Evaluating MSSP security before taking the plunge

Managed security service providers now exist for a wide range of security functions, including:

• Firewall management
• Antivirus management
• Intrusion detection and prevention (IDS/IPS)
• Virtual private networks (VPNs)
• Workstation, server and network device configuration and management

In this tip, we'll take a look at when enterprises should outsource these critical elements of their security infrastructure. The decision to move to one or more managed providers is a complex one, and the answe...

BROWSE BY TAG Network Security Tactics,   Network Security: Tools, Products, Software,   Network Device Management,   Enterprise Network Security,   Information Security Policies, Procedures and Guidelines,   Information Security Management,   VIEW ALL TAGS

RELATED CONTENT Network Security Tactics How to properly implement firewall egress filtering What to do with network penetration test results How to use TrueCrypt for disk encryption Protecting enterprise networks from new mobile application downloads Maintaining security after a cloud computing implementation Preparing the network for a cloud computing implementation PuTTY configuration tips: How to connect to remote network systems A guide to internal and external network security auditing How to keep networks secure when deploying an 802.11n upgrade Screencast: Find rogue wireless access points with Vistumbler Network Device Management Preparing the network for a cloud computing implementation How to prepare for a secure network hardware upgrade Researchers find thousands of flawed embedded devices Is there a way to block iPhone widgets that bypass Web filters? Will an application usage policy best control network bandwidth? What is the difference between static and dynamic network validation? How to manage network bandwidth with distributed ISP bandwidth DNSSEC deployments gain momentum since Kaminsky DNS bug Firewall rule management best practices What are best practices for fiber optic cable security? Information Security Policies, Procedures and Guidelines Schneier-Ranum face-off part 6: Audience questions Editor's Desk: Apathy and the Cybersecurity Coordinator Writing security policies using a taxonomy-based approach How to detect and respond to money laundering Health Net breach failure of security policy, technology How to protect distributed information flows Whitelists, SaaS modify traditional security, tackle flaws Melissa Hathaway urges more cooperation, government attention to cybersecurity Reuters: Obama ready to select cyber security czar How a corporate Twitter policy can combat social network threats

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary OCSP  (SearchSecurity.com) trusted computing base  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

r will vary depending upon given business requirements.

Why make the switch to MSSPs?
There are two basic reasons to consider a managed security service provider: cost savings and service enhancements (or some combination of the two). It's important to clearly understand the objectives before evaluating service providers, as the balance struck between them will definitely influence your MSSP selection.

Economic factors often force the consideration of MSSPs as a cost-saving measure. Indeed, economies of scale often permit MSSPs to provide security services in a much more cost-effective fashion than what can be performed in-house. Consider the costs, for example, involved in maintaining a highly available border firewall in an enterprise. In addition to equipment costs (which may or may not be covered in an MSSP agreement), staff must be recruited, hired and trained to operate the equipment. The costs of fringe benefits, payroll taxes and other employer obligations will also need to be covered. And when an employee decides to leave your organization, you'll need to begin the recruiting, hiring and training process all over again. The MSSP approach shifts this burden to the provider.

MSSPs also offer the opportunity to obtain superior functionality than what can be supported in-house. While an IT shop likely has security as one of many areas of concentration, such as server/desktop management, network infrastructure and database administration, MSSPs have one function: security. This focus allows them to gather expertise that is extremely difficult to obtain in the environment of a busy IT enterprise.

Why to not switch to MSSPs
Is it always appropriate to move to an MSSP-based security infrastructure? Definitely not. Here's some food for thought before making the plunge to managed security service providers:

• Cost savings: Will moving to an MSSP really achieve cost savings in the long run? When building a case for outsourcing security, dissect the business justification for an MSSP. Unrealistic expectations often find a way of creeping into these documents. For example, if you forecast savings in human resources costs, is it likely that you will make the downsizing moves necessary to achieve those savings?
• Control: Are you willing to give up the keys to the kingdom? Moving the management of parts of the security infrastructure to a third party requires a leap of faith. Do you (and your management) feel comfortable with this arrangement? Things can definitely go south quickly if you find out only after you sign a contract that the audit committee of your board of directors vehemently opposes giving someone else control of your security infrastructure.
• Liability: Are you contractually permitted to outsource security? Many organizations, especially those that do business with the government, have contractual relationships with customers that restrict their ability to engage subcontractors. Check with your legal team to determine if an MSSP agreement would run afoul of any such relationships.

Setting standards with a managed security service provider
If you decide to take the plunge, you'll need to consider the terms of your contract with the provider before signing on the dotted line. Here are some items to address in the service-level agreement (SLA):

• Response time in the event of a security incident. You'll need to spell out exactly how quickly you'd like to be notified and provide details on the various scenarios that trigger an alert. For example, you may wish to be notified immediately if the vendor detects a successful intrusion, even if it's 2:00 a.m. On the other hand, you may wish to receive a summary report of unsuccessful attempts once a week.
• Timeliness of signature updates, software upgrades, security patches and related maintenance. The easiest course of action here is to take your own internal standards and apply them to the MSSP as well. If you require your own system administrators to apply security patches within 30 days, that's probably a reasonable standard to apply to the MSSP as well.
• Access rights on security and other devices provided to both the MSSP and your organization's staff. You probably want to guarantee the MSSP will always allow you administrative access to the systems they manage. This provides a sense of security in the event the MSSP goes belly-up.
• Personnel security controls implemented by the MSSP. Again, consider applying the standards that you use in your own organization here as well. If you conduct criminal history checks and credit checks for your own employees, insist that the MSSP follow a similar policy for the people that will be working on your account.
• Frequency and nature of service reviews. At a minimum, plan to get together with the MSSP on an annual basis to review what's working well and what can be an opportunity for improvement. You might wish to tie this to your annual contract renewal cycle.

By taking the time to lay an appropriate foundation of understanding and written agreements, your relationship with a managed security service provider can be a long and fruitful strategic collaboration. Taking the time to plan appropriately will greatly increase the likelihood of success. The judicious use of MSSPs can help enterprises achieve cost savings and gain access to security specialists, but they're not a panacea. It's critical to perform due diligence to ensure that each potential relationship is built upon a solid foundation.

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.