Notes from RSA: the tough economics bridging from prevention to detection

In his opening keynote this week, RSA President Amit Yoran emphatically delivered one key message: prevention is no longer good enough and security practitioners, industry and vendors need to embrace a detection and response approach.

This is good news for eSentire clients. Detection and response has been our approach to cybersecurity since day one. It assumes the stance that compromise from unknown threats is inevitable, and to focus efforts on rapid detection and response upon breach, such that damage can be mitigated. This approach has greater integration and dependence on the human analyst to augment behavioral and machine learning technology. We couldn’t be happier that the infosec industry is pushing in this direction. In addition to validating the approach we’ve used for over a decade, the approach comes down to doing whatever best protects people and organizations from our constantly evolving adversaries.

Amit also pointed out that Gartner predicts spend on detection and response to quadruple over the next few years, rising to account for 60% of IT security budgets by 2020. A shift like this does raise some concerns, specifically highlighting the need for more security analysts and Security Operations Centers (SOC). A “hunting” approach is less automated and fundamentally places a greater emphasis on skilled humans as part of the detection and response equation.

Most of us are aware that there is a global cybersecurity talent epidemic. In the United States alone, 200,000 cybersecurity jobs are unfilled today. And by 2019, estimates tell us that there will be 1.5 million unfilled positions. This talent gap will become amplified as industry and vendors make the shift from prevention to detection.

Here are a couple of things that small-to mid-sized organizations looking for cybersecurity services might see in the future:

1. Vendors that lack experience: Expect to see a flood of new vendors offering detection and response security services. Many existing MSSP’s will introduce these types of services to augment existing portfolios. eSentire has spent over a decade operationalizing the detection and response process, tools and technology within our global SOC.
2. Limited access for mid-sized organizations: There’s already a major labor shortage in IT security. Vendors will look to secure talent to build-out operations that target large enterprise to maximize revenues, leaving small-to-mid sized organizations with fewer qualified vendors to turn to for help.

To summarize, make sure you understand how both technology and human analysts are involved in the detection and response process for any vendor you’re interviewing. What does the Service Level Agreement (SLA) for detection and response look like, or does the vendor even have an SLA at all? What technologies are being used to detect or signal an analyst investigation and response? What actions does the vendor take to “respond” to a breach?

If you’re a small to mid-sized organization looking for a cybersecurity solution, make sure you ask the right questions to avoid headache down the road. If you’re not sure where to start, we can help.