Cyber hygiene is very important. Applying sticking plasters in the form of point solutions makes little sense without insight into the threat landscape and the risks in your IT environment. Security assessments such as pen tests can provide the right insight. In that case, however, it should not be a six-monthly snapshot, but a continuous process. Technological developments and innovations from threat actors are taking place at an increasing pace. The threat landscape changes not only when a new technology is rolled out or when a vulnerability becomes known, but also when a threat actor releases new malware. Security assessment provider Outpost24 thinks that, as an independent provider, it can play a pre-eminent role in this, including in answering the growing demand from midmarket and SMEs through an MSSP partner channel.
Outpost24, originally Swedish, has been offering security assessments for 22 years. While many security providers focus on security itself, Outpost24 investigates independently of security management whether security is (still) adequate and provides insight into (possible) vulnerabilities, weaknesses and risks. This independence is just as important as that of an accountancy auditor.
Outpost24’s SaaS cyber risk management platform supports more than 2,500 customers in more than 65 countries in the rapidly increasing need to improve their cybersecurity posture. Outpost24’s solutions also explore the ‘white space’ between point solutions that threat actors often abuse; they scan assets and external data sources to discover, assess and prioritize vulnerabilities and threats on potential attack surfaces. To this end, the company combines cyber risk management solutions for vulnerability management, application security, threat intelligence and access management in a central platform.
Vitruvian Partners announced in July that it had acquired a majority stake in Outpost24. The investment company has previously invested in cybersecurity companies such as Bitdefender, CFC and Darktrace. Outpost24 has a global presence with offices in Europe and the US, with further plans to continue investing in international expansion in the coming years. The company aims to become Europe’s largest independent cybersecurity provider with Vitruvian’s support, said Orlando Klimert, managing director of the Central Europe business unit.
“The keyword for better cybersecurity is cyber hygiene. Before you develop a security strategy, tooling and solutions, you need to understand your technology and what your organization depends on. This concerns internal and external networks and everything that runs on them: applications, users who have access to systems. To shape a cybersecurity strategy, you need to know your IT environment, but also know what is changing in it. That is more and more and it is going faster and faster.”
There is continuous movement in the IT landscape. Think of moving workloads from your own data center to the cloud, rolling out new servers or patching existing ones. But a new vulnerability or new malware can also cause this movement.
The philosophy of Outpost24 is that you can only use your security budget and resources efficiently if you gain and keep insight into that movement. Outpost24’s scans provide insight into what IT is worth to you and where you are vulnerable, and also offer threat intelligence.
“We also show what the hacker community and cybercriminals are doing and which vulnerabilities they are most likely to use in your environment. That offers a holistic picture, which you as an organization can take proactive action on.”
Unfortunately, most Dutch organizations do not have their cyber hygiene in order, Klimert extrapolates based on what Outpost24 sees with its customers (Gartner emphasizes that cybersecurity is seen as the biggest business risk after compliance). “That is not due to security departments. They do their best with the budgets and resources they have. But the realization of the importance of cybersecurity and its maintenance has only reached the top of many companies in the past few years.”
Attention has grown since the pandemic and the digitization needed to make working from home possible, but organizations still often resort to sticking plasters in the form of point solutions, Klimert observes. “Zero day vulnerabilities such as Log4J at the end of 2021 are causing panic. But cybersecurity is not a project; it is a continuous process. The greatest dangers lie in vulnerabilities in less business-critical applications, for which people often have insufficient money or attention for security and take the risk for granted. And that is precisely what hackers use.”
Account Executive Benelux Robert Scholten understands that it is difficult for companies to know where to start. “Over the past two years, working from home has led to a shift to the application landscape: remote working and remote access to information. However, the resources and specialists to secure this have been left behind. Moreover, more and more departments in organizations – such as HR, for example – are increasingly dealing with the IT landscape. If there is insufficient communication between them and IT, expectations of each other’s roles can differ and gaps arise in cybersecurity.”
Insight with continuous assessments
More and more organizations are realizing that their cyber hygiene needs to keep up with best practices in the sector. They are looking for opportunities not to get a snapshot every now and then, but to gain real insight with continuous assessments. That is what an independent party like Outpost24 is ideally suited for, according to Scholten and Klimert.
“Previously, an assessment was often a pen test a few times a year to tick your compliance list,” says Klimert. “Nobody worried about next steps. However, the maturity level of organizations in the field of cybersecurity is growing. People are increasingly embracing the security by design idea: assessments as an integral part of your security strategy.”
Pentest as a service
Continuous testing instead of a few snapshots per year does mean that demand for pen testing, among other things, is growing rapidly while capacity is lagging behind. In response, Outpost24 has developed pentest as a service, so that organizations are assured of this form of cyber assessment all year round.
But, emphasizes Scholten, you have to see this as part of a larger whole. “As an organization you need to know where you want to grow, what your challenges are and how we can include continuous assessments. That is where we at Outpost24 want to go with customers: addressing the economics of cyber security assessments. So that we provide the right insights and organizations can intervene immediately. A new term in this field is external attack service management, for which we have developed a solution. With this we can help organizations to take proactive action, even when nothing has happened yet. This way you can keep improving your cyber hygiene.”
Bottom of the market
Outpost24 is now mainly active at larger organizations, but according to Klimert it also sees opportunities at the lower end of the market. “Large organizations often have their own SOC, their own security team. With such parties, we are primarily an extension of their security operations. With technology and sometimes services around this.”
However, the call for help in improving cyber hygiene can be seen in organizations of all sizes. Malware does not discriminate; attackers don’t look at how big an organization’s security budget is. And midmarket and SME organizations that have often already outsourced their automation are also passing this new demand on to their IT suppliers. Outpost24 focuses on this through a growing partner channel, says Klimert. “We have developed MSSP (managed security service provider) propositions, with a set of easy-to-use tools. Not so that resellers resell them one-on-one, but instead integrate them into their own MSSP services. For example, as part of a managed SOC.”
This is not always easy for parties who may have previously limited security to providing a firewall and backup. Delivering security as a service can then be a big step. “We support these types of parties with training and support, so that they can take that step to answer the rapidly growing demand for complete unburdening in the security field.”
Scholten adds that Outpost24 can also provide reports that extract from the assessments what kind of security tooling an organization needs. In this way, an MSSP can tailor its offer and an organization can be confident that it is getting the right security tools.
“As a reseller, you can have a list of ten endpoint manufacturers, but what you deliver must match what your customer needs. As an independent party, we can build a bridge between the reseller and the customer. This is already possible with a kind of quick scan that we call our Scout exercise: drawing up a report based on a domain name in which we map out the most important external risks and vulnerabilities using public information.”
That can be confronting, Scholten realizes, but it does indicate the direction you should take as an organization to improve the cyber hygiene of your IT environment. He notes that Outpost24 does not accept everyone as a partner. “We are looking for parties that are active in the cybersecurity area with the same mission, vision and culture as Outpost24. This way we can really make a success of our channel approach together.”
Finger on the pulse
In the coming years, Outpost24 will keep a close eye on developments in the cybersecurity area, concludes Klimert. “We maintain good relationships with analysts from parties such as Gartner and Forrester and will also adjust our acquisition strategy accordingly. We also follow the NIST framework, which focuses on vulnerability identification. Our focus will remain on that. Only by looking broadly at the entire IT stack can we maintain the holistic view that we also want to offer our customers.”
Author: Martijn Kregting