core components to make sure that you have the big building blocks there first -- such as endpoint security, firewalls, advanced threat protection, on-site and off-site backup, and policy management -- before you move to some of the next-generation, such as SaaS technology, zero-touch network access, zero trust at the endpoint level, and DNS protection. You can go on and on and on.


Security awareness training is also key. For example, our enterprise security and risk management teams came up with a top 10 list that we present as a place to begin. And then we start to talk about where to go as your budget allows.

 

The other big thing is to get out in front of the process from a budgeting perspective with your clients. I tell them that security costs are probably five times what they were just five years ago, but we don’t necessarily see that in the budget. A lot of times, IT has a real struggle relaying the value of that to the business leadership.


I like to tell stories and relate things back to what I’ve seen in the past. For example, I was at a trade show and one of the security analysts was telling us about a letter he received the day before from one of his MSP clients. It was basically an extortion letter from a cyber attacker who said, “We’ve been in your business for the last 30 days. We have 300GB of your files. Here’s the list of files we have. You can pick any three, and we’ll send a copy of the files just to prove that we have them.”

 

This was purely financial: “Here’s how much money we want. And by the way, if you don’t pay us, we’re going to start calling every one of your competitors and every one of your customers to tell them that we have your data and then try to extort them in the same fashion.”

 

You tell that story to a business owner and it almost makes you sick. Those types of things are happening out there every day. A lot of times, I don’t think they’re very well publicized because people don’t want to know who has been hacked. But it’s real, and they need to react to it and take it seriously. By telling those stories, or if they know somebody who has been hit up for ransomware or extortion, whatever it may be, those stories make a big difference, too.

 

Gardner: On measuring that value, what are your most important key performance indicators (KPIs) to demonstrate to your leadership that you’re spending your money properly and wisely? When it comes to things like EDR and what Bitdefender is providing for you, how do you measure the value?

 

Nuss: That’s always a tough question. At the end of the day, we look at where we see threats and infections and the reactive support needs. We have an incident response team here to help clients. And we try and track what’s happening there -- how many alerts, remediations, and things that are fixed on a monthly basis to prove value.

 

From an MSP perspective, we send out reports to our clients showing all the security events that we’ve seen. These are the things that have been blocked to make sure that they understand the value that’s there. Otherwise, the value is out-of-sight, out-of-mind, right? If they don’t have a problem, they don’t necessarily think that any problems ever existed because you’re blocking something. You’re doing a good thing, but they don’t always realize that.

 

Gardner: Of course, not being hacked or ransomed or extorted also factors pretty high up there.

 

Nuss: Yes, for sure.

 

Gardner: Okay, let’s look to the future. What comes next? What are you looking to do in the next three years?

 

Take down tool sprawl

 

Nuss: Some of the big things that we’ll look at include which tools are working better together and where we can consolidate reporting. So, combating tool sprawl. It’s a real problem out there, trying to bring reporting from the different tools together so we can show the overall, cohesive strategy. That is going to be more and more important.

 

We want to work with vendors that are really open. I would be surprised if we don’t see more of the security vendors adopt standards where they’re sharing things in a more cohesive fashion. Whether it’s endpoint security, DNS protection, or zero trust – ways that security threats can be more consistently delivered to reporting mechanisms to develop better overall dashboards.

You’ll start to see more API integrations, where you have reporting tools that now are able to work with vendors to block things. So maybe your endpoint security is integrated into your SOC services. You could, at the click of the button, have a disconnect or block of a particular event automatically -- or even manually -- when they see those issues without necessarily having to move into different tools.

 

That’s where you’ll see the automation components come in. And then they’ll start to create workflows that work with that, so if an event is triggered, they can use that to run scripts against things to start to shut things down or just connect them or remediate at inception to prevent it spreading. That’s where I think things will be headed more and more.

 

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: Bitdefender.



Wednesday, March 1, 2023

Defending the perimeter evolves into securing the user experience bubble for UK cancer services provider

An underappreciated aspect of enhancing IT security is the impact on an end user’s comfort and trust in the services provided. In the case of health care services and support, making the patient feel welcome and safe can be a game-changer as they seek access to needed services and care. 

The next BriefingsDirect security innovations discussion examines how Macmillan Cancer Support in the United Kingdom (UK) places the ease of use and sense of security in the services provided as a top IT -- and community service -- requirement.


Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.

 

Here to share their story on how to develop and deliver a cloud-ready security bubble around all users, their activities, and the sensitive data they share is our guest, Tim O’Neill, Head of Information Security at Macmillan Cancer Support in London. The interview is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.


Here are some excerpts:


Gardner: Tim, tell us about Macmillan Cancer Support. It’s a very interesting and worthy organization. I’d also like to hear about your approach to securing a caring and trusted environment for your community.

 

O'Neill: We have a unique organization in that when people think of a cancer charity, they often think about the medical side of it and about the pioneering of new treatments. Every day there’s something new in the media about how swallowing a leaf a day will keep a cancer away, and things like that.

 

But we deal with the actual effects of having cancer. We help anyone who is affected by cancer. That can be a person who’s just had a cancer diagnosis. That can be the family of someone who has a diagnosis, or their employer, or other employees. Anyone who is affected by cancer can come to us for help.

 


We don’t do a lot in the medical sphere, such as creating new treatments or testing or anything like that. We’re here to look after the impacts that cancer has on your life. We help with the patient’s pathway; we help you understand it and what the implications are – and what might happen next.

We will help you financially if you need help. We believe that nobody should be cold or hungry because of a cancer diagnosis. We provide the cancer nurses who exist in UK hospitals. We train them and we fund them. We have specialist care centers. Again, we fund those. Our psychological care is done through a third party as well. But we manage that, we fund it, we maintain it. We also have an arm that lobbies the government. So, for example, in the UK we had cancer reassigned as a disability.

 

This means that as soon as you have a cancer diagnosis, you are legally recognized as disabled, and you have all the benefits that go along with that. The reason for that is that once you’ve had a cancer diagnosis, it affects the rest of your life. It does not matter if it’s gone into remission. It will still affect you.

 

The treatments are invasive. They affect you. We work in many spheres, and we have a lot of influence. We work with a lot of partners. But the fundamental core of what we do is that you can contact Macmillan when you need help.

 

Gardner: And to foster that level of support, to provide that trusted environment across the full experience, having six levels of authentication to jump through -- or not seeing your e-mails delivered properly -- can stop the entire process.

 

O’Neill: Oh, absolutely. And we have to be realistic here. We are talking at times of people phoning us at the worst moment of their lives. They’ve just had something come out of the blue or the treatments have gone badly, or they’ve had to have that horrible conversation with their loved ones. And it’s at that very point when they need to talk to us.

Asking them, “Oh, can you go and grab your mobile phone? Yeah, and stick your fingerprint on there, and now that password was not recognized. You need to change it. And by the way, sorry, that password didn’t have quite as many exclamation marks as we need. And so, now if you’d like to turn on your webcam and log in using a photo, then we’ll let you in.”

 

You can’t do that. We have to be accessible exactly when people need us. And in that instant, we can be the difference between them having a completely honest, open, and frank conversation -- or having to sit and suffer in silence.

 

Gardner: Well, I don’t envy you your position, Tim. On one hand, you have sensitive healthcare and patient data that you need to protect. On the other hand, you need to make this a seamless and worthwhile experience.

 

How do you reach that balance? What have been some of the challenges that you’ve faced in trying to provide that proper balance?

 

Keep everyone secure by managing risk

 

O’Neill: Everything is risk-based. We look at where you normally phone in from, or if you’re a first-time caller, or “Are you in a location that we trust?” “Are you in a number range that we trust?” Things like that. What’s the nature of the conversation you’re having with us?

There are a number of parameters. Not everything is a high-level risk if you are just phoning us, and you simply want to talk. If you don’t want to impart any special information or anything like that, then the risk is low. Everything is measured against risk, which is a mentality change in the organization.

And, you know, I’ve been in conversations where people say to me, “I don’t like that idea … I think somebody got it wrong” without quantifying the risk. It’s not good enough.

But if we understand exactly what the risks are, then we can understand what controls can mitigate those risks. We can choose the effective controls for mitigating the risks. And then we can take the actions and do the tasks to enable those controls.


For example, with multi-factor authentication (MFA), if your workforce is five people working from one office and you have no remote connections, that’s potentially the wrong security control. Your controls could be completely different. They will have the same effect, but they will have a more positive impact on the end-user experience.

That’s the narrative change that you have to have. One of the most challenging things, when I first came into the organization, is when we were transforming IT systems. We were starting to understand how people wanted to interact with us digitally.

Historically, our interactions had been very much face-to-face, or through phone calls as well. And with COVID, obviously, all of a sudden, all of our interactions changed. So, it became, “How do we make it so that the legacy IT systems, users, and accounts can be migrated to new, safe methods without getting rid of the history of conversations they wanted to keep?” We didn’t want to lose the knowledge that we had and the relationships we had created with these individuals.

If you’re sending emails out to people saying, “Oh, we need you to change your log-on credentials because we’ve moved to this new IT system, et cetera, et cetera.” … If that person is sadly deceased -- we’re talking about cancer here -- then potentially sending something like that to their family is not great. So, there are lots of things to consider.

Gardner: It sounds like you’re approaching this from a fit-for-purpose security approach and then grading the risk and response accordingly. That sounds very good in theory, but I suspect it’s more complicated in practice and execution. So how, with a small security team such as yours, are you able to accommodate that level of granularity and response technically?

O’Neill: Everything starts complex. Every concept that you have starts off with a million boxes on the screen and loads of lines drawn everywhere. And actually, when you come down to it, it becomes a lot simpler.

When we get to the bottom level of this: What are the risks that we are trying to mitigate here? We are trying to mitigate the fundamental risk that an individual’s information may end up with the wrong person. That’s the most important risk that we’re trying to manage.

And bear in mind that people will tell us about their cancer diagnosis before they’ve even spoken to their family, friends, … anyone. And they will phone us at the darkest moments and talk about suicidal thoughts. Those are conversations that you do not want anyone else to have visibility into.

When we get to such a stage that we are entering into something problematic on privacy or risk, at that point, we will do extra validations. Again, it’s all based around the particular risk. You have your conditional access element risk whereby you’re looking at where people are coming from. You’re looking at historical interactions from that location and you’re extrapolating that information to have a choice made automatically based on it.

But then you’re also talking about training of individuals where they don’t need to go through vetting questions at the start of conversations but once they get to a point where the nature of it changes, and the data risk of that conversation changes, at that point controls need to be applied.

Start off complex, and then bring it all down to the simplest level, and focus on the one thing that actually matters, which is the risk.

Gardner: Well, at the same time as you’ve been embracing this model of risk-balancing, you’ve also faced a movement over the past several years to more cloud-ready, cloud-native environments. And that means that you can’t just rely on programmatic web application firewalls (WAFs) or creating a couple of filtering rules for your network.

So, how do we move securely toward such a cloud or mixed environment? How is that different from just building a security perimeter? Previously, you’ve mentioned to me a “security bubble.”

Remain flexible inside your security bubble

O’Neill: The new models are different in a number of ways. What’s historically happened with information security is somebody says, “I have this new system.” Then you ask, “What’s the system? What’s the risk? What are you doing with it? Where is the data going?”

And so, you designed the security around that system – but then you get a new system. Is that one okay? Well, then you design a new bit of security. You end up with a set of tools that you apply to each one. It’s slow, and it’s prone to failure because people design the system first and its uses change. It can also lock the organization in.

If we take an incredibly simple thing, which is the storage of data, an organization might say, “We’re an Amazon Web Services (AWS) cloud house.” Wherein it’s your house, but as we mature with these cloud strategies, people are going to start leveraging economy of cost of storage by moving their data dynamically to the less expensive storage locations. And when one cloud storage offering is cheaper than another, then your data will fly across to that.

We can’t work in the old way anymore within cyber security and information security. What we have to do is create this security bubble that we’ve been talking about. It allows the organization the flexibility to change the security strategy.

For example, every year or two, we suddenly go, “There’s a new threat. Here it comes.” Yet every threat works in fundamentally the same way: You have to get in, you have to get the rights to see what you’re doing, and you have to be able to move around. If you break it down to those basics, that’s what everything in security needs to do, really.

If we can start to move to this bubble, to say, “We know what our data is, we know who our users are, and we know who they’re going to interact with.” Then we can allow people and organizations the flexibility to do what they want and only block the high-risk events within that.

If your data leaves the bubble, and it’s just, “Hey, do you want a cup of tea?” kind of communication, obviously you’re not going to worry about that. If it’s something that contains risky data, then we’ll worry about that. We’ll block that.

But we have to stop thinking about application-level security and start thinking a lot bigger and more strategically about security. We may have to stop and ask the business, “Where are you going? What are you doing?” But they don’t know yet. And also, as COVID has shown us, sometimes nobody knows where we’re all going.

Gardner: Right. We need to be prepared for just about anything and also be able to react quickly, so you can’t be knee-jerk and react to every app or system differently. As you point out, you need to be strategic.

And so, part of being strategic, for an organization such as yours, because you’re supported by donations; you’re a non-profit -- you need to be cost-efficient as well. So again, it’s a balancing act between cost efficiency and being strategic about security. How is that something you’ve been able to manage?

A wise spend supports smart security

O’Neill: Well, I don’t believe they’re in conflict. If we look at organizations -- I won’t name them -- that are huge and have very big budgets, who spend tens of millions on their cyber security -- they have huge teams, and they still get breached. The amount that you spend doesn’t necessarily create a graph to greater security.

Spending intelligently does, and it all comes from focusing on risks. If you sit there and you say, “You know what we have to do, we have to go through the top 20 NIST or CIS methods or recommendations,” or whatever, “and we’re going to supply the best product on the market for each of those, and check the box.”

Firstly, you potentially throw a load of money away because in the end you don’t actually need it all. The spec says, “Oh, you need MFA and a WAF.” Well, actually, it’s not an MFA that you need, it’s not a WAF that you need.

What are the risks that those products are mitigating? And then, what is the best way to mitigate the product risks? It all comes down to that, when you sit back and you look at what we do for a living in information security. 

We talk a lot about burnout in information security and wellness. It’s because people keep chasing their tails. Every day, there’s a new headline about a breach or a new zero day or a new technique -- or whatever it may be -- and everyone starts worrying about it. What do we do to protect against this?

But it’s about assessing the risk. And from a risk perspective, all the rest of it stays the same to a certain degree. It’s very rare that a new zero day fundamentally changes your risk.

Gardner: You bring up an interesting point. Not only are you concerned about the comfort and sense of security for your end users, but you also need to be thinking about your staff. The people that you just mentioned who are increasingly facing burnout.

Throwing another tool at them every three months, or asking them to check off 16 more boxes every time a new system comes online, is going to be adverse to your overall security posture. Is there something you look for in how you tackle this that also accommodates the needs of your security staff?

Monitor what matters

O’Neill: You’ll have to ask them -- but they all still have their hair. Yeah, organizations often talk about insider threats. I think it’s a terrible thing to be talking about because it’s such a small percentage. A lot of organizations treat their employees as part of the problem, or almost an enemy that needs to be monitored constantly. I don’t care if you’re on Facebook at all.

I care if you’re trying to download something malicious from Facebook or upload something like that to Facebook. But the fact that you’re on Facebook is a management issue, not a cybersecurity issue. We do not monitor things that we do not need to monitor.

For example, we were getting a weekly report from one of our security products. It was typically a 14-page report that basically patted itself on the back by saying how great it had been. “This is everything I’ve blocked,” it said. And a member of my team was spending pretty much a day going through that report. Why? What possible gain came from looking at that report?

The real question is … Once you read the report, what did you do with the information? “Nothing, it was interesting.” “But what did you do with the interesting part? “Well, nothing.” Then don’t do it. Everything has to have a purpose. Even to the smallest degree. I had a meeting this morning about policies. Our acceptable use policy document is, I think, 16 pages long.

Come on. It doesn’t need to be 16 pages long. I want two pages, tops. “Do this, don’t do that, or absolutely don’t do this.”

We have a mobile device policy that everyone has to sign up to. … We have a mobile device manager. You can’t connect to systems unless your operating system is up to date, all of this sort of stuff. So why have we got a policy that is seven pages long?

Say what you can and can’t do on mobile devices. Then all we need to say is, “You’ll have to adhere to the policies.” All of a sudden, we’re making everyone’s life easier. Not just the information security teams, but the normal end users as well.

It is all about working out what’s actually valid. We’re very good in information security at doing things because that’s what we’ve done, instead of thinking.

Gardner: I’m hearing some basic common threads throughout our discussion. One is a fit-for-purpose approach, sort of a risk-arbitrage approach, simplicity whenever possible, and increasingly having the knobs to dial things up and down and find the proper balance.

To me, those increasingly require a high level of analysis and data, and a certain maturity in the way that your platforms and environment can react and provide you what you need.

Tell me a little bit about that now that we’ve understood your challenges. How did you go about a journey to finding the right solutions that can accommodate those security analysis and strategy requirements of granularity, fit-for-purpose, and automation?

Streamline your team’s efforts

O’Neill: When we go to market for a security product, usually we’re looking at a specific issue that we’re trying to fix and control. A lot of the products will do the job that you want them to do.

But there are a few other things we look for. Can my team log into it and very quickly see what is important? Can we go from seeing that to the action that needs to be taken? How quick is that journey?

When somebody is demonstrating the platform, for me, my question is always, “How do I get from seeing it to knowing that it’s actually something I need to do, to then being able to do something about it?” That journey is important. Loads of products are brilliant, and they have a pretty interface, but then they fall apart underneath that.

And, the other thing is, a lot of these platforms produce so much information, but they don’t give it to you. They focus on just one element. What value-add can I get that the product might not deliver as a core element, but that actually enables me to easily tick off my other boxes as well?

Gardner: Can you describe what you get when you do this right? When you find the right provider who’s giving you the information that you need in the manner you need it? Are there some metrics of success that you look for or some key performance indicators (KPIs) that show you’re on the right track?

O’Neill: It’s always a bit difficult to quantify. Somebody asked me recently how I knew that the product we were using was a good one. And I said, “Well, we haven’t been breached since using it.” That’s a pretty good metric to me, I think, but it’s also about my team. How much time do they have to spend on this solution? How long did it take to get what you needed?

We have an assumed-breach mentality, so I expect the first job of the day is to prove to me that we have not been breached. That’s job one. Next, how quickly can you tell me that from the time you turn your computer on? How much of the time do you end up looking at false positives? What can the product do every day that helps us get a bit better? How does that tool help us to know what to do?

Gardner: We began our discussion today by focusing on the end user being in a very difficult situation in life. Can we look to them, too, as a way of determining the metrics of success? Have you had any results from the user-experience perspective that validate your security philosophy and strategy?

Inspect end-user behavior, feedback

O’Neill: Yes. Obviously, we interact constantly with the people that we support and look after. It is the only reason we exist. If I do anything that is detrimental to their experience, then I’m not doing my job properly.

We go back and we do ask them. I personally have spent time on phone lines as well. I don’t sit within my little security bubble. I work across the organization. I’ve been on the streets with the bucket collecting donations.

We have very good relationships with people that we have supported and continue to support. We know because we ask them how it felt for them. What works for them, what doesn’t work for them? We are continually trying to improve our methods of interaction and how we do on that. And I’m constantly trying to see what we can do that makes that journey even easier.

We also look at user behavior analytics and the attack behavior analytics on our websites. How can we make the experience of the website even smoother by saying, “We’re pretty sure you are who you say you are.” Are they going to the same places? Are you changing your behavior?

And I can understand the behaviors and even how people type. People use their keyboards differently. Well, let’s look at that. What else can we do to make it so that we are sure we are interacting with you without you having to jump through a million hoops to make sure that that’s not the case?

Gardner: You mentioned behavior and analytics. How are you positioning yourself to better exploit analytics? What are some of your future goals? What are the new set of KPIs a few years from now that will make you even more strategic in your security posture?

Use analytics to lessen user interruptions

O’Neill: That’s a really good question. The analysis of user behavior linked to attack behavior – that and analysis of many other elements is going to become increasingly important for smoothing this out. We can’t keep using CAPTCHA, for example. We can’t keep asking people to identify fire hydrants that are within 30 centimeters of a dog’s leg. It’s absurd.

We have to find better ways of doing this to determine the true risk. Does it matter if you’re not who you say you are until we get to the point that it does? Because, actually, maybe you don’t want to be who you are for a period of a conversation. Maybe you actually want to be someone else, so you’re disassociating yourself from the reality of the situation. Maybe you don’t want to be identified. Do we have to validate all of the time?

I think these are questions we need to be asking. I think the KPIs are becoming a lot more difficult. You have to base them around, “Did we have any breaches?” And I think with breaches we separate our information governance from the information security, but they’re brothers from one another, aren’t they?

The information governance leak shouldn’t happen with good information cyber security, so we should expect to see a lot fewer incidents and no near misses. With the best interaction KPIs, we should be seeing people get in touch with us a lot quicker, and people should be able to talk to the right people for the right reason a lot quicker.

Our third-party interaction is very important. As I said, we don’t offer any medical services ourselves, but we will pay for and put you in touch with organizations that do. We have strategic partnerships. To make that all as smooth as possible means you don’t need to worry who you’re talking to. Everything is assured and the flow is invisible. That kind of experience -- and the KPIs that matter the most for delivering that experience – provides well for the person who needs us.

Gardner: Any closing advice for those who are moving from a security perimeter perspective toward more of a security bubble concept? And by doing so, it enables them to have a better experience for their users, employees, and across their entire communities?

Dial down the panic for security success

O’Neill: Yes. This is going to sound a bit odd, but one of the most important things is to conceptualize, and to take the time, to challenge my team. What is the gold standard? What is the absolute? If we had all the money in the world and everything worked, what is the perfect journey? Start from there and then bring it down to what’s achievable or what elements of it are achievable.

I know this sounds odd but stop panicking so much. None of us think well when we’re panicked. None of us think well when we’re stressed. Take the time for yourself. Allow your team to take the time for themselves. Allow their brains the freedom to flow and to think.

And we’ve got to do what we do better. And that means we have to do it differently. So, ask questions. Ask why do we have endpoint protection? I’ve got this, I’ve got that, I’ve got all these other things. Why have we got something on every endpoint, for example? Ask that question.

Because at least then you have validated what it is truly for and better know the amount of value it has, and therefore the proper amount of effort it needs. Stop doing things just by ticking off boxes. Because as an ex-hacker, let’s call it, I know the boxes that you tick. You tick all those boxes; I know how to bypass those boxes. So, yeah, just take time, think, conceptualize, and then move down to reality. Maybe.

Gardner: Be more realistic about the situation on the ground, rather than just doing things because that’s the way they’ve always been done?

O’Neill: Yes, absolutely. Understand your risk. Understand what you are actually having to support. The fortress approach doesn’t work anymore. The proliferation of software as a service (SaaS) applications, the desire to allow everyone to perform to their best within and outside of an organization – that means allowing people flexibility to work in a way that best suits them. And you cannot do that with a fortress.


Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: Bitdefender.