The security staffing landscape is changing – especially for cybersecurity. With a looming cybersecurity talent gap, more security-related areas of responsibility are being outsourced than ever before in order to keep up with the challenges. One emerging category of outsourcing lies in the management of OSINT security deliverables for an organization. With each passing quarter, there has been an increase in OSINT deliverables across the Managed Security Service Provider (MSSP) and Managed Detection and Response (MDR) service landscape. A quick win in this security deliverable category is in the area of Web Intelligence (WEBINT) and Investigation. A subset of the broader OSINT data spectrum, it has become an effective ROI offering for MSSPs and MDRs – that is, if it can be produced confidently and, most importantly, quickly.
The security landscape as it stands – and going forward.
The scary fact about our modern world of security is that, as organizations across the globe continue to undergo rapid digital transformation, it is forecasted that there will be an estimated 3.5 million unfilled cybersecurity positions worldwide (Deloitte, 2019). With a drastic increase in major cybersecurity events these days, especially in terms of State-level disruption efforts (think SolarWinds, NotPetya, and a recent report by CISA about Chinese MSS efforts), you can begin to see why such a gap is “scary.”
To meet this challenge, more organizations than ever are turning to outsourcing many of their security functions in order to effectively secure their code, networks, executives, brands, etc. when resources or talent are spread thin internally. Deloitte surveyed many C-level executives in 2019 on the topic of outsourcing. Of the CISOs that responded, a staggering 99% stated they outsourced some percentage of their security responsibilities to a third party. 65% of those CISOs attributed almost ⅓ of their cybersecurity functions to service providers.
In terms of exactly how Web Intelligence (WEBINT) fits into this trend, CISOs surveyed by Deloitte stated they dedicated, on average, about 10% of their budget to Threat Detection/Monitoring and 11% to Incident Response. Both of these security tasks contain large opportunities to supplement other forms of threat intelligence with WEBINT data in order to be more comprehensive and secure. This means that a rather large percentage of total organizational security budgets is potentially up for grabs. So, what exactly IS up for grabs?
Below, Deloitte breaks down the percentage of tasks that are generally most outsourced, as per CISO responses.
Not only are these some of the top outsourced responsibilities, they are all security tasks where OSINT collection and investigation greatly strengthen security findings and initiatives.
The story is clear: There are gaps that organizations cannot cover themselves, and they are planning for and willing to pay to outsource the solution.
How does OSINT fit into this puzzle?
What is the importance of the CISA advisory report about Chinese Ministry of State Security OSINT operations? At the end of the day, OSINT data is useful (given effective collection and analysis), and bad guys are using it against their targets. Full stop. So while it is still slow to pick up steam in some areas, OSINT budget allocation within security organizations is happening, and it seems to be growing.
Here is the challenge for MSSP and MDR organizations in taking on OSINT collection and analysis to help solve security problems. An MSSP or MDR cannot simply take over a mature OSINT threat intel practice, because to date the practice of OSINT in security management within the MSSP/MDR industry is not mature; it is still evolving dynamically, yet it needs to be applied effectively to be both useful to the downstream client and ultimately profitable to the MSSP/MDR organization. It has to help deliver a return on value to the client.
The problem of “ROV” in OSINT programs.
Simply put: OSINT data can be so vast that it is easy to fall into rabbit holes that will quite literally erase all of the ROV available in using it, if it is not adopted carefully and strategically. Daniil Davydoff recently wrote for Security Magazine that: “The reality is that most OSINT work in the corporate security environment is more akin to wading through piles of gems and the greater challenge for intelligence analysts is typically deciding how to arrange these gems into a coherent narrative.”
OSINT clearly requires a human behind the computer at some point; a contextual narrative needs to be recognized and built up by a human in order for the data to be truly valuable and actionable. Looking at the security teams inside organizations, the 2020 CTI Survey Report found that 83% of cyber threat intelligence analysts in organizations perform open source intel as part of their workflow, 50% of them spend more than ½ of their time on it, and >85% received little or no training for the work. Let that sink in.
These takeaways present a fairly clear opportunity for MSSPs and MDRs to fill a gap, or to deliver a more cost-effective option for the organization. This can be a compelling client return on value (ROV) proposition. But that does not mean they have such a surplus of talent that they can afford to apply those human resources ineffectively or wastefully. There is still the need to be profitable, that is, the ability to scale.
A first step lies with Web Intelligence (WEBINT) technology. Gone are the days of manually and independently searching Google, social media platforms, forums, and news sites. Sure, one could still do it this way; just boot up the OSINT Framework and go to town. But this is not effective or efficient in the corporate security and threat intel landscape, where speed and volume are constantly at odds. There are a growing number of WEBINT technologies that can help the MSSP/MDR provider address the two-fold challenge of offering it as a service in their portfolio, i.e., client return on value and profitability through scale. In fact, at Media Sonar, a Web Intelligence and Investigations software provider, return on value for clients through scalability and efficiency guides our product mission and roadmap.
The need is there – WEBINT as a service is a step forward to secure the world.
But hold on there: it is not as easy as an MSSP making the statement “we do WEBINT stuff now.” Without careful due diligence, planning, and incorporation of effective technology, it can quickly become a time sink, like any unguided application of threat intelligence.
In evaluating what is out there, there are a few key layers of efficiency that should be assessed to support repeatable Return on Value (ROV) for WEBINT-related tasks:
At the task-level
The chosen technological solution needs to collect and display the data accurately, promptly, and efficiently. WEBINT data is just like any other threat intelligence data stream: it is just data, and it needs context and consideration in order to be actionable. An effective WEBINT collection solution should, at the task level:
- have vast access to the data streams most pertinent to the mission;
- provide visibility into those different data streams in a clear, organized manner;
- make the sorting, viewing, and reporting of data easy and effective; and
- make collaboration and sharing simple but also configurable.
At the analysis-level
The tool needs to provide capabilities that enhance and support the natural skillsets of analysts. A WEBINT investigation platform won’t (or shouldn’t) reinvent any wheels. It should always make the investigative steps practitioners already employ happen at a faster rate and with a higher degree of accuracy and efficiency compared to manual processes. This leaves more time for an analyst or investigator to think about the problem, consider the evidence, and draw conclusions about a case, rather than being bogged down in an application, and it makes them much more valuable to the organization in the effort/reward equation.
At the systems-level
A WEBINT investigation platform needs to play nicely with the multitude of multi-purpose and mission-driven tools that live in the modern security ecosystem. Just as the efficiencies gained from an individual WEBINT platform matter, so does limiting how much time is spent split between different platforms in the security landscape. A successful WEBINT solution should integrate with popular SIEM/SOAR/TIP platforms, as they are core to the efficiency equation for most security teams looking for that “single pane of glass.” While it is true that most WEBINT solutions are not as mature in terms of integration as other security products, many are starting that journey, and as such, integration should be an important consideration.
Marrying the intelligence advantage of security analysts with tools that allow for greater efficiency and speed in the collection and analysis of WEBINT data gives MSSP and MDR organizations a truly great opportunity to provide real intelligence to companies that cannot afford, one way or another, to do it themselves. This contributes to the return on value that the MSSP/MDR brings to the client while opening the doors to a profitable offering in their service portfolio.
The question is not if WEBINT and the broader OSINT will come to any particular MSSP/MDR doorstep; the question is who will be the first to take it on and solve “the efficiency problem.” The selection of the WEBINT technology is a key first step.
This article was originally published in VM Blog but written by The Media Sonar Team.