Securing the MSP: best practices for vetting cybersecurity vendors

Securing the MSP: best practices for vetting cybersecurity vendors

Ironically, to keep costs low for their enterprise and mid-market clients, managed service providers (MSPs) are some of the most reliant on third-party vendors—including those providing security. While this is generally not an indication of dysfunction or vulnerability, the responsible MSP will be looking with a critical eye while vetting cybersecurity vendors to evaluate how they might increase the organization’s attack surface—especially with the uptick in targeted attacks over the last few months.

So how should an MSP—or any organization, for that matter—evaluate cybersecurity vendors not just for budget and effectiveness, but also security posture? And how can MSPs continue to monitor their security partners as product features and organizational needs change over time?

What’s concerning from a Chief Security Officer’s (CSO’s) perspective is the veneer of legitimacy many cybersecurity vendors are capable of producing: Scammy security companies generally have slick, professional websites, convincing sales engineers, legions of onshore support administrators, and almost invariably, one or more executives with ties to a government intelligence agency, whether in the US or abroad.

Given that almost all cybersecurity companies on the market strive to project an image of professionalism, how can a CSO sort out companies that are a value add from those with a less than legitimate business model? And what about the companies that are above board, but just not very good? Let’s take a look.

The ugly cybersecurity vendors

Most harmful to a business in the long run are the cybersecurity vendors who either don’t do much, or have a business model that skirts the edge of the law. The simplest and most cost effective way of avoiding these companies is conducting a community temperature check.

Bad vendors tend to acquire a collective disapproval in the infosec community long before their business model fails. A quick Twitter or Google search of the vendor name can often reveal detailed accounts by analysts who have used them and can provide candid assessments.

But the gold standard for a temperature check is to ask your own team. Cross-pollination of infosec personnel is at an all time high. As such, your team most likely has a broad range of experience with multiple vendors on a host of platforms.

Your team can provide invaluable data, like added operations costs over the long term, company billing practices, and interoperability with existing systems. They can also tip you off on issues with vaporware; generally defined as giving the appearance of having a product/feature, which is in reality much more limited or even non-existent.

Like most vendors of higher quality, the ugly will also have former intelligence agency personnel to give themselves a veneer of authority and competence. A question that rarely gets asked, though, is “Which agency?” Is it an agency with a formal mandate for addressing cyberthreats, with an established university pipeline and well-regarded reputation? Is it an agency whose cyber division was stood up relatively recently, with repurposed employees from other departments?

Further, how relevant is that experience to your business needs? If the majority of your security losses are coming from phishing and malvertising, is having access to analysts experienced in state-sponsored intrusions really relevant?

The bad cybersecurity vendors

Some infosec vendors really do try their best to provide a valuable product to the end user, but still fall awfully short of the mark. The problem here isn’t that they’re not trying to deliver a good product—it’s that they don’t necessarily understand what “good” is to you.

In the public sector, intelligence is often defined as information that is timely, accurate, and relevant. This applies to cyberthreat intelligence derived from security products as well. If you kick out any one of the legs on the threat intelligence tripod, you’re left with a platform too unstable to make any reliable judgement on cyber risk.

An organizational threat delivered to SOC personnel in a timely manner that hasn’t been vetted (i.e. is inaccurate) is not intelligence. Threat data that is timely and accurate, but not adapted to your business vertical (i.e is irrelevant) is also not intelligence.

What these threat alerts amount to tends to be a drag on organizational resources, as in-house security personnel are tasked with vetting ever-increasing quantities of data that don’t address business needs. Don’t those tier-two SOC techs have better things to do than retrace vague, un-targeted analysis?

Bad cyberthreat intel vendors often correctly identify the desired end goal of intelligence, but lack an understanding of appropriate methodology. Again, these companies often out themselves as undesirable with a quick community check.

A poorly-sourced, unreviewed report using inflated claims will quickly reveal itself as such when the infosec community reviews the content. Timely, accurate, and relevant threat data will be shared, retweeted, and commented upon much more frequently then less useful sources. Pausing for a moment to see how other organizations have integrated threat data being offered to you can provide a valuable check against letting a bad vendor slip through the cracks.

Some questions to ask the sales engineer:

  • How will this data be tailored to my organization?
  • How is the data delivered to us, and if it’s a portal, what is your upgrade release schedule?
  •  And most importantly: How do you vet your sources?

Note: do not accept “We have to protect our sources and methods.” This is a phrase borrowed from government intelligence, who generally uses it in situations involving threats to human lives. More commonly, it’s used to express sentiments akin to “I’m not going to tell you because I don’t want to, don’t know, or it would embarrass me.”

The good cybersecurity vendors

unicorn

Here’s the most difficult category and the holy grail for augmenting your security team: a company that delivers well-targeted services to your organization in a manner that is timely, accurate, and relevant. The catch here is that to properly spot the good company, your own organization has to have timely, accurate, and relevant defined down to a T. This brings us to the last and most important aspect of vetting: metrics.

Certain companies can provide an awfully impressive “real-time demonstration” of the product, sometimes offering you a head-to-head with competing products. They might reference the number of threats detected, speed of detections, analysis, or number of endpoints providing data.

There is a barrage of cybersecurity metrics available to benchmark performance, so how do you know which are valuable? The answer is: none of them. The only metric relevant to evaluate security performance is that which has been generated by your own team against a mature risk tolerance posture. Vendor metrics can’t possibly address the various risk tolerances of all their customers and therefore can’t be relevant to how they would perform for you. Once you know your own metrics, evaluating vendors can be a piece of cake. (And requires much fewer meetings.)

Some questions to ask the relationship manager for a great vendor:

  • How can I share feedback from my security team?
  • When can we revisit my business needs?
  • What improvements do you have planned for next quarter?

To sum up, vetting vendors doesn’t have to be painful—as long as you know your own risk tolerance posture, and have a mature communication channel with your own security team.

ABOUT THE AUTHOR

William Tsing

Breaking things and wrecking up the place since 2005.