Evaluating MSSP security before taking the plunge

Managed security service providers now exist for a wide range of security functions, including:

• Firewall management
• Antivirus management
• Intrusion detection and prevention (IDS/IPS)
• Virtual private networks (VPNs)
• Workstation, server and network device configuration and management

In this tip, we'll take a look at when enterprises should outsource these critical elements of their security infrastructure. The decision to move to one or more managed providers is a complex one, and the answer will vary depending upon given business requirements.

Why make the switch to MSSPs?
There are two basic reasons to consider a managed security service provider: cost savings and service enhancements (or some combination of the two). It's important to clearly understand the objectives before evaluating service providers, as the balance struck between them will definitely influence your MSSP selection.

Economic factors often force the consideration of MSSPs as a cost-saving measure. Indeed, economies of scale often permit MSSPs to provide security services in a much more cost-effective fashion than what can be performed in-house. Consider the costs, for example, involved in maintaining a highly available border firewall in an enterprise. In addition to equipment costs (which may or may not be covered in an MSSP agreement), staff must be recruited, hired and trained to operate the equipment. The costs of fringe benefits, payroll taxes and other employer obligations will also need to be covered. And when an employee decides to leave your organization, you'll need to begin the recruiting, hiring and training process all over again. The MSSP approach shifts this burden to the provider.

MSSPs also offer the opportunity to obtain superior functionality than what can be supported in-house. While an IT shop likely has security as one of many areas of concentration, such as server/desktop management, network infrastructure and database administration, MSSPs have one function: security. This focus allows them to gather expertise that is extremely difficult to obtain in the environment of a busy IT enterprise.

Why to not switch to MSSPs
Is it always appropriate to move to an MSSP-based security infrastructure? Definitely not. Here's some food for thought before making the plunge to managed security service providers:

• Cost savings: Will moving to an MSSP really achieve cost savings in the long run? When building a case for outsourcing security, dissect the business justification for an MSSP. Unrealistic expectations often find a way of creeping into these documents. For example, if you forecast savings in human resources costs, is it likely that you will make the downsizing moves necessary to achieve those savings?
• Control: Are you willing to give up the keys to the kingdom? Moving the management of parts of the security infrastructure to a third party requires a leap of faith. Do you (and your management) feel comfortable with this arrangement? Things can definitely go south quickly if you find out only after you sign a contract that the audit committee of your board of directors vehemently opposes giving someone else control of your security infrastructure.
• Liability: Are you contractually permitted to outsource security? Many organizations, especially those that do business with the government, have contractual relationships with customers that restrict their ability to engage subcontractors. Check with your legal team to determine if an MSSP agreement would run afoul of any such relationships.

Setting standards with a managed security service provider
If you decide to take the plunge, you'll need to consider the terms of your contract with the provider before signing on the dotted line. Here are some items to address in the service-level agreement (SLA):

• Response time in the event of a security incident. You'll need to spell out exactly how quickly you'd like to be notified and provide details on the various scenarios that trigger an alert. For example, you may wish to be notified immediately if the vendor detects a successful intrusion, even if it's 2:00 a.m. On the other hand, you may wish to receive a summary report of unsuccessful attempts once a week.
• Timeliness of signature updates, software upgrades, security patches and related maintenance. The easiest course of action here is to take your own internal standards and apply them to the MSSP as well. If you require your own system administrators to apply security patches within 30 days, that's probably a reasonable standard to apply to the MSSP as well.
• Access rights on security and other devices provided to both the MSSP and your organization's staff. You probably want to guarantee the MSSP will always allow you administrative access to the systems they manage. This provides a sense of security in the event the MSSP goes belly-up.
• Personnel security controls implemented by the MSSP. Again, consider applying the standards that you use in your own organization here as well. If you conduct criminal history checks and credit checks for your own employees, insist that the MSSP follow a similar policy for the people that will be working on your account.
• Frequency and nature of service reviews. At a minimum, plan to get together with the MSSP on an annual basis to review what's working well and what can be an opportunity for improvement. You might wish to tie this to your annual contract renewal cycle.

By taking the time to lay an appropriate foundation of understanding and written agreements, your relationship with a managed security service provider can be a long and fruitful strategic collaboration. Taking the time to plan appropriately will greatly increase the likelihood of success. The judicious use of MSSPs can help enterprises achieve cost savings and gain access to security specialists, but they're not a panacea. It's critical to perform due diligence to ensure that each potential relationship is built upon a solid foundation.

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

Rate this Tip To rate tips, you must be a member of SearchSecurity.co.UK. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network security tips Cloud-based services require stalwart business continuity plans How to perform an Active Directory health check Look into SIEM services to cut costs, comply with PCI DSS, HIPAA Windows management tips: How to backup and restore Active Directory Cloud computing compliance: Exploring data security in the cloud Configuring a Windows network infrastructure: Wired, wireless security How to use Google Webmaster tools to help protect your site How to set your baseline with host integrity monitoring software A closer look at Internet Explorer 8 security features Network discovery and the Simple Network Management Protocol Threat and Vulnerability Management Zeus botnet temporarily disrupted, but back in full force Considering two-factor authentication? Do cost, risk analysis Clientless SSL VPN vulnerability and Web browser protection Microsoft's Charney details new botnet protection, IdM technology at RSA Look into SIEM services to cut costs, comply with PCI DSS, HIPAA Cloud security issues, targeted attacks to be hot-button topics at RSA Zeus Trojan continues reign infecting 74,000 PCs in global botnet How to use Google Webmaster tools to help protect your site New Community Security Policy aims to reduce computer misuse The value of booting from a VHD in Windows 7 Endpoint and NAC Protection Considering two-factor authentication? Do cost, risk analysis Look into SIEM services to cut costs, comply with PCI DSS, HIPAA Voice data security risks on the rise, say experts The value of booting from a VHD in Windows 7 Thin-client technologies surge thanks to easier security, says Deloitte A closer look at Internet Explorer 8 security features USB drive security best practices and processes First step in forensics: Create a bootable Windows environment CD Protecting enterprise networks from new mobile application downloads Four things to remember about server virtualization security concerns RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Centre for the Protection of National Infrastructure  (SearchSecurityUK.com) Serious Organized Crime Agency  (SearchSecurityUK.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.