Re: Managed Security Providers (Who do IDS & Firewall Monitoring and Blocking)
From: Drew (simonis@myself.com)
Date: 01/30/02
Date: Wed, 30 Jan 2002 13:09:09 -0500
From: Drew <simonis@myself.com>
To: focus-ids@securityfocus.com
opiniontaker@hushmail.com wrote:
>
I've been on both sides of the Managed service coin... My thoughts
inline.
> 1. What are your thoughts concerning whether or not the MSSP is
> actually paying attention to the defense of a customer network
> 24/7/365?
I have performed several audits of customer sites that used a MSSP
for things like event/attack correlation, firewall monitoring, etc.
To say that these providers were attentive to the actions of the
audit team would be an overstatement. I remember one specific
customer who told us (without the slightest concern) that their
MSSP had a 24hr response window on event reporting!!!
> 2. What are your thoughts as to the MSSP's ability to defend my
> networks when they aren't really a part of my business, and, hence,
> have a very limited understanding of my individual organization's
> security threats, issues, and needs.
I think this is less a concern than other possible issues. An
attack is an attack. IF they detect the attack, their reaction
shouldn't really be predicated on the type of business you run.
It is up to you to define the scope of the MSSP's responsibilities
during contract time.
> 3. What are your thoughts on an MSSP to actually succeed in business
> when they are only charging me $3000-$6000 per month to secure my
> borders, AND they have to pay attention 24/7/365, AND they tell me
> they will know and understand my network, AND they tell me that they
> possess top notch, industry-leading talent (bearing in mind that they
> probably have to pay that talent very well)? How many top notch people
> can they afford to hire and spend on MY network at $3000-$6000/month...
> or do they mean that the top notch talent will spend part of its day on
> my networks and part of its day on X numbers of other customers.
>
Two words: Scope Dopes. The top people at a MSSP don't work on any one
customer all the time. They float around and provide expert assistance
to the monitoring staff. This is not uncommon in any support type of
org. Think of a helpdesk. The best technicians seldom actually talk
to customers directly. What the top dogs do do (is that a pun?) is
provide reassurance to the customer's decision makers, and appear as
a general talent representative.
> 4. How many of you honestly feel that the technology in place today
> is of a caliber to protect my network the way they say it will (I'm
> sure there are all sorts of technical things to consider on this last
> one, so please list anything you feel is pertinent)?
They have the power of a collective. As for the technology, unless
they have proprietary stuff, they use the same stuff that you can.
Maybe they can afford the best of the best, but maybe so can you. The
question comes down to the cost of doing business. Can you afford the
staff to run best of breed security solutions?
All other issues can be worked out contractually. If you need real time
alerting, demand it and test that it is happening. Don't just throw
security over the fence and hope that someone takes care of it.