Cybersecurity landscape: The state of managed security services, 2022

Stretched thin with supporting cloud infrastructure, digital-first business initiatives and ongoing virtual workforce projects, IT and cybersecurity departments are turning to managed security service (MSS) providers to help close gaps in their cybersecurity infrastructure. In one year alone, the MSS industry grew 9.8% [subscription required], reaching $13.9 billion in revenue. A core segment of MSS is managed detection and response (MDR), which grew 48.9% last year. 

Cybersecurity strategies are business decisions first 

MSS providers provide a wide variety of third-party professional monitoring and management services designed to protect their clients’ IT infrastructures from breach attempts and cyberattacks. Their services provide 24/7 protection of all client IT assets, and many have developed unique approaches to identifying, isolating and neutralizing risks and threats. 

The exponential increase in threat surfaces created from more machine identities being created faster than many organizations can track, combined with new digital-first business initiatives, has made cybersecurity a business decision first and an IT one second. As a result, an MSS solution is designed from the ground up to provide the operational, management and security technologies needed to drive business outcomes. 

Leading MSS providers have solid track records delivering log management, exposure assessment and management, monitoring, endpoint security and implementation security technologies. However, their perspective on zero-trust network access (ZTNA) is tempered by their clients’ pragmatic needs to achieve business goals while adopting the framework. MSS providers are also seeing strong demand from all customers for virtual workforce support, as many IT and cybersecurity departments face burnout from the fast-growing volume of complex work that needs to be done.

The state of managed security services 

Of the many MDR providers competing in the managed services arena today, Pondurance stands out for its innovative use of artificial intelligence (AI), full transparency and range of cybersecurity services, all strengthened with trained, expert threat hunters. The company’s threat analysts have thwarted breaches, ransomware and sophisticated social engineering attacks simultaneously aimed at multiple threat surfaces. 

VentureBeat recently talked to Pondurance’s Ron Pelletier, founder and chief customer officer, and Lyndon Brown, chief strategy officer. Pondurance’s focus on highly regulated industries – including healthcare and financial services, which are under attack by cybercriminals, organized crime gangs and advanced persistent threat (APT) organizations – provides them with a deep understanding of the specific threats facing organizations in those industries. The company also has insight into the systems those organizations have to protect, and the ongoing risks they need to manage. 

VentureBeat: Which cybersecurity threat factors are most influencing the current and future growth of the MDR and MSS marketplace?

Ron Pelletier: We have to consider two factors driving the MDR market – the business aspect and the threat aspect. On the business front, one of the risks, believe it or not, is related to understanding who your MDR or MSS provider is because MDR is a hot topic, and some providers out there want to capitalize on the term to be relevant. Just because a vendor says they do MDR, do they? I think companies must go through a due diligence process to know they’re getting a true MDR solution. From a cyberthreat perspective, what’s interesting is that we’ve seen controls like multifactor authentication, or MFA, be very effective, which has led threat actors to demonstrate that they’re enterprising.   

Lyndon Brown: They want to find ways to get around MFA or other effective controls like EDR [endpoint detection and response] and ensure they can still monetize and succeed in their efforts. We see a couple of different things here: Advanced attackers are putting much effort into zero-day type exploits, trying to reverse-engineer technologies and conduct direct exploits. Whether it’s an edge device or a security solution like MFA, if they can get through that, they can circumvent the controls that have been stopping them from breaking in previously. Lately, VPN appliances are getting attacked and undermined, providing a direct path to the inner systems, especially if MFA hasn’t been implemented across the organization. So, we continue to see the true enterprising nature of threat actors.

VentureBeat: How will MSS evolve its approach in future service offerings to respond to current and future threat factors?

Pelletier: So one thing we know is that as long as threat actors are living, breathing, human beings, you’re always going to need human beings on the defense side. Technology has certainly advanced over the decades, specifically in MDR over the last few years, and our platform has advanced, too. We’ve built it to be extensible, cloud-native and scalable to expand and meet our customers’ future needs. We know that threat actors, techniques, tactics, et cetera, will change over time, so being able to have durable security is critical. Machine learning and other capabilities help to ensure our MDR service is resilient, and our team is always learning and training for greater resiliency when detecting today’s threats and anticipating how they are evolving.      

Brown: Machine learning and automation for us always encompass technology and people development simultaneously. On the people side, enabling and training our analysts to further their knowledge and apply it to securing clients is key. We need analysts who can connect the dots between disparate pieces of information and efficiently apply their intuition. Some things we know will remain a challenge, particularly around threat actors being motivated to gain access to networks. Furthering our risk-based approach and continuing down the path of applying machine learning in combination with human intelligence remains core to how our MSS and MDR service offerings address current and future threats.

VentureBeat: How is MDR maturing in response to the growing number and threat of ransomware attacks today?

Pelletier: The key for an MDR and MSS solution is that it’s got to be flexible and dynamic. It can’t be static. The end state is not simply deploying an MDR solution. Lyndon mentioned the human element, and both the technology and the humans using it have got to evolve and continue to intake all kinds of data. And not just the technology feeds flowing in from the embedded machine learning and AI, but also threat intelligence that may be ascertained through other channels. I’ll give you an example. I just presented to a board today about an incident in which a cryptomining attack was underway. This was before they had fully deployed an MDR solution. We were able to take action on a piece of intelligence and get rid of [a threat] before it effectuated into something more of an incident.

VentureBeat: Can ransomware be thwarted by AI machine learning and threat hunters with expertise in identifying and neutralizing threats?

Pelletier: It can, and AI has come a long way. In the true sense, it’s still fairly narrow in its capability. It’s extended programming. Bringing better visibility to threats is how we compete and is core to the future of managed security services. The bad actors are also going to start employing technologies like AI. And so we almost have a countering effect where, as Lyndon stated, human health becomes much more important. So yes, I think that there is merit in using AI. We’ve proven that with EDR solutions, we’re now surpassing 90% effectiveness in preventing malware. However, we must remember that bad actors use the same techniques to get around them.

VentureBeat: How is Pondurance capitalizing on its approach to MDR and MSS to help clients quantify and reduce risk better?

Pelletier: We’re making sure that the end state is not simply deploying a solution or deploying technologies for the sake of it. We have to make sure we right-size the environment. What we bring to the table is a very astute and competent advisory program in terms of a virtual CISO, or vCISO, a true security competency that can help establish and understand what our clients have to protect so the right technology can be pointed at the most valuable assets. So this advisory service component becomes very important and highly complementary to MDR.

VentureBeat: How are you assuring operations leaders, including COOs and CEOs, that your approach to MDR fits well with their changing cybersecurity needs and even their legacy tech stacks?

Pelletier: We’re stressing the dynamic nature of our MDR service; not resting on what’s deployed but continually taking in a lot of different threat-data sources, whether it’s threat bulletins or certainty indicators of compromise, feeding these into the solution and then making sure that there’s visibility. We also provide an additional advisory component to look at and evaluate risk, including extending the solution to ensure we’re covering all points of a customer’s data assets. Making sure we have a full inventory of the systems and all of the components that comprise your extended network, assuming that there could be changes, is critical. 

Brown: Structurally, we acquired a product and technology called MyCyberScorecard last year, and this is now part of the solution we offer to help customers understand their cybersecurity gaps, any compliance shortcomings and why it is worth protecting what their policies are. We can also help them benchmark their security posture against their own past security assessments or their results against their peer group to help them understand what is at risk.

VentureBeat: Do your customers ask you to design metrics on risk management into their implementation so they can build their business cases with the data to justify spending more?

Pelletier: We’ve found that attempting to quantify risk can be overburdening. We use the CSF framework, the cybersecurity framework, as a good baseline because we can map various control elements from regulatory mandates and other things, looking at it from a qualitative perspective. We also try to rate maturity based on implementation factors and the way the control works, and how quickly the customers’ operations are maturing or not. The key is not getting mired down too far on quantifying risk likelihood and impact. If you can qualitatively assign risk with terms like “likely” and “high,” then you can still measure the outcome based on the effectiveness of controls. That’s where we feel metrics come more into play in more pragmatic terms.

VentureBeat: What are the most valuable lessons you’ve learned from integrating MDR technologies, including AI machine learning and your unique approach to professional threat hunting?

Pelletier: Technology alone can’t solve cybersecurity; it takes human judgment, too. We continually train and grow our elite set of threat hunters operating with data in real time. Our ability to identify previously unknown threats, leverage machine learning or use it to surface things of interest is also the other piece of it. Customers are partnering with MDR providers to focus on their core business and be good at what they’re doing. Whether it’s a hospital, manufacturing plant or financial services company, their business is not secure, and our business is. It’s not feasible for every organization to know all the technical nuances of threat actors and their campaigns and the nuances of the various technologies and capabilities to which machine learning models might apply; that’s our job. And that’s why it’s very important to partner with the right organization. They should become an extension of your team with the specific competencies required to be effective.

VentureBeat: And how flexible are your customers about bringing new security technologies to you and asking them to be integrated into your MSS framework?

Pelletier: A good example is endpoint security technologies. MDR customers generally select EDR providers and then select us because we will help them make the best cybersecurity design decisions to drive their business growth. So we’ve made many design decisions and done much analysis, and we’re bringing a core tech stack to the table – often a combination of our technologies and best-of-breed solutions – designed to address what they need. At the same time, we give them flexibility in terms of assimilating and using the data from existing technologies.  

Brown: I can highlight one area of cybersecurity that helps or makes us stand out, be differentiated, and add value: data lakes and their implications on clients’ cybersecurity. We want our clients to see it in the same way that our analysts see it so that they can make data-driven decisions. They may use a data lake for operational purposes, but our focus is on securing it. Consistent data is key, so we’re all looking at the same results through the same pane of glass.

VentureBeat: What types of SLAs do you operate regarding service continuity, reliability and customer satisfaction? 

Brown: Yes, we do a couple of things there. The first thing we do is put our money where our mouth is. In our contracts with our customers, we credit them if there’s a scenario where we cannot meet their stringent availability requirements. As a result, our internal requirements are far above industry average as measured by availability, responsiveness, ability to reduce downtimes, and how quickly we flex or adapt to our clients’ changing business requirements. To exceed those numbers and stay excited about our ability to achieve our internal benchmarks, we leverage our platform to measure the different aspects of client engagements while seeking new ways to streamline our teams. This ensures the right information is available to analysts at the right time, and we make sure that the information is presented in an easily consumable way. All these aspects of our business are achievable because we built them into our platform; we have visibility into how we’re performing and can ensure that we’re continually moving the needle to make our team more effective in meeting and surpassing client goals.

VentureBeat: What are the most significant challenges in providing MDR services to clients with extensive multicloud architectures?

Pelletier: We’ve seen a couple of things regarding the growth and rapid acceleration of cloud adoption over the last few years. Clients are more focused on multicloud configurations, recognizing that an outage in one cloud can be a security risk across the entire infrastructure. We’re seeing customers define cloud roadmaps with greater precision, too. An area of specific focus is getting more value from their AWS investments, specifically in packet mirroring.

Brown: We’re seeing a different feature set for what cloud platforms will need to provide four years from now. The shared responsibility model is core to defining cybersecurity business cases in the cloud. However, the cloud is inherently insecure and needs to clearly define how the shared responsibility model will be used on a customer-by-customer basis. Having shared, hybrid clouds secured at the infrastructure and API level is also essential. We’re investing in R&D to ensure our customers can have secured hybrid cloud configurations, and it’s an area paying off today.

VentureBeat: Why are AI and machine learning so well-suited for the future of MDR/MSS, and what needs to improve these technologies to make them more valuable for solving complex MDR challenges?

Brown: AI and machine learning are well-suited based on the volume of data that exists in security. As organizations adopt more controls in a more diverse infrastructure, attackers get better at hiding between the seams, making visibility and observability critical across our platform. There’s so much data that it’s just not plausible [or] reasonable to expect the human to be able to sort through all of it. So that’s where these statistical-based methods, such as machine learning and AI, come into play. 

Many threats leverage heterogeneous methods, making multiple inputs and data sources necessary. Making it more challenging, the logic behind each potential threat is conditional. What humans are good at is making complex logic trees and applying intuition. And that’s an area where machine learning is still early in its evolution and overall adoption rate, but we’re very excited about what we’re seeing in research and development today.

VentureBeat: No interview about cybersecurity is complete without zero trust. So what’s the future of zero trust related to the MDR landscape?

Brown: Our customers see value in the concept because of the visibility and control it brings to diverse networks, and the concept that implied trust creates network weaknesses. The more trust there is in any network integration point, the more fallible and breachable it potentially becomes.

The least privileged access granted per resource, per session, is the way to go. Assuming trust across networks, apps and cloud platforms allows bad actors to attack valuable resources. However, we’ve learned that we can’t be complacent with cybersecurity technology and zero trust. We have to assume that attackers will gain access through business, email compromise or other means. How companies work with MDRs and MSS providers to solve that challenge will make the difference between ending up in a headline or not.