Appointed director of security services at Yorkshire-based services provider Boxing Orange earlier this year, Martin Dipper spoke to Paul Fisher about how the market for security services is changing, and how the threat landscape is changing with it.
As someone who is quite new to Boxing Orange, what is your take on the MSSP market?
It tends to be segmented between the really big players and a range of what you call ‘boutique players’, geographically and globally, such as ourselves. The boutique players have become more important in the age of persistent threats. I joined Boxing Orange because I think boutique MSSPs can get closer to their customers.
We are now at a watershed – a move from the perimeter and network to the OS and applications. The smaller players are better positioned, they're more agile and they can react more quickly to the SIEM-type services by focusing on user activity and servers.
But the big players are able to do that too, surely?
I'm not saying the big guys aren't doing their job, they are. But we need to move to dynamic security and that means understanding in real time the state of all your systems.
It used to be that when you signed up an MSSP, you ran the service and you got a monthly report, but there was nothing played back in real-time.
With an agile MSSP, you put a dashboard in front of the customer. We've created a live PCI dashboard for one of our customers that shows all of the 12 components of PCI at green or red to determine PCI compliance.
If it goes red, the customer can find out why they're not compliant. That's the future of MSSPs: real-time information that responds to dynamic threats, understanding in real time the status of your security posture on your servers.
What about malware? Should we forget about it?
We get obsessed with malware. There's a lot out there, a lot of compromises, but there's always malware plus – often an internal user who is either in collusion with the malware provider or, by mistake, compromises internal systems.
People are being hit by malware, but you also have to examine users' behaviour once they've actually been compromised: why, for example, are they downloading large files?
Most malware is trying to compromise a system to get information. If you don't spot the malware, you can at least spot the data leakage and information leaving the company – or any unusual behaviour by the user, which is maybe more important to identify.
How would you sell security information and event management (SIEM) to SMEs, considering it would be quite an investment for them?
If you look at mid-sized enterprises or even large companies, they form two camps. The security-conscious buyer buys security because they know what they're up against – but there's also the compliance officer ticking the box.
What we're seeing now is people moving from compliance to using SIEM for log management, for forensics and also for looking for events. So even in mid-sized enterprises now, we're seeing a movement to using an SIEM product more for looking for events, and correlating events, rather than just for compliance.
Secondly, you don't have to buy the whole sweetshop. You can just buy the sweets. If you go to a provider that has got an SIEM product, you can roll out the service quite cheaply, without a massive investment in the SIEM product itself or the accompanying logistics.
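The two ideas above, spotting the data leaving when the malware itself is missed and using a SIEM to correlate events rather than just store them, can be shown together in a small detection routine. The code below is an added example written for this page, not something from Boxing Orange or from the interview. The egress records and endpoint alert are constructed sample data, and their field layout (timestamp, user, host, bytes out, destination) is an assumption rather than any product's real log format. It builds each user's own outbound-volume baseline, flags transfers that are both large in absolute terms and far outside that baseline, and raises the severity when an endpoint alert on the same host precedes the transfer within a short window.

```python
"""Egress-anomaly check with SIEM-style correlation (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

ABS_FLOOR_BYTES = 100 * 1024 * 1024       # below this, a transfer is never worth an alert
MAD_MULTIPLIER = 10                       # how far above the user's own baseline is "unusual"
CORRELATION_WINDOW = timedelta(hours=2)   # endpoint alert this long before the egress is related

# Constructed sample egress records: "<ISO time> <user> <host> <bytes_out> <destination>"
# Assumed layout for the example; not a real proxy or firewall format.
SAMPLE_EGRESS = """\
2012-03-05T09:01:00 alice ws-12 18234 mail.example.com
2012-03-05T09:30:00 alice ws-12 22100 wiki.example.com
2012-03-05T10:15:00 alice ws-12 19800 mail.example.com
2012-03-05T11:00:00 alice ws-12 21500 wiki.example.com
2012-03-05T09:05:00 bob ws-07 15000 mail.example.com
2012-03-05T09:45:00 bob ws-07 17000 wiki.example.com
2012-03-05T10:20:00 bob ws-07 16500 mail.example.com
2012-03-05T23:40:00 bob ws-07 734000000 203.0.113.9
"""

# Constructed sample endpoint alerts: "<ISO time> <host> <alert name>"
SAMPLE_ALERTS = """\
2012-03-05T23:10:00 ws-07 suspicious-dropper-quarantine-failed
"""


def parse_egress(text):
    """Parse the assumed egress layout into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, nbytes, dest = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "host": host, "bytes": int(nbytes), "dest": dest})
    return records


def parse_alerts(text):
    """Parse the assumed endpoint-alert layout into dicts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, name = line.split(maxsplit=2)
        alerts.append({"ts": datetime.fromisoformat(ts), "host": host, "alert": name})
    return alerts


def per_user_baseline(records):
    """Median and median absolute deviation of bytes_out per user.

    Median/MAD rather than mean/stddev so that a single huge exfiltration
    does not drag the user's own baseline up and hide itself.
    """
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r["bytes"])
    baseline = {}
    for user, values in by_user.items():
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values) or 1.0
        baseline[user] = (med, mad)
    return baseline


def find_egress_anomalies(records, alerts):
    """Flag large, out-of-baseline transfers and correlate them with prior host alerts."""
    baseline = per_user_baseline(records)
    findings = []
    for r in records:
        med, mad = baseline[r["user"]]
        if r["bytes"] < ABS_FLOOR_BYTES or r["bytes"] <= med + MAD_MULTIPLIER * mad:
            continue
        # Correlation step: an endpoint alert on the same host shortly before the egress
        related = [a for a in alerts
                   if a["host"] == r["host"]
                   and timedelta(0) <= r["ts"] - a["ts"] <= CORRELATION_WINDOW]
        findings.append({
            "user": r["user"], "host": r["host"], "dest": r["dest"], "bytes": r["bytes"],
            "baseline_median": med,
            "severity": "high" if related else "medium",
            "related_alerts": [a["alert"] for a in related],
        })
    return findings


if __name__ == "__main__":
    for finding in find_egress_anomalies(parse_egress(SAMPLE_EGRESS), parse_alerts(SAMPLE_ALERTS)):
        print(finding)
```

Run stand-alone, the only finding is bob's 734 MB transfer to 203.0.113.9 late at night: it is far above his median of 16,750 bytes, above the absolute floor, and it follows a failed quarantine on the same workstation thirty minutes earlier, so it is reported as high severity. Alice's traffic never crosses the absolute floor and is ignored, which is the point of the floor: per-user baselines alone would otherwise flag every slightly larger-than-usual email attachment.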
You have been in security for some time. How has the industry changed? Have professionals changed with it?
It has improved. CISOs tend to fall into two camps: the ones who are security experts and the ones who are compliance experts. And each approaches the job in different ways. The security CISO wants to know about threats, how you detect them, to make sure their security posture is 100 per cent safe from the latest threats. The compliance CISO wants to tick the box. They want to know that for that regulation, PCI DSS, for example, they are safe. They'll want the dashboard safe: it's all green and it's good to go.
What we are seeing is that security affects all of our lives now, everyday lives, political lives and governmental lives. Security makes the headlines everywhere: it is now a global phenomenon, where you have governments involved.
Security is such a big topic that every CISO has to be aware not just of what's happening today, but must also look to the future, to where the compromises are coming from. So they're very aware now – more than they were five years ago.
Will Boxing Orange and its rivals have to be certified in some way by a government agency?
Even now, you can't say you're an MSSP without going through some [industry] certification to prove you're qualified.
The point is more what kind of industry the MSSPs serve. Those that serve the government and national infrastructures will be logging vast amounts of data and trying to correlate that data, as opposed to focusing on customers' needs.
I don't know that MSSPs will be certified, but they will be regulated in some way in different markets, simply because of the national implications of failure.
Are you worried by government legislation proposing that all electronic communication must be stored by ISPs and others?
If I'm running a business, I don't want to be forced to put in a terabyte of storage every year just because the government tells me to.
I think there will be a butting of heads soon between some of the providers and the government, with providers demanding payment for all this storage. But if they get paid, then they become a quasi-governmental body. I'm not a civil liberties lawyer, but I don't think it's necessary for anyone to keep my emails for seven years.
Even so, if it's not this UK government, it will be the US or it will be Germany. It will be somewhere else where it happens. It's still a naïve world right now, but if you look ahead, say 30 years, we may have chips in our heads containing all sorts of information.
We are heading that way, so you have to address personal liberties and personal freedom. Right now, we're really at the bottom of the curve in how to address freedom on the web and online.