MSSP Owner Questions Value of SOC Monitoring Alone

Mosaic 451 founder Mike Baker's controversial views on MSSPs are informed by his firm's experience protecting critical infrastructure.

Aldrin Brown, Editor-in-Chief

April 14, 2016

4 Min Read
MSSP Owner Questions Value of SOC Monitoring Alone
Mosaic 451 maintains SOCs that operate around the clock in Phoenix, Las Vegas and Portland, Ore.

Mosaic 451 founder Mike Baker knows he’s going to raise some eyebrows with his opinions about the state of the managed security services provider (MSSP) industry.

“I really sincerely believe the MSSP model is based on theft,” he said. “I think that people are buying magic.”

Ironically, Baker’s own firm provides advanced managed security services to clients who need to protect critical infrastructure.

Mosaic 451 customers include the Arizona Public Service Electric Company, that state’s largest electric utility and operator of three nuclear power plants, including the nation’s largest, the Palo Verde Nuclear Generating Station.

Others clients are financial operations, like the International Securities Exchange, which runs three electronic options exchanges.

Providing managed security services to high-stakes clientele has hardened Baker’s belief that to truly be effective, cybersecurity defenses must be customized and involve human on-site staff to manage the unique and constantly evolving threats facing each customer.

Monitoring the networks of numerous clients from a SOC is, Baker argues, largely worthless.

“This model where I’ve got hundreds of poor suckers in a fishbowl looking at blinking lights, they’re stealing from those customers,” Baker said. “The idea of a broad-market MSSP with 10,000 clients just flat does not work.”

“The easy thing to do in an MSSP is to monitor,” he said. “I do not want to monitor. I want to operate.”

When Cybersecurity is ‘War’

Too often, Baker asserts, those in charge of IT security recognize that engaging an MSSP is palliative.

He recounted a recent conversation with an IT manager at a major hospital chain about his rationale for hiring an MSSP: “If we get breached, at least we have somebody to blame,” Baker said.

Many of the clients who hire Mosaic 451 tend to be organizations where cybersecurity is a matter life or death.

“We have been on networks that very fundamentally have been at war since 2003,” Baker said. “Where we grew up, cybersecurity mattered – and it still matters.”

In addition to organized criminals and rogue hackers, many of the adversaries against which Mosaic 451 defends are state actors.

Russia is very active, he said, as is China, which was accused in the successful breach of networks at the U.S. Office of Personnel Management.

An attack by Iran stole sensitive information on U.S. dams, like how strategically over-spilling a particular dam on the Columbia River could cause a domino effect and the “the 20 downstream go down like matchsticks,” Baker said.

Each day, Mosaic 451’s nearly 100 employees – more than 90 of which are engineers – battle against would-be attackers seeking to gain access to network components that control vital activities, and seemingly innocuous functions, like facility lighting, water and HVACs.

Baker is a student of Lockeheed Martin’s “Cyber Kill Chain” framework, which calls for carefully evaluating each step an adversary needs to execute a successful network attack.

In each case, a cyber-attacker must perform reconnaissance, create a suitable weapon and deliver that weapon.

“This is really the anatomy of a hack,” Baker said.

Mosaic 451 assigns employees at clients’ premises, where they collect intelligence, perform constant threat recognition, spend a great deal of time at the endpoints and servers, and do what Baker describes as “baselining,” “trending,” and “visualizing.”

“Technology is a force-multiplier but you cant substitute technology for humans and expect a good outcome,” he said. “We basically say that we will provide that critical mass of smart humans.”

Not All Networks Worth Protecting

Baker acknowledged that Mosaic 451’s services are probably not the best option for a mom-and-pop business or other organizations that are unlikely targets of sophisticated attacks.

Owners of networks should first decide whether they truly have something worth protecting.

“Security fetishists will tell you that everything needs to be secure,” Baker said. “I don’t believe that.”

For example, a small retail business with an outsourced PCI provider likely faces limited liability and might need only simple security measures, like encrypted tunnels. In such a scenario, rudimentary remote monitoring can be a cost-effective approach.

“I think that’s a great place to use another MSSP,” Baker conceded. “If I’m under 100 people, there’s a huge argument to go to the cloud and be done with it.”

For networks where security is absolutely imperative, however, the defense must be customized, taking into consideration each customer’s unique threat profile, culture and actual practices and procedures, he said.

Enterprises’ growing use of hybrid networks, with components partly on the cloud and partly on-premises, means an expanded “threat surface” and further complicates the job of cybersecurity professionals.

Mosaic 451 maintains three SOCs that operate 24/7, in Phoenix, Las Vegas and Portland, Ore. Another facility is under construction in Boston that will house an SOC and separate NOC.

Those resources, combined with on-site security experts, offer the best chance at good outcomes and satisfied customers, Baker said.

“What we do is custom security operations with an outcome in mind,” he said. “We want relationships that last 10 to 15 years. If you’re going to have two or three full-time security staff, we can figure something out.”  

 

Send tips and news to [email protected].

Read more about:

MSPsMSP 501

About the Author

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.

 

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like