
Q&A With Paul McKay: Outlook for EMEA’s Evolving Cyberthreat Landscape

Discussion between Arctic Wolf Field CTO Ian McShane and Forrester Principal Analyst Paul McKay

In July 2021, Forrester Principal Analyst Paul McKay sat down with Arctic Wolf Field CTO Ian McShane to discuss the outlook for EMEA’s evolving cyberthreat landscape, and how to identify the key differences IT and security leaders should understand when comparing legacy Managed Security Service Providers (MSSPs) with today’s modern, SOC-focused Managed Detection and Response (MDR) solutions.

Ian McShane

People working in many areas of cybersecurity know that the misuse of words and terms is rife, but for readers not quite as jaded as me, perhaps we can start off with a really direct question: is an endpoint security vendor’s own managed EDR/XDR going to give me the same level of protection as a true MDR service?

Paul McKay

This is a very easy question to answer. The answer is no. The EDR or XDR, depending on how your chosen vendor has branded it, is just a part of the technology layer of the service offering. What sets MDR offerings apart from previous managed services is the relatively high skill level of the humans who staff the SOC delivery centers for the provider. They do not fit the profile of traditional SOC analysts and are far more likely to have come from a background of performing threat hunting, red team work, penetration testing or incident response and forensics. The level of service customers should expect should therefore be more customised and response oriented, with response not simply limited to whatever the EDR or XDR solution can offer.

Ian McShane

...and then a follow-up from that would be to ask you the easiest way to spot another tricky masquerade: an MSSP that’s just rebranded as an MDR?

Paul McKay

There are two easy clues. One is if they have rebranded within the last 1-2 years and you can find marketing on their websites from before then which refers to their “managed security services provider (MSSP)” service offerings (simply search on the Wayback Machine). The other giveaway clue is if a firm says it has been doing MDR since 2001 or 2002; as a service offering it has only been defined as a separate category by industry analysts since about 2017 (when Forrester defined the term as a different category to traditional MSSP services). Anyone claiming they did it before then needs to be challenged as to the veracity of their claims.

Ian McShane

I’m often asked variations of the same question: “What’s the best way to see if I am really more secure today than I was yesterday?” So what recommendations do you give Forrester clients that need to start measuring when their internal operations run through an MSSP or an MDR? What metrics should they start with, and what should they measure?

Paul McKay

I’d recommend starting with something like incident positivity rate, which is the rate of true positives that you identify from your provider compared to others in the industry; this gives you a sense of how effective your optimisation and classification of events is. You can work with your provider on this. The other metric I would look at quite closely is mean time to detect and respond, which tests the efficacy of both your service provider and your joint response capabilities (given the MDR service will operate as a joint responsibility between the client and the service provider).

Ian McShane

Though there have been a few exceptions in the past couple of years, the headline-making breaches and incidents are almost universally US-focused. Is the threat landscape and the risk to business in EMEA and the rest of the world truly any different to those within the USA?

Paul McKay

The risk landscape in EMEA does differ somewhat, as we see some trends here that are different to what is seen in the US, mainly in terms of what is targeted. For example, in some European countries, particularly France and Germany, we see a higher proportion of organisations citing that the breaches they see are more likely to target intellectual property. The other trend we see here in EMEA is that there are more localised and specific threats that crop up, for example in the Middle East, for other ME countries in response to very localised geopolitical considerations, which are not necessarily seen elsewhere. Physical infrastructure is also more highly targeted in this region as compared to Europe.

Ian McShane

Our last question for today is about data storage and sovereignty as it relates to MDR. Our industry has come a long way in cloud storage governance in the last decade and a half, so, outside of legislation and laws, how concerned should EMEA-based organisations really be?

Paul McKay

MDR log and event storage involves the processing of data that is considered sensitive in some jurisdictions. European organisations are subject to GDPR for personal data, and in the Middle East, for example, there are increasingly rules governing sovereignty of data. From a technical perspective, organisations should ensure that they meet their legal obligations of course, but need to gauge their own comfort in using service providers with data storage out of their home country or region. The decision is part political and cultural as well as technical and legal. Most service providers will enable access to audit, maintain security certifications and have documented processes for responding to any requests for customer data. In addition, some may be able to offer additional operational assurances (e.g. enhanced monitoring or defined procedures to limit access to sensitive data) or set up data residency in region (but not necessarily always in country) if this is a specific requirement. The point here is to select the countermeasures from your provider’s offering that give you comfort to meet the needs of your security team and other stakeholders, rather than ruling out a provider simply based on where its head office is.