Evaluating MSSP security before taking the plunge


Mike Chapple, Contributor

As the economy continues to tumble and organizations of all kinds seek ways to reduce costs, the promise of security savings by outsourcing certain infosec tasks to managed security service providers (MSSPs) can be quite alluring. Using an MSSP can lower your payroll expenses and provide you with the talents of highly specialized engineers.

Managed security service providers now exist for a wide range of security functions, including:

  • Firewall management
  • Antivirus management
  • Intrusion detection and prevention (IDS/IPS)
  • Virtual private networks (VPNs)
  • Workstation, server and network device configuration and management

In this tip, we'll take a look at when enterprises should outsource these critical elements of their security infrastructure. The decision to move to one or more managed providers is a complex one, and the answer will vary depending upon given business requirements.

Why make the switch to MSSPs?
There are two basic reasons to consider a managed security service provider: cost savings and service enhancements (or some combination of the two). It's important to clearly understand the objectives before evaluating service providers, as the balance struck between them will definitely influence your MSSP selection.

Economic factors often force the consideration of MSSPs as a cost-saving measure. Indeed, economies of scale often permit MSSPs to provide security services in a much more cost-effective fashion than what can be performed in-house. Consider the costs, for example, involved in maintaining a highly available border firewall in an enterprise. In addition to equipment costs (which may or may not be covered in an MSSP agreement), staff must be recruited, hired and trained to operate the equipment. The costs of fringe benefits, payroll taxes and other employer obligations will also need to be covered. And when an employee decides to leave your organization, you'll need to begin the recruiting, hiring and training process all over again. The MSSP approach shifts this burden to the provider.

MSSPs also offer the opportunity to obtain functionality superior to what can be supported in-house. While an IT shop likely has security as one of many areas of concentration, alongside server/desktop management, network infrastructure and database administration, an MSSP has one function: security. This focus allows it to accumulate expertise that is extremely difficult to build inside a busy IT enterprise.

Why not to switch to MSSPs
Is it always appropriate to move to an MSSP-based security infrastructure? Definitely not. Here's some food for thought before taking the plunge with managed security service providers:

  • Cost savings: Will moving to an MSSP really achieve cost savings in the long run? When building a case for outsourcing security, dissect the business justification for an MSSP. Unrealistic expectations often find a way of creeping into these documents. For example, if you forecast savings in human resources costs, is it likely that you will make the downsizing moves necessary to achieve those savings?
  • Control: Are you willing to give up the keys to the kingdom? Moving the management of parts of the security infrastructure to a third party requires a leap of faith. Do you (and your management) feel comfortable with this arrangement? Things can definitely go south quickly if you find out only after you sign a contract that the audit committee of your board of directors vehemently opposes giving someone else control of your security infrastructure.
  • Liability: Are you contractually permitted to outsource security? Many organizations, especially those that do business with the government, have contractual relationships with customers that restrict their ability to engage subcontractors. Check with your legal team to determine if an MSSP agreement would run afoul of any such relationships.

Setting standards with a managed security service provider
If you decide to take the plunge, you'll need to consider the terms of your contract with the provider before signing on the dotted line. Here are some items to address in the service-level agreement (SLA):

  • Response time in the event of a security incident. You'll need to spell out exactly how quickly you'd like to be notified and provide details on the various scenarios that trigger an alert. For example, you may wish to be notified immediately if the vendor detects a successful intrusion, even if it's 2:00 a.m. On the other hand, you may wish to receive a summary report of unsuccessful attempts once a week.
  • Timeliness of signature updates, software upgrades, security patches and related maintenance. The easiest course of action here is to take your own internal standards and apply them to the MSSP as well. If you require your own system administrators to apply security patches within 30 days, that's probably a reasonable standard to apply to the MSSP as well.
  • Access rights on security and other devices, for both the MSSP's staff and your own. You probably want to guarantee that the MSSP will always allow your organization administrative access to the systems it manages, so that you are not locked out of your own infrastructure if the MSSP goes belly-up or the contract ends.
  • Personnel security controls implemented by the MSSP. Again, consider applying the standards that you use in your own organization here as well. If you conduct criminal history checks and credit checks for your own employees, insist that the MSSP follow a similar policy for the people that will be working on your account.
  • Frequency and nature of service reviews. At a minimum, plan to get together with the MSSP on an annual basis to review what's working well and what can be an opportunity for improvement. You might wish to tie this to your annual contract renewal cycle.
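
SLA terms like the notification and patch-timeliness items above are only worth negotiating if you then verify the provider against them from the reports it sends you. The following is an added example, not part of the original tip and not any provider's tooling: a small Python check that reads a constructed MSSP report (the CSV layout, device names, patch identifiers and notification windows are all assumptions for illustration) and flags each item that missed its window. Items still open at report time are measured against the report date, so an unpatched device or an incident that was never reported cannot hide a breach.

```python
"""Check an MSSP's periodic report against SLA terms.

Added example: the report formats, identifiers and SLA values below are
constructed for illustration, not a real provider's output or contract.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO
from typing import List, Optional, Tuple

# SLA terms. The 30-day patch window mirrors the article's example;
# the notification windows are assumed values for this demonstration.
PATCH_SLA = timedelta(days=30)
NOTIFY_SLA = {
    "successful_intrusion": timedelta(minutes=15),  # "notify immediately"
    "failed_attempt": timedelta(days=7),            # weekly summary is enough
}

# Constructed sample reports (not real data). An empty "applied"/"notified"
# field means the item was still open when the report was produced.
PATCH_REPORT = """\
device,patch_id,released,applied
fw-edge-01,VENDOR-2010-03,2010-03-01,2010-03-20
fw-edge-02,VENDOR-2010-03,2010-03-01,2010-04-15
ids-core-01,SIG-4471,2010-03-28,
"""

INCIDENT_REPORT = """\
kind,detected,notified
successful_intrusion,2010-04-03T02:10:00,2010-04-03T02:19:00
successful_intrusion,2010-04-11T14:00:00,2010-04-12T09:00:00
failed_attempt,2010-04-05T08:00:00,2010-04-09T17:00:00
failed_attempt,2010-04-20T08:00:00,
"""

REPORT_DATE = datetime(2010, 4, 30)  # assumed date the report was produced


def _parse(ts: str) -> Optional[datetime]:
    """Parse an ISO-8601 date or datetime; empty string means 'still open'."""
    return datetime.fromisoformat(ts) if ts else None


def patch_breaches(report: str, report_date: datetime,
                   sla: timedelta = PATCH_SLA) -> List[Tuple[str, str, int]]:
    """Return (device, patch_id, days_late) for every patch applied after
    release + SLA. A device still unpatched past its deadline is counted as
    late up to the report date, so open items cannot hide a breach."""
    breaches = []
    for row in csv.DictReader(StringIO(report)):
        released = _parse(row["released"])
        applied = _parse(row["applied"]) or report_date
        deadline = released + sla
        if applied > deadline:
            breaches.append((row["device"], row["patch_id"],
                             (applied - deadline).days))
    return breaches


def notification_breaches(report: str, report_date: datetime,
                          sla=NOTIFY_SLA) -> List[Tuple[str, str, int]]:
    """Return (kind, detected, minutes_late) for each incident whose
    customer notification exceeded the window for its kind. An unknown
    kind gets the strictest window rather than being silently skipped."""
    strictest = min(sla.values())
    breaches = []
    for row in csv.DictReader(StringIO(report)):
        detected = _parse(row["detected"])
        notified = _parse(row["notified"]) or report_date
        window = sla.get(row["kind"], strictest)
        late = notified - (detected + window)
        if late > timedelta(0):
            breaches.append((row["kind"], row["detected"],
                             int(late.total_seconds() // 60)))
    return breaches


if __name__ == "__main__":
    for b in patch_breaches(PATCH_REPORT, REPORT_DATE):
        print("PATCH SLA BREACH: %s %s applied %d day(s) late" % b)
    for b in notification_breaches(INCIDENT_REPORT, REPORT_DATE):
        print("NOTIFICATION SLA BREACH: %s detected %s, notified %d min late" % b)
```

Run against the constructed reports, the check flags fw-edge-02 (15 days late) and the still-unpatched ids-core-01 (3 days past its deadline at report time), plus the overnight intrusion notification and the failed-attempt summary that never arrived. Whatever the real report format turns out to be, the two design points carry over: measure open items against the report date, and never let an unrecognised severity fall outside every window.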

By taking the time to lay an appropriate foundation of understanding and written agreements, your relationship with a managed security service provider can be a long and fruitful strategic collaboration. The judicious use of MSSPs can help enterprises achieve cost savings and gain access to security specialists, but they're not a panacea. It's critical to perform due diligence to ensure that each potential relationship is built upon a solid foundation.

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.

All Rights Reserved, Copyright 2003 - 2010, TechTarget