How an acute shortage of cyber talent gave rise to 'spooks as a service'

flickr/Martin Fisch

At the RSA Security Conference last year, companies large and small were trumpeting the spy agency connections of senior staff as never before. Startups in areas like 'threat intelligence' and endpoint protection touted their executives' experience at three-letter agencies as a precursor to conversations about the scourge of advanced threats and attacks.

Yet the big story about cyber talent that emerged in 2014 – at the RSA Security Conference and elsewhere – was of scarcity rather than abundance. Finding experts with experience identifying and analyzing sophisticated cyber threats is a herculean task. Hiring them is even harder, and few organizations can afford an internal team of cyber forensic experts to stand at the ready.

In its Annual Security Report for 2014 (registration required), Cisco Systems found that the problem of sophisticated and stealthy compromises is exacerbated by a shortage of more than one million security professionals worldwide. "Most organizations do not have the people or the systems to continuously monitor extended networks and detect infiltrations, and then apply protections, in a timely and effective manner," according to the report.

"The number one issue I hear is 'we can't find the people,'" said Mike Rothman, an analyst at the firm Securosis. "And I'm talking about guys who can configure IPS (intrusion prevention system) boxes, not malware analysis," Rothman said. He was speaking on a panel discussion focused on incident response at an event hosted by the investment-banking firm Americas Growth Capital.

The answer, increasingly, is to turn to the cloud for help. Recent years have seen the rise of companies like CrowdStrike that marry endpoint- and network-behavior monitoring for 'indicators of compromise' with data analytics services hosted in the cloud.

That approach has merits – especially as IT environments have become more open and user activity is no longer confined to a limited set of endpoints deployed behind a corporate firewall. But threat intelligence services have their limits – especially in the area of threat mitigation. Security pros note that meaningful recommendations for mitigation demand context about the environment being protected.

"There's a lot of interesting innovation of what's going on with threat intelligence," said Ted Julian, the Chief Marketing Officer at Co3 Systems. "But all of that only matters if you can act on it. This is complicated stuff, and it requires a very different set of skills."

Co3 offers a web-based software platform that allows companies to take threat intelligence and inputs from other security tools, such as security information management tools, and create a detailed incident response plan that is specific to that company.

A number of other security firms address different parts of what's generally termed 'incident response.' These new offerings – think of them as 'spooks as a service' – typically combine some degree of network and endpoint monitoring with a cloud-based management platform to gather and analyze data against data aggregated from other customers and third-party threat intelligence. Advocates see the new services as one way to address an acute shortage of cyber talent.

The endpoint security firm FireEye is one of the most prominent security players to pursue the 'spooks as a service' model. It made headlines when it tapped some of the equity from its recent public offering to snap up managed security services firm Mandiant for $1 billion. Mandiant made a name for itself pursuing so-called "advanced persistent threat" (or APT) actors for the government and other high profile firms.

In early 2014, FireEye unveiled a hosted security service, the FireEye Security Platform, that combines endpoint- and network-based protection with cloud-based "monitoring and protection services" in which security analysts from FireEye will "actively hunt for adversaries to find and stop attacks as they begin to unfold."

But smaller startup firms are also getting into the business.

J.J. Thompson of the IT risk management firm Rook Consulting, based in Indianapolis, said he has seen his company's business expand rapidly in recent months from tailored consulting engagements to more standardized endpoint monitoring for malicious activity and hands-on incident response.

Rook's customers – many of them large companies – simply don't have the staff or expertise to be able to conduct sophisticated investigations of malicious software on their networks, Thompson said.

Cambridge, MA-based Cybereason is another firm promising companies help with cyber threats that befuddle so-called 'border defenses' and that can lurk undetected for days, weeks or months on compromised networks.

The company launched in early 2014 and is headed by Lior Div, a former Israeli intelligence agent. He says that most current cyber security products are focused on addressing either the early stages of an attack – as attackers try to penetrate a company's defenses – or the final stages of an attack – as hackers attempt to make off with sensitive data.

In contrast, Cybereason attempts to understand the entire 'malop' (malicious operation) using lightweight endpoint agents that continuously monitor endpoints. The data that is collected is channeled back to Cybereason's cloud-based platform where, Div says, the company analyzes it using proprietary data analytics and the insight of high-caliber malware experts and reverse engineers – many (like Div himself) trained in the Israeli Defense Forces (IDF).

Another, Cyphort, launched on February 18, 2014 and is being marketed as a tool that combines multi-platform threat detection with machine learning technology and other correlation tools to help security teams identify attacks and fix them. CTO Ali Golshan said most of Cyphort's existing customers already own FireEye's technology, but are hungry for more context about an attack – is it nuisance adware or a data-stealing Trojan – as well as specific instructions on how to remove the threat.

The appearance of hosted cyber forensics and incident response is another phase of an ongoing migration of security intelligence to the cloud, says Wendy Nather, an analyst at The 451 Group.

In some cases, the services are just an expansion of existing managed security services, or a formalization of the kinds of ad-hoc engagements that cloud providers would have with their customers. "Companies like Rackspace have been doing incident response for their customers forever," Nather said. "It wasn't part of their contract, but they did it because customers couldn't do it themselves."

Nather said that hosted incident response services definitely have an audience, but challenges remain. The services can be difficult to scale. And, while pretty much every company that's hacked is looking for help identifying and removing the threat, not all companies are as curious to do the kinds of extensive, root cause analysis that cyber forensic experts might prefer. "You need to figure out how far the customer is willing to go to deal with it," she said.

But Julian of Co3 said that even small firms need tools to help them fully understand the ripple effects of security incidents and how they can impact a company. "Our industry tends to focus on endpoints and malware, but even small organizations need to understand that that's not the beginning and end of the threat," Julian said.

This story, "How an acute shortage of cyber talent gave rise to 'spooks as a service'" was originally published by ITworld.

Copyright © 2015 IDG Communications, Inc.