Ahead of RSA, SECDO has announced the availability of the SECDO Platform for Managed Security Service Providers (MSSPs). It is designed to give MSSPs an underlying platform for the Security Operations Centres (SOCs) that many of them are now building. This is a growing market: in a blog post on the SECDO website the company cites a Frost & Sullivan report that puts it at $3.25 billion by 2018.
Driving this growth is the fact that enterprise customers of all sizes are beginning to realise that they cannot deal with cybersecurity on their own and want to outsource the problem to their service provider. The challenge for the MSSPs is how to scale their services as they take on new customers. Few want to develop a solution from scratch given the cost and complexity of doing so, and that is the gap SECDO is targeting.
What does SECDO for MSSPs deliver?
The challenge for any SOC is response time. SECDO is focusing on improving the SOC's overall ability to detect, filter, assess and remediate attacks. With the volume of attacks continuing to rise, this means not only telling false positives from real attacks but doing so while handling ever-increasing numbers of alerts.
Once an alert fires it is not enough simply to mark it for investigation. Many attacks are multi-layered, so it is important to track the alert and see whether it is related to other attacks. At the same time, because attacks spread peer-to-peer from machine to machine once inside an enterprise, any attack must be fully mapped. This lets the security team discover the initial point of infection, uncover how the attack is spreading and make sure they clean every infected device on the network. To do this SECDO provides a visualisation engine that lets security teams see the scope and impact of an attack.
Visualisation is also useful when decomposing a multi-layered attack, as it will often reveal unexpected relationships between attacks and infections. SECDO keeps 100 days of thread-level endpoint and server activity live in its system. This is not aimed at tracking Advanced Persistent Threats (APTs), which operate over longer timescales, but at dealing with new types of attack.
Earlier this week Dell Security researchers discussed their detection of an exploit kit called Spartan. It worries researchers because it never writes the exploit code to disk: the base code is a highly encrypted package that builds its payload in memory on the local device, which evades the vast majority of protection software. Because it retains thread-level history, SECDO can give the SOC deeper insight into endpoint activity and into attacks by this new generation of in-memory, shape-shifting malware.
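To make the attack-mapping idea above concrete, here is an added example that is not SECDO's code and does not use SECDO's data format (the announcement does not describe either). It takes a small set of constructed endpoint process and network events, walks back from an alert to the earliest ancestor that ran with no file on disk (the in-memory pattern the Spartan discussion describes), then walks forward across a heuristic lateral-movement link to list every affected process and host. The event schema, the sample telemetry, the service-spawn heuristic for lateral movement and the 30-second correlation window are all assumptions made for this example.

```python
"""Map an attack from endpoint telemetry: trace an alert back to its
initial infection point, then forward to every affected host.

Constructed example; the schema, sample data and heuristics are
assumptions, not SECDO's format or logic."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed telemetry. A process is identified by (host, pid).
# image=None marks code that ran with no backing file on disk.
PROCESS_EVENTS = [
    {"ts": "2015-04-20T09:00:00", "host": "ws01", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"ts": "2015-04-20T09:01:00", "host": "ws01", "pid": 200, "ppid": 100, "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"ts": "2015-04-20T09:01:30", "host": "ws01", "pid": 300, "ppid": 200, "image": None},
    {"ts": "2015-04-20T09:02:00", "host": "ws01", "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2015-04-20T09:00:00", "host": "srv01", "pid": 50, "ppid": 1, "image": r"C:\Windows\System32\services.exe"},
    {"ts": "2015-04-20T09:02:40", "host": "srv01", "pid": 60, "ppid": 50, "image": r"C:\Windows\PSEXESVC.exe"},
    {"ts": "2015-04-20T09:02:45", "host": "srv01", "pid": 70, "ppid": 60, "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2015-04-20T09:00:00", "host": "ws02", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"ts": "2015-04-20T09:30:00", "host": "ws02", "pid": 500, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe"},
]
# Outbound connections (constructed). The ws02 entry is benign noise that
# must not be linked to anything on srv01.
NETWORK_EVENTS = [
    {"ts": "2015-04-20T09:02:30", "host": "ws01", "pid": 400, "dst": "srv01", "dport": 445},
    {"ts": "2015-04-20T09:30:00", "host": "ws02", "pid": 500, "dst": "srv01", "dport": 80},
]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def build_graph(process_events, network_events, window=timedelta(seconds=30)):
    """Return (procs, parents, children) keyed by (host, pid).

    Edges are process creation within a host, plus a heuristic lateral edge
    from a process that connected to a remote host to any process started
    there by the service control manager within `window` of the connection
    (the trace a remote service-execution tool leaves behind)."""
    procs = {(e["host"], e["pid"]): e for e in process_events}
    parents, children = defaultdict(set), defaultdict(set)

    def link(parent, child):
        parents[child].add(parent)
        children[parent].add(child)

    for key, e in procs.items():
        parent = (e["host"], e["ppid"])
        if parent in procs:
            link(parent, key)

    for n in network_events:
        src, t0 = (n["host"], n["pid"]), _t(n["ts"])
        for key, e in procs.items():
            parent = procs.get((e["host"], e["ppid"]))
            if (e["host"] == n["dst"] and parent is not None
                    and parent["image"] and parent["image"].lower().endswith("services.exe")
                    and t0 <= _t(e["ts"]) <= t0 + window):
                link(src, key)
    return procs, parents, children


def _reach(start, adjacency):
    """Breadth-first closure of `start` over one adjacency map."""
    seen, queue = {start}, deque([start])
    while queue:
        k = queue.popleft()
        for nxt in adjacency.get(k, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def initial_infection(alert, procs, parents):
    """Earliest process in the alert's ancestry (alert included) that ran
    without a file on disk; None if the whole chain is file-backed."""
    fileless = [k for k in _reach(alert, parents) if procs[k]["image"] is None]
    return min(fileless, key=lambda k: _t(procs[k]["ts"])) if fileless else None


def investigate(alert, process_events=PROCESS_EVENTS, network_events=NETWORK_EVENTS):
    """Root-cause an alert and enumerate everything reachable from the root."""
    procs, parents, children = build_graph(process_events, network_events)
    root = initial_infection(alert, procs, parents) or alert
    hit = _reach(root, children)
    return {"root": root, "hosts": sorted({h for h, _ in hit}), "processes": sorted(hit)}


if __name__ == "__main__":
    # An alert on cmd.exe on the server traces back to the in-memory payload
    # inside the browser on ws01 and forward to both hosts; ws02 stays clean.
    print(investigate(("srv01", 70)))
```

The forward walk is what turns one alert into a remediation list: every process reachable from the root, on every host, is what has to be cleaned, and hosts with no path from the root (ws02 here, despite having talked to the server) are left out rather than swept up by a host-level blocklist.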
According to Shai Morag, CEO and Co-Founder of SECDO: “With SECDO’s endpoint analytics, MSSP SOC teams can now understand the full context of every alert, visually investigate, and reduce the time and resources needed to identify and eradicate a breach.”
Developing a SOC is an expensive undertaking for an MSSP. They need to build software capable of detecting what is happening on client devices, and at the same time they are in a war for the best talent in the cybersecurity market. Last year IBM announced that it had added over 1,000 security researchers worldwide to its security team. Multiply that by the number of security companies in the market, factor in the shortage of available skills, and it is easy to see why the cost of attracting staff is a major problem.
The interesting part of this announcement is the retention of thread-level data. This gives SECDO customers an edge over other security offerings in the market. Being able to visualise attacks will also make it easier to understand the impact of an attack and help MSSPs remediate customer systems faster.
What is missing from this announcement, and is not clear from the SECDO website, is how SECDO works with the rest of the threat intelligence industry. Over the last year there has been a lot of work on sharing threat data through common standards such as STIX and TAXII. SECDO does not appear on the user list for either, and does not list any other threat exchange group of which it is a member. This is not something that can be left to the MSSP, as integrating and sharing threat data is a platform issue. Hopefully it will be addressed in future releases.